Add post-compiler for CSP-safe version.

[RReverser]

Ported from https://github.com/RReverser/acorn-csp.
Fixes #90.
Fixes #123.

@marijnh Added as per request. Please note that I've added precompiled version of current acorn.js, but for further compilations this still requires hook on your side (probably in the same place where you call update_authors.sh).

[marijnh]

I don't want to have the generated file in the git repository, and I also don't want to incur unneeded dependencies. See commit 91911bc for an alternative implementation.

The downside of that is that people won't be able to simply include the file, since they have to build it themselves first. Would it be appropriate to do this as an npm install step?

[marijnh]

Actually, it seems npm's "prepublish" step would be perfect for this. I'll follow up with another patch later.

[RReverser]

recast-based version generates file closer to an original one, that's why I liked it more - code remains as readable as in acorn.js.

[RReverser]

Oh, you're doing regex replaces... don't really like that approach for any source code modifications.

[marijnh]

I'm doing a single, relatively robust regexp replace to extract the resulting predicate functions. The actual result replacements are done using the offset information in the AST.

[RReverser]

Ok, whatever. Glad that you've found dependency-free solution, just sorry that mine resulted in waste of time :/

[RReverser]

The downside of that is that people won't be able to simply include the file, since they have to build it themselves first. Would it be appropriate to do this as an npm install step?

I don't think that npm command might be that useful for those who wants CSP version (since it's intended to be used in browser). Would be better to still have ready-to-use version that is as easy to download as acorn.js itself.

[marijnh]

The easiest way to get Acorn is from npm. The new release (0.8.0) has, through the "prepublish" directive, an acorn_csp.js file in the npm package. That seems sufficient to me.

[RReverser]

It's easiest for npm users. Most browser users still simply download acorn.js from repo as-is, without need for installing acorn somewhere and executing prepublish script.

[getify]

It seems pretty unlikely that "most browser users" (as you put it), who ostensibly aren't doing any sort of back-end node stuff if they don't use npm, would be doing things like running a custom JS parser in a web worker. That's a pretty highly specialized task so the subset of those who would do that but who wouldn't do node/npm has got to be pretty small if not empty.

[saambarati]

What's the reason for not making the acorn.js file CSP safe?

[RReverser]

@getify It's not about impossibility to achieve result but about convenience. I don't see any particular reason for not putting both files into the repo with hook, while I do see benefit for this. With the same success, users could still use external wrapper or builder that was provided before.

[RReverser]

@saambarati Makes file significantly bigger with no benefit for 90% of cases.

[saambarati]

@RReverser how much bigger?