by sudodevnull 434 days ago
That's the nature of anything that does this kind of work. React, Svelte, Solid. Alpine has a CSP version but it does so little that I recommend you just accept being a Web1 MPA basic site.

I have ideas around ways around this but it's a per language template middleware.

4 comments

Alpine CSP version works fine. You just can't write JS code in strings, which one may wish to avoid anyway.

I also didn't have a problem with CSP and HTMX.

Nor with SvelteKit.

I'm not sure why you think these are all equivalent to DataStar's hard requirement on unsafe-eval.

FYI, this is the reason I didn't try out DataStar.

Svelte only requires a CSP hole in its default config as a standalone library; SvelteKit does proper CSP by default, and if you're not using SvelteKit you can build CSP handling into whatever you are using instead. I assume the others are the same way.

Could you avoid eval by having a CSP mode that forces reactive expressions to only allow functions users have registered with datastar in a lookup table?

Is there anything I could read for a detailed explanation of the issue, in particular w.r.t. datastar?
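The registered-function lookup table proposed in the comment above, as an added example in JavaScript that is not Datastar's code or any commenter's; the tiny expression grammar, the `register`/`evaluate` names and the sample functions are assumptions made for the illustration.

```javascript
// Added example, not Datastar's or a commenter's code. Under a strict policy such as
//   Content-Security-Policy: script-src 'self'
// eval/new Function are blocked ('unsafe-eval' is absent), so this evaluator never
// compiles strings: an expression may only call registered functions and read $signals.
const registry = new Map();
function register(name, fn) {
  if (!/^[A-Za-z_]\w*$/.test(name)) throw new Error(`invalid name: ${name}`);
  registry.set(name, fn);
}
// Grammar (hypothetical): call := name '(' [arg {',' arg}] ')'   arg := call | number | 'str' | $signal
function tokenize(src) {
  const re = /\s*(?:(\$[A-Za-z_]\w*)|([A-Za-z_]\w*)|([(),])|(-?\d+(?:\.\d+)?)|'([^']*)')/y, out = [];
  for (let m; re.lastIndex < src.length; ) {
    const pos = re.lastIndex;
    if (!(m = re.exec(src))) throw new Error(`unexpected input at offset ${pos}`);
    out.push(m[1] ? { t: 'signal', v: m[1].slice(1) } : m[2] ? { t: 'name', v: m[2] }
           : m[3] ? { t: m[3] } : { t: 'lit', v: m[4] ? Number(m[4]) : m[5] });
  }
  return out;
}
function evaluate(expr, signals = {}) {
  const toks = tokenize(expr.trim());
  let i = 0;
  const expect = (t) => { if (!toks[i] || toks[i].t !== t) throw new Error(`expected ${t}`); i++; };
  function arg() {
    const k = toks[i++];
    if (!k) throw new Error('unexpected end of expression');
    if (k.t === 'lit') return k.v;
    if (k.t === 'name') return call(k.v);
    if (k.t === 'signal' && Object.prototype.hasOwnProperty.call(signals, k.v)) return signals[k.v];
    throw new Error(`bad argument: ${k.v ?? k.t}`);
  }
  function call(name) {
    const fn = registry.get(name); // the lookup table is the only route from a string to code
    if (!fn) throw new Error(`function not registered: ${name}`);
    expect('(');
    const args = [];
    while (toks[i] && toks[i].t !== ')') { if (args.length) expect(','); args.push(arg()); }
    expect(')');
    return fn(...args);
  }
  const result = arg();
  if (i !== toks.length) throw new Error('trailing input after expression');
  return result;
}
// Sample registrations (constructed for the example); anything else, e.g. alert(), is rejected.
register('concat', (...parts) => parts.join(''));
register('upper', (s) => String(s).toUpperCase());
register('add', (a, b) => a + b);
// evaluate("upper(concat('hi ', $name))", { name: 'bob' }) → 'HI BOB'
```

Unregistered names, unknown signals and malformed input all fail closed with an exception instead of reaching a string-to-code path.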