
Fix(csp): remove unsafe-eval requirement for Vue3 production builds#4159

Merged
ildyria merged 1 commit into master from fix-unsafe-eval on Mar 8, 2026

Conversation

@ildyria (Member) commented Mar 8, 2026

Fixes #3764

  • Switch from full Vue build (with compiler) to runtime-only build
  • Runtime-only build doesn't require unsafe-eval CSP directive
  • Update app initialization to pass root component to createApp()
  • Explicitly disable unsafe-eval in DisableCSP middleware for production
  • Development mode (with hot reload) continues to disable CSP entirely

The full Vue build includes the template compiler, which uses new Function() internally, requiring unsafe-eval. Since we use pre-compiled .vue SFCs, the runtime-only build is sufficient and more secure.

Summary by CodeRabbit

  • Bug Fixes

    • Improved Content Security Policy by removing unsafe-eval relaxation.
  • Refactor

    • Updated Vue app initialization with AppComponent as root.
    • Removed global component registration of AppComponent.
    • Updated Vue build configuration to use runtime build variant.

- Switch from full Vue build (with compiler) to runtime-only build
- Runtime-only build doesn't require unsafe-eval CSP directive
- Update app initialization to pass root component to createApp()
- Explicitly disable unsafe-eval in DisableCSP middleware for production
- Development mode (with hot reload) continues to disable CSP entirely

The full Vue build includes the template compiler, which uses new Function()
internally, requiring unsafe-eval. Since we use pre-compiled .vue SFCs,
the runtime-only build is sufficient and more secure.

Closes #4158
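The switch the PR describes, as an added example that is not Lychee's own code: the Vite alias for the two Vue builds, the CSP script-src each one needs, and a build-time scan a deploy pipeline can run over the emitted bundle to confirm nothing in it still depends on 'unsafe-eval' before the directive is dropped. The pattern list and the two sample bundles are constructed for illustration.

```typescript
// The two Vue distribution builds the PR chooses between.
const FULL_BUILD = "vue/dist/vue.esm-bundler.js";           // ships the template compiler
const RUNTIME_BUILD = "vue/dist/vue.runtime.esm-bundler.js"; // render functions only

// Vite `resolve.alias` entry for the chosen variant. Pre-compiled .vue SFCs
// already carry render functions, so they only need the runtime build.
function vueAlias(runtimeOnly: boolean): Record<string, string> {
  return { vue: runtimeOnly ? RUNTIME_BUILD : FULL_BUILD };
}

// CSP script-src sources the variant needs. The full build compiles templates
// at runtime with `new Function()`, which the browser blocks unless
// 'unsafe-eval' is listed; the runtime build never calls it.
function scriptSrc(runtimeOnly: boolean): string[] {
  const sources = ["'self'"];
  if (!runtimeOnly) sources.push("'unsafe-eval'");
  return sources;
}

// Heuristic scan of an emitted bundle for constructs gated by 'unsafe-eval'.
// Returns one finding per matching line as "line:construct". A clean result is
// a precondition for removing the directive; a hit means the build (or a
// dependency) still needs it. Minifiers can alias `Function`, so treat a clean
// scan as necessary rather than sufficient and back it with a smoke test of the
// site under the enforced CSP.
const EVAL_PATTERNS: [string, RegExp][] = [
  ["new Function()", /\bnew\s+Function\s*\(/],
  ["eval()", /\beval\s*\(/],
  ["setTimeout/setInterval(string)", /\bset(?:Timeout|Interval)\s*\(\s*["'`]/],
];

function findEvalConstructs(bundle: string): string[] {
  const findings: string[] = [];
  bundle.split("\n").forEach((line, i) => {
    for (const [name, re] of EVAL_PATTERNS) {
      if (re.test(line)) findings.push(`${i + 1}:${name}`);
    }
  });
  return findings;
}

// Constructed samples, not real Vue output: the first mimics the compiler's
// compile-to-function path, the second a runtime-only bundle.
const FULL_SAMPLE =
  "function compileToFunction(t){const c=compile(t).code;\nreturn new Function(c)()}";
const RUNTIME_SAMPLE =
  "function createApp(r){const a=ensureRenderer().createApp(r);\nreturn a}";
```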
@ildyria ildyria requested a review from a team as a code owner March 8, 2026 14:38
@coderabbitai bot commented Mar 8, 2026

No actionable comments were generated in the recent review. 🎉

Recent review info

Run configuration: Organization UI; review profile: CHILL; plan: Pro; run ID: bac29600-e663-4aee-8159-021019089864

Commits: reviewing files that changed from the base of the PR and between 57c748f and f6a1212.

Files selected for processing (4):
  • app/Http/Middleware/DisableCSP.php
  • resources/js/app.ts
  • vite.config.ts
  • vite.embed.config.ts

Files with no reviewable changes (1):
  • app/Http/Middleware/DisableCSP.php

Walkthrough

The PR updates Vue build configuration from the full ESM bundler to the runtime-only variant, restructures Vue app initialization to use AppComponent as the root directly, and removes CSP unsafe-eval relaxation from the middleware.

Changes

Cohort / File(s): Vue Build Configuration (vite.config.ts, vite.embed.config.ts)
Summary: Updated Vue alias from vue/dist/vue.esm-bundler.js to vue/dist/vue.runtime.esm-bundler.js, switching to the runtime-only build variant for bundling.

Cohort / File(s): Vue App Initialization (resources/js/app.ts)
Summary: Changed root app creation from createApp({}) to createApp(AppComponent) and removed global component registration of AppComponent.

Cohort / File(s): CSP Middleware (app/Http/Middleware/DisableCSP.php)
Summary: Removed CSP unsafe-eval relaxation configuration for VueJS, eliminating lines that previously enabled secure-headers.csp.script-src.unsafe-eval.

Cohort / File(s): Package Dependencies (package.json)
Summary: Minor dependency version update with one addition and two removals.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A runtime bundle hops into place,
CSP tightens with newfound grace,
AppComponent takes the spotlight's crown,
No more unsafe scripts weigh us down!
Vue optimized, sleek and lean—
The fastest build we've ever seen! ✨

Pre-merge checks: 1 passed

Check name: Docstring Coverage
Status: Passed
Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@ildyria ildyria merged commit 13e96a6 into master Mar 8, 2026
45 checks passed
@ildyria ildyria deleted the fix-unsafe-eval branch March 8, 2026 15:28