fix(offline): improve failure mode around package version injection

Also clarify comment on security header usage

Author: grega

public/service-worker.js

@@ -63,7 +63,7 @@ self.addEventListener("activate", (event) => {
   self.clients.claim();
 });
 
-// Pyodide needs SharedArrayBuffer which requires the page to be cross-origin isolated. That means serving COOP + COEP on the HTML response, and CORP on every cross-origin resource the page loads
+// Pyodide needs SharedArrayBuffer which requires the page to be cross-origin isolated. That means serving COOP + COEP on the HTML response, and CORP on every cross-origin resource the page loads. We already set these headers on editor-static.raspberrypi.org, but worth being explicit here for other hosts eg. cdn.jsdelivr.net
 function addSecurityHeaders(response) {
   if (response.type === "opaque") return response;
   const headers = new Headers(response.headers);

webpack.config.js

@@ -240,11 +240,16 @@ const mainConfig = {
           to: "",
           transform: (content, filePath) => {
             if (!filePath.endsWith("service-worker.js")) return content;
-            const version = process.env.npm_package_version;
+            const version =
+              process.env.npm_package_version ??
+              require("./package.json").version;
             return content
               .toString()
               .replace("editor-app-v1", `editor-app-v${version}`)
-              .replace("editor-translations-v1", `editor-translations-v${version}`);
+              .replace(
+                "editor-translations-v1",
+                `editor-translations-v${version}`,
+              );
           },
         },
         { from: "src/projects", to: "projects" },