Incompatible with content-security-policy without unsafe-eval

[fzembow]

Hi! Thanks for maintaining this - I've been using both at work and for personal projects. Great to be able to quickly put together useful graphs.

Recently, I'm using this in an Electron app, which by default has a strict content security policy, blocking eval unless unsafe-eval is explicitly specified, which I wouldn't want to enable for security reasons.

Unfortunately, this line violates the policy, since the Function() constructor is effectively eval.

const globalNS: any = new Function("return this;")();

---

Perhaps we could use globalThis to get a reference to the global object, no matter the environment, which has decent browser support at this point (aside from IE)? WASM doesn't work in IE11 anyways so we wouldn't be losing much. Not sure if there is much node usage of this module but globalThis was introduced in node 12. The previous node release, 10, is being end-of-lifed on 2021-04-30.

---

Let me know and I could make a PR for it!

[GordonSmith]

FYI the graphviz team are planning a 2.47.0 release on Monday so I can release this fix in tandem with that?

[fzembow]

Oh that would be perfect - no rush on my end :)

Have a pleasant weekend!