
The library has issues with CSP #10

Closed
akkie opened this issue Jun 30, 2017 · 1 comment
Comments


akkie commented Jun 30, 2017

The library uses a new Function construct, which violates the script-src CSP rule.

Please see: https://developer.chrome.com/extensions/contentSecurityPolicy#relaxing-eval

Evaluated JavaScript
The policy against eval() and its relatives like setTimeout(String), setInterval(String), and new Function(String) can be relaxed by adding 'unsafe-eval' to your policy:

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
However, we strongly recommend against doing this. These functions are notorious XSS attack vectors.

Maybe this helps to fix this issue: http://dfkaye.github.io/2014/03/14/javascript-eval-and-function-constructor/

eemeli (Owner) commented Jun 30, 2017

Make-plural uses new Function because, well, that's what it does. As described in the very first sentence of the description, "Make-plural is a JavaScript module that translates Unicode CLDR pluralization rules to JavaScript functions." In order to generate said functions, we need to do exactly that.

If you're concerned about compiling the JS functions in your live code, you should consider using the pre-compiled pluralisation functions also provided by make-plural. In addition to the default UMD module, these are available as an ES6 module with:

import plurals from 'make-plural/es6/plurals'
// English ordinal category for 3 ("3rd"); 'some' is not a CLDR plural category
plurals.en(3, true) === 'few'

Alternatively, if you need to use separately defined CLDR data, it would probably make sense for you to compile (and possibly filter) the corresponding functions in your own compile phase, rather than doing so at runtime.

@eemeli eemeli closed this as completed Apr 3, 2018
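The "compile in your own build phase" route from the reply above, as an added example that is not make-plural's own code and does not use its API: a small compiler that turns plural rules into JavaScript source text at build time, so the bundle served to a page with `script-src 'self'` (no `'unsafe-eval'`) contains only a static function literal and never calls `new Function` at runtime. The rule strings are constructed samples in a simplified subset of CLDR rule syntax (only the `n` operand, integer inputs); `EN_ORDINAL_RULES`, `RU_CARDINAL_RULES`, `compileRules`, `emitModule`, `dynamicCodeAllowed` and `instantiateForBuild` are names chosen for this example.

```javascript
// Added example (not make-plural's code): compile CLDR-style plural rules to
// JavaScript *source text* in a build step, so the shipped code contains only
// a static function and never needs 'unsafe-eval' in the page's CSP.
// Rule strings are constructed samples in a simplified CLDR subset: only the
// `n` operand, `=` / `!=`, comma lists and `a..b` ranges, with `and` binding
// tighter than `or`. 'other' is the implicit fallback category.

const EN_ORDINAL_RULES = {            // categories plurals.en(n, true) distinguishes
  one: 'n % 10 = 1 and n % 100 != 11',
  two: 'n % 10 = 2 and n % 100 != 12',
  few: 'n % 10 = 3 and n % 100 != 13',
};
const RU_CARDINAL_RULES = {           // integer-only approximation; shows ranges and `or`
  one: 'n % 10 = 1 and n % 100 != 11',
  few: 'n % 10 = 2..4 and n % 100 != 12..14',
  many: 'n % 10 = 0 or n % 10 = 5..9 or n % 100 = 11..14',
};

const CATEGORIES = new Set(['zero', 'one', 'two', 'few', 'many']);

// One relation such as "n % 10 = 2..4" to a JS boolean expression. The regex
// admits only digits on the right-hand side, so rule data that came from an
// untrusted source cannot smuggle code into the generated program text.
function relationToJs(rel) {
  const m = /^n(?:\s*%\s*(\d+))?\s*(!?=)\s*([\d.,\s]+)$/.exec(rel.trim());
  if (!m) throw new Error('unsupported relation: ' + rel);
  const operand = m[1] ? `(n % ${Number(m[1])})` : 'n';
  const tests = m[3].split(',').map((v) => {
    const r = v.trim().split('..').map(Number);
    return r.length === 2
      ? `(${operand} >= ${r[0]} && ${operand} <= ${r[1]})`
      : `${operand} === ${r[0]}`;
  });
  const expr = tests.join(' || ');
  return m[2] === '!=' ? `!(${expr})` : `(${expr})`;
}

// "a and b or c"  ->  "(a && b) || (c)"
function conditionToJs(cond) {
  return cond
    .split(/\s+or\s+/)
    .map((conj) => '(' + conj.split(/\s+and\s+/).map(relationToJs).join(' && ') + ')')
    .join(' || ');
}

// Source text of a function mapping n to its CLDR category.
function compileRules(rules) {
  const branches = Object.entries(rules).map(([cat, cond]) => {
    if (!CATEGORIES.has(cat)) throw new Error('unknown category: ' + cat);
    return `  if (${conditionToJs(cond)}) return '${cat}';`;
  });
  return ['function (n) {', '  n = Math.abs(Number(n));', ...branches,
          "  return 'other';", '}'].join('\n');
}

// ES module text the build writes to disk; nothing in it requires eval.
function emitModule(locale, rules) {
  if (!/^[a-z]{2,3}$/.test(locale)) throw new Error('bad locale id: ' + locale);
  return `export const ${locale} = ${compileRules(rules)};\n`;
}

// Under a CSP without 'unsafe-eval' the browser throws an EvalError here.
// Node, where the build runs, enforces no CSP, so this returns true.
function dynamicCodeAllowed() {
  try { return new Function('return true')() === true; } catch (e) { return false; }
}

// Build-time only: instantiate generated source to test it before emitting it.
function instantiateForBuild(source) {
  if (!dynamicCodeAllowed()) {
    throw new Error('new Function is blocked by CSP; run this in the build, not in the page');
  }
  return new Function('return ' + source)();
}

if (typeof require !== 'undefined' && require.main === module) {
  process.stdout.write(emitModule('en', EN_ORDINAL_RULES));
  process.stdout.write(emitModule('ru', RU_CARDINAL_RULES));
}
```

Running the file with node prints the two generated modules; only `instantiateForBuild` touches `new Function`, and it refuses to run where CSP forbids it, so a bundle that accidentally pulls the build step into the page fails loudly instead of silently losing pluralisation.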