Appears to be incompatible with strict-dynamic content security policy

[InterLinked1]

I was doing some testing today and I noticed that the pages utilizing showdown.js were not working (the dynamic Markdown rendering). I investigated and tweaked some things with my Content Security Policy header, which is presently whitelist based. I tried adding strict-dynamic to it and then added a nonce to the script call (showdown.min.js) to see if that would fix it. It did not. The only way I could get it to work was by leaving unsafe-inline in my CSP but removing strict-dynamic and the nonce so that unsafe-inline could take full effect. The whole idea of strict-dynamic and nonces are that a properly written arbitrary script should be able to work, but either with or without strict-dynamic, this library does not work. Effectively, this project is going to break over time further if not rewritten - hoping this can be addressed! Is there a reason this can't be compatible with CSP3? Wondering if I should wait for it to become compatible or just apply a different CSP for pages utilizing showdownjs which uses unsafe-inline only on those pages.

[SyntaxRules]

Forgive my ignorance, is this because of ShowdownsXSS issue? https://github.com/showdownjs/showdown#xss-vulnerability

[InterLinked1]

Not 100% sure... CSPs dictate what code should be allowed to execute on a page, and if I recall correctly Showdown required extremely liberal rules to be set up to allow Showdown to work, which are considered a bad security practice today. CSPs help prevent XSS, though, so that may be related: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP