Update text component to fix unsafe-eval error with a strict CSP

[vincentfretin]

Update three-bmfont-text version to include dmarcos/three-bmfont-text#5 to avoid using "new Function()" that triggers unsafe-eval error with a strict CSP (Content Security Policy), see #5028 for context.
Add a unsafe-eval error non regression test that runs in CI with Chrome and Firefox.

[vincentfretin]

Test is failing as expected until the other PR is merged and this PR is rebased

SUMMARY:
✔ 1163 tests completed
ℹ 17 tests skipped
✖ 1 test failed

FAILED TESTS:
  text component CSP
    ✖ loading the A-Frame bundle does not require unsafe-eval
      Chrome 148.0.0.0 (Linux x86_64)
    Error: Loading the A-Frame bundle triggered a CSP unsafe-eval violation: script-src eval. The text component dependency three-bmfont-text must not use eval() / new Function().
        at check (build/commons.js:250863:21)

[mrxz]

Small nitpick: the test explicitly mentions the text component (in its name and failure messages), but the tested condition that there are no CSP violation when loading the A-Frame bundle is generic. Ultimately it doesn't matter where/how an eval/new Function gets pulled in, this test will catch that regression.

[vincentfretin]

You're absolutely right.
I moved tests/components/text-csp.test.js to tests/csp/no-unsafe-eval.test.js and the error now says:
Error: Loading the A-Frame bundle triggered a CSP unsafe-eval violation: script-src eval. The bundle (or one of its dependencies) must not use eval() / new Function()

[vincentfretin]

Locally the test is green, but in CI it's failing.
I reproduce it locally with
TEST_ENV=ci npm run test:chrome

The in-memory commons.js is istanbul-instrumented under TEST_ENV=ci, and istanbul injects a new Function("return this")() (its global-object lookup) into every instrumented src/ module.

I'll write the test in another way.

[vincentfretin]

The test pass on Chrome and Firefox. I updated the PR title and description.

[dmarcos]

Thank you!