
Browser bundle includes an eval pattern, triggering some static analysis #3559

dimovpetar opened this issue Aug 12, 2021 · 3 comments
dimovpetar commented Aug 12, 2021

Hello,

There are some usages of Function in the lodash package, which require unsafe-eval to be used. In the built version https://github.com/jshint/jshint/blob/master/dist/jshint.js you can find Function('return this')(); and Function(importsKeys, sourceURL + 'return ' + source). The second one is not used at all.
This makes usage of JSHint impossible in restricted environments, where only script-src: self is set. Any chance to remove them?
More information about Unsafe eval expressions.

@jugglinmike (Member)

Thanks for taking the time to file an issue! Lodash is expected to load "just fine" in a CSP-restricted environment. Judging from that library's source code, it seems as though an error will only be encountered if the binding named self is not defined globally. Is that the case for you?

@dimovpetar (Author)

Hello! The problem is that scan tools report such usages, even if not used. The issue you have referenced is from 2014, and back then this code wasn't part of root.js. I've found that this is already addressed with lodash/lodash#4985 and globalThis is suggested.
For the other occurrence of eval, which is in lodash.template - since you are not using this function, is it possible to prune it from your bundle? It will also decrease the total size.

jugglinmike changed the title from "CSP 'script-src' directive is violated" to "Browser bundle includes an eval pattern, triggering some static analysis" on Aug 29, 2021

@jugglinmike (Member)

Got it. I've updated the title of this issue since there aren't any known Content Security Policy violations.

A sufficiently advanced build process would likely infer that JSHint doesn't use the offending code and omit it from the final product. Unfortunately, this project's build system is not up to the task right now. I'll gladly review patches to modernize it!
