Is there any possible way the use of 'eval' could be removed from the library? (I realise this might be quite an integral part)

We are having issues with it triggering security warnings around - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

Apparently as part of tightening security using CSP headers eval() is increasingly non-viable.

We're having issues too. Replacing the whole _globals section with window.doT = doT; gets past the first hurdle, but after that, the rest of the code is heavily based on new Function which is eval() in disguise.

We have also ran into this issue with an NPM module due to doT being used as a transient dependency. Using eval is a definite code smell/bad pattern from a security perspective. Is this project under active maintenance anymore? This seems to be a rather contentious issue to ignore.

I had set the Content-Security-Policy to
"script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'self'"
fix the error

The solution is to either allow eval (as above) or better to precompile templates as part of build step and deploy functions.