mourner / rbush

RBush — a high-performance JavaScript R-tree-based 2D spatial index for points and rectangles
MIT License

Using `new Function` violates common security practice #91

Closed nhusher closed 5 years ago

nhusher commented 5 years ago

This library uses new Function, which is equivalent to the eval function. Under common sense security regimes, both new Function and eval are disallowed, including in the browser using CSP.

mourner commented 5 years ago

If you're under CSP restrictions, don't use the format option. You can either use the default format, or override compareMinX, compareMinY and toBBox methods to support a custom format without eval.

photonstorm commented 5 years ago

@nhusher if you're interested, we have our own version of rbush here that we slightly modified to get around the CSP limitation, while still retaining the speed of that function.

mourner commented 5 years ago

@photonstorm any reason you decided to fork the library instead of just overriding the methods above? I think switching back to a direct dependency would be beneficial — you would get any potential bugfixes and performance improvements from upstream.

```js
// Wrap an rbush instance and override the three format-dependent methods
// instead of passing a `format` option, so no `new Function` is involved.
function customRBush(maxEntries) {
    var tree = rbush(maxEntries);
    tree.compareMinX = compareMinX;
    tree.compareMinY = compareMinY;
    tree.toBBox = toBBox;
    return tree;
}

// Comparators used for sorting entries along each axis.
function compareMinX(a, b) { return a.left - b.left; }
function compareMinY(a, b) { return a.top - b.top; }

// Map an item in the custom {left, top, right, bottom} shape
// to the {minX, minY, maxX, maxY} box rbush expects.
function toBBox(a) {
    return {
        minX: a.left,
        minY: a.top,
        maxX: a.right,
        maxY: a.bottom
    };
}
```

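
The override approach above, generalized as an added example that is not code from this thread or from rbush itself: a small helper that turns accessor strings in the style of rbush v2's `format` option (assumed here to be either a property access such as `.left` or an index such as `[0]`) into `compareMinX`, `compareMinY` and `toBBox` closures, so the convenience of a declarative format is kept without `new Function` and therefore works under a CSP that forbids eval. The names `makeGetter`, `cspSafeFormat` and `applyFormat` are this example's own.

```javascript
// Added example, not from rbush or this thread. Builds the three methods that
// rbush lets you override (compareMinX, compareMinY, toBBox) from accessor
// strings in the style of rbush v2's `format` option (assumption: each entry
// is a property access like '.left' or an index like '[0]'), using closures
// instead of `new Function`, so it runs under a CSP that forbids eval.

const ACCESSOR = /^(?:\.([A-Za-z_$][\w$]*)|\[(\d+)\])$/;

// Turn one accessor string into a getter. Anything outside the strict
// grammar is rejected rather than being interpreted as code.
function makeGetter(accessor) {
  const m = ACCESSOR.exec(accessor);
  if (!m) throw new TypeError(`unsupported accessor: ${accessor}`);
  const key = m[1] !== undefined ? m[1] : Number(m[2]);
  return (item) => item[key];
}

// Returns the three overridable methods for a given format, e.g.
// ['.left', '.top', '.right', '.bottom'] or ['[0]', '[1]', '[2]', '[3]'].
function cspSafeFormat(format) {
  if (!Array.isArray(format) || format.length !== 4) {
    throw new TypeError('format must be an array of four accessor strings');
  }
  const [minX, minY, maxX, maxY] = format.map(makeGetter);
  return {
    compareMinX: (a, b) => minX(a) - minX(b),
    compareMinY: (a, b) => minY(a) - minY(b),
    toBBox: (a) => ({ minX: minX(a), minY: minY(a), maxX: maxX(a), maxY: maxY(a) }),
  };
}

// Attach the methods to a tree instance the same way the thread does
// (tree.compareMinX = ...), without touching rbush internals.
// Usage: const tree = applyFormat(rbush(16), ['.left', '.top', '.right', '.bottom']);
function applyFormat(tree, format) {
  return Object.assign(tree, cspSafeFormat(format));
}
```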
photonstorm commented 5 years ago

@mourner The main reason is because we needed a different way of requiring QuickSelect. You only release new versions once a year (if that) and they're generally really small updates, so it's trivial to manage from our end. If you were in a rapid development cycle then we'd do it differently, but I'm quite glad it's nice and stable and rarely changing.

mourner commented 5 years ago

Note that RBush v3.0 eliminates eval and is fully CSP-compliant. See #93