f / graphql.js

A Simple and Isomorphic GraphQL Client for JavaScript

Update fragmentPath method to not use Function constructor (CSP 'unsafe-eval' issue)

jketcham opened this issue

I'm testing out this module in a browser extension and get a CSP error because of the Function constructor used in the fragmentPath method here (trips the 'unsafe-eval' source expression for the 'script-src' directive; more info). This prevents me from using the module as-is with my extension's CSP.

In my testing, I was able to just replace that Function constructor:

var getter = new Function("fragments", "return fragments." + path.replace(/\./g, FRAGMENT_SEPERATOR));

with this:

var obj = fragments[path.replace(/\./g, FRAGMENT_SEPERATOR)];

Without issue.

Is this a change that would be considered for the module? Or am I missing something that requires the current usage?

Thanks!
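The two lookups from the issue above, compared side by side as an added example (not code from the issue or from the graphql.js project). The separator value, the sample fragment table, and the own-property check are assumptions made for illustration.

```javascript
// Assumption: the separator's value is not shown in the issue; "_" is used for illustration.
var FRAGMENT_SEPERATOR = "_";

// Constructed sample fragment table with flattened keys, as the replace() in the issue implies.
var sampleFragments = {
  user_basic: "on User { id name }",
  user_auth_token: "on User { token }"
};

// Approach quoted in the issue: the path is compiled into source code.
// A CSP whose script-src lacks 'unsafe-eval' blocks this call in the browser.
function fragmentPathEval(fragments, path) {
  var getter = new Function("fragments", "return fragments." + path.replace(/\./g, FRAGMENT_SEPERATOR));
  return getter(fragments);
}

// Eval-free approach proposed in the issue: the path is only ever used as a key.
// The own-property check is an addition here, so inherited keys such as
// "constructor" are not returned as if they were fragments.
function fragmentPathLookup(fragments, path) {
  var key = path.replace(/\./g, FRAGMENT_SEPERATOR);
  if (!Object.prototype.hasOwnProperty.call(fragments, key)) return undefined;
  return fragments[key];
}

// Run both implementations over a list of paths; an exception is recorded by name.
function compare(fragments, paths) {
  return paths.map(function (p) {
    var viaLookup = fragmentPathLookup(fragments, p);
    var viaEval;
    try { viaEval = fragmentPathEval(fragments, p); } catch (e) { viaEval = e.name; }
    return { path: p, viaEval: viaEval, viaLookup: viaLookup, same: viaEval === viaLookup };
  });
}

// "user-basic" is not a valid identifier chain, so the compiled getter parses it
// as an expression, while the key lookup simply finds nothing.
console.log(compare(sampleFragments, ["user.basic", "user.auth.token", "user.missing", "user-basic"]));
```

For well-formed dotted paths the two functions agree; they diverge only where the compiled version treats the path as code or walks the prototype chain.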