
Use pixi.js/unsafe-eval polyfills to remove unsafe-eval CSP requirement#1773

Open
Copilot wants to merge 5 commits into main from copilot/fix-unsafe-eval-bug

Conversation


Copilot AI commented Feb 27, 2026

Rapid requires unsafe-eval in the Content Security Policy because pixi.js v8 uses new Function() for dynamic code generation (uniform syncing, shader syncing, UBO sync, particle updates). iD does not have this requirement.

Change

pixi.js 8.x ships a pixi.js/unsafe-eval submodule that monkey-patches the relevant prototype methods with static polyfill equivalents, eliminating the new Function() calls entirely.

Import it at the top of GraphicsSystem.js before pixi.js initializes:

import 'pixi.js/unsafe-eval';
import * as PIXI from 'pixi.js';

This installs polyfills for:

  • GlUniformGroupSystem._generateUniformsSync
  • GlUboSystem._generateUboSync / GpuUboSystem._generateUboSync
  • GlShaderSystem._generateShaderSync
  • ParticleBuffer.generateParticleUpdate

Rapid now works under a strict script-src 'self' CSP with no unsafe-eval allowance.

Original prompt

This section details the original issue you should resolve

<issue_title>Current environment does not allow unsafe-eval, please use pixi.js/unsafe-eval module to enable support.</issue_title>
<issue_description>### Description

Rapid requires an 'unsafe-eval' CSP flag, whereas iD does not. I don't believe it is necessary to require unsafe evaluations, and thus I consider this a bug.

Screenshots

No response

Version

2.5.2

What browser are you seeing the problem on? What version are you running?

Chrome v137

The OS you're using

No response

Steps to reproduce

Set the following response header:

content-security-policy: script-src 'self'

The browser URL at the time you encountered the bug

Unavailable

The auto-detected useragent string for your browser (leave blank if you're manually filling this form out)

No response</issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI and others added 3 commits February 27, 2026 22:37
Co-authored-by: jenningsanderson <1637425+jenningsanderson@users.noreply.github.com>
…onments

Co-authored-by: jenningsanderson <1637425+jenningsanderson@users.noreply.github.com>
Co-authored-by: jenningsanderson <1637425+jenningsanderson@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix unsafe-eval requirement in current environment Use pixi.js/unsafe-eval polyfills to remove unsafe-eval CSP requirement Feb 27, 2026
@jenningsanderson jenningsanderson marked this pull request as ready for review March 2, 2026 23:12
Contributor

@brad-richardson brad-richardson left a comment


It seems like the package lock change is unnecessary given no package.json change, but otherwise looks fine

Contributor

Copilot AI left a comment


Pull request overview

This PR aims to remove Rapid’s need for script-src 'unsafe-eval' by enabling PixiJS v8’s pixi.js/unsafe-eval polyfills, which avoid new Function() at runtime and should allow running under a strict CSP.

Changes:

  • Add a side-effect import of pixi.js/unsafe-eval before importing pixi.js in GraphicsSystem.js.
  • Update package-lock.json (introducing additional platform-specific optional dependency entries).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File: modules/core/GraphicsSystem.js
Description: Adds the Pixi unsafe-eval polyfill import intended to remove the CSP unsafe-eval requirement.

File: package-lock.json
Description: Lockfile updated with additional optional/platform packages (notably esbuild/resvg variants).


Comment on lines +1 to 2
import 'pixi.js/unsafe-eval';
import * as PIXI from 'pixi.js';
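Review bot: a side-effect-only import on line 1 is the whole fix, yet nothing in this change verifies it actually takes effect: the review below already notes that other modules import pixi.js before GraphicsSystem.js, and a bundler may also drop an import whose module it believes has no side effects. Move `import 'pixi.js/unsafe-eval';` to the application entry module (or a bootstrap module every pixi.js importer depends on), confirm in the built bundle that the polyfill module is still present and evaluated first, and add a CI check that loads the built app with the `content-security-policy: script-src 'self'` header from the issue's reproduction steps and fails on an EvalError, so a future import reordering cannot silently reintroduce the unsafe-eval requirement.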

Copilot AI Mar 2, 2026


pixi.js/unsafe-eval needs to be loaded before Pixi generates any new Function()-based sync functions. In this codebase, several modules import from pixi.js (e.g. modules/core/AbstractSystem.js, modules/Context.js) before GraphicsSystem.js is reached, so this import may not reliably run first. Consider moving the side-effect import to the earliest application entry module (or a dedicated Pixi bootstrap module that all Pixi imports depend on) to guarantee it executes before any pixi.js import/evaluation.

…1776)

* Initial plan

* Fix arrow function this context in missing_role.js onClick handlers

Co-authored-by: jenningsanderson <1637425+jenningsanderson@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: jenningsanderson <1637425+jenningsanderson@users.noreply.github.com>

Development

Successfully merging this pull request may close these issues.

Current environment does not allow unsafe-eval, please use pixi.js/unsafe-eval module to enable support.

4 participants