webpack-dev-server v5 seems to require 'unsafe-eval' in CSP

[G-Rath]

I'm opening this as a discussion first to get input as this could either be a bug or documentation issue with webpack-dev-server.

In a nutshell I've updated a Rails application generated using this template which defines a CSP and includes some extras for webpack-dev-server; after upgrading to v5 however, I'm now getting an error about eval'd JS:

Apparently this is happening here:

Which is from node_modules/webpack-dev-server/client/modules/logger/index.js.

---

I've had a look around and can't find anything indicating what has actually changed in v5 to cause this (my assumption is maybe a different build config, but could be something else, and this might just be the first of a number of these calls 🤷), but ideally it would be good if we could somehow avoid having to change the CSP since we want it to match as closely to production as possible for debugging and in particular enabling 'unsafe-eval' is a big one (I have tried looking into using a nonce here, but couldn't get webpack to do so?)

I'm happy to help out with this, but need some pointers from the webpack team to continue :)

[alexander-akait]

Yes, I see, let's fix it, I will see today