feat: CSP-compatible build #183

Merged
merged 11 commits into from Sep 14, 2021

Conversation

guybedford (Owner) commented Sep 14, 2021

Resolves #167 in providing a fully CSP compatible build of ES module shims that supports using nonces for all executions.

One big issue here is that all Wasm execution requires CSP unsafe-eval (which is very unfortunate). The approach taken was to reinstate the JS build of es-module-lexer, which has comparable runtime performance, but with a slower cold start due to the extra work required of the V8 compiler.

  • Updates to es-module-lexer@0.8.0 that supports dual JS + Wasm builds.
  • Creates a separate CSP build that uses the JS es-module-lexer build.
  • Updates the internal top-level execution function to use script injection over dynamic import (dynamic import would otherwise hit the CSP block rule when executing blob URLs).
  • Reads the nonce from the existing script tags on the page, or uses the new nonce initialization option.
  • Supports a new <script type="esms-options"> tag with inline JSON for configuration, avoiding the need for inline script (i.e. another nonce).

While there is a definite performance penalty for this approach, it shouldn't turn out to be noticeable for applications that are willing to take that hit in order to rather have the CSP security. By having two builds, users have the option of deciding which is best, and the features supported are equivalent between both builds.
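The following is an added example, not code from es-module-shims or from this pull request. It models the three mechanisms the description relies on: deciding from a `Content-Security-Policy` header whether the Wasm build (needs `'unsafe-eval'`), dynamic import of blob URLs (needs `blob:`), or the nonce'd script-injection path is permitted; reading the nonce from existing script tags or from the `esms-options` JSON tag; and injecting a `<script type="module">` carrying that nonce. Because it has to run under Node, the DOM is replaced by a tiny constructed stand-in (`makeElement`, `makeDocument`, the `attrs`/`textContent`/`children` fields); those names, the sample policy strings and the option keys in the JSON are all assumptions of this example, not es-module-shims' API.

```javascript
// Parse a Content-Security-Policy header value into directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// What a policy permits for script execution. script-src falls back to
// default-src, as the CSP spec specifies.
function scriptCapabilities(header) {
  const csp = parseCsp(header);
  const sources = csp.get('script-src') || csp.get('default-src') || [];
  const nonces = sources
    .filter((s) => s.startsWith("'nonce-") && s.endsWith("'"))
    .map((s) => s.slice(7, -1)); // strip the leading 'nonce- and trailing '
  return {
    unsafeEval: sources.includes("'unsafe-eval'"), // required to compile Wasm (the Wasm lexer build)
    blobUrls: sources.includes('blob:'),            // required for dynamic import() of blob: URLs
    nonces,                                         // injected <script nonce=...> tags are allowed
  };
}

// Pick the build the page can actually run: the Wasm build only under
// unsafe-eval, otherwise the CSP (JS lexer) build if a nonce is available.
function chooseBuild(header) {
  const caps = scriptCapabilities(header);
  if (caps.unsafeEval) return 'wasm';
  if (caps.nonces.length > 0) return 'csp';
  return 'none';
}

// --- Minimal DOM stand-in (assumption of this example, not a browser API) ---
function makeElement(tagName, attrs = {}, textContent = '') {
  return { tagName, attrs, textContent, children: [] };
}
function makeDocument(scripts) {
  return { head: makeElement('head'), scripts };
}

// Nonce discovery: an explicit init option wins, otherwise the first nonce'd
// <script> already on the page. (In a real browser, read script.nonce, since
// CSP3 nonce hiding removes the attribute from getAttribute().)
function findNonce(doc, initNonce) {
  if (initNonce) return initNonce;
  for (const s of doc.scripts) if (s.attrs.nonce) return s.attrs.nonce;
  return undefined;
}

// Configuration from <script type="esms-options">: JSON, so no inline JS and
// no extra nonce is needed. Invalid JSON is reported rather than ignored.
function readEsmsOptions(doc) {
  const tag = doc.scripts.find((s) => s.attrs.type === 'esms-options');
  if (!tag) return {};
  try {
    return JSON.parse(tag.textContent);
  } catch (e) {
    throw new Error('esms-options tag must contain valid JSON: ' + e.message);
  }
}

// Script injection: a <script type="module"> with the nonce, instead of
// import() of a blob: URL, which a nonce-only policy would block.
function injectModule(doc, source, nonce) {
  const el = makeElement('script', { type: 'module' }, source);
  if (nonce) el.attrs.nonce = nonce;
  doc.head.children.push(el);
  return el;
}

// Would the policy let the injected element execute?
function policyAllowsElement(header, el) {
  return scriptCapabilities(header).nonces.includes(el.attrs.nonce);
}

// Constructed sample page and policy tying the pieces together.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' 'nonce-abc123'";
function runExample() {
  const doc = makeDocument([
    makeElement('script', { type: 'esms-options' }, '{"nonce": "abc123"}'), // option key assumed
    makeElement('script', { src: '/app.js', nonce: 'abc123' }),
  ]);
  const options = readEsmsOptions(doc);
  const nonce = findNonce(doc, options.nonce);
  const el = injectModule(doc, 'import "/app.js";', nonce);
  return {
    build: chooseBuild(SAMPLE_POLICY),
    nonce,
    injectedAllowed: policyAllowsElement(SAMPLE_POLICY, el),
    injectedCount: doc.head.children.length,
  };
}
```

`chooseBuild` makes the trade-off in the description concrete: a policy with only `'self'` and a nonce can run the CSP build but not the Wasm one, and adding `'unsafe-eval'` purely to enable Wasm widens the policy far beyond what the lexer needs.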

@guybedford guybedford merged commit 9185747 into main Sep 14, 2021
@guybedford guybedford deleted the csp branch September 14, 2021 06:51
Linked issue closed by this pull request: Improving CSP policy requirements (#167)