Plotly version issue / disable all networking with CSP ?

[unfailingsalvage1448]

Hi all,
I'm developing a desktop app with plotly that is supposed to run fully offline and not try to connect to any external resources.

There seems to be a bug with plotly so it grabs a maplibre related css file from unpkg (plotly/plotly.js#7139).

I tried to downgrade to various versions of plotly <5.24.0 before the switch from mapbox to maplibre (plotly/plotly.js#5578) was made by putting it in my package.json stlite dependencies with "plotly==5.20.0". Upgrading to plotly 6.0.0rc0 also did not work.

But after rebuilding the app by deleting the dist, build, node_modules folders, I still see it trying to connecct to unpkg in the dev tools network monitor. When running "npm run dump", I see "'plotly', 'plotly-5.20.0.data', 'plotly-5.20.0.dist-info'" in "site packages". Since the first plotly packages does not have a version assigned, I'm wondering if that is why the downgrade does not seem to be working. Maybe it grabs a more recent version? Or is plotly a special case, because I see pyodide grabbing all other wheels except plotly?

I guess now my question is, am I incorrectly downgrading the version? Is there maybe some way to block these requests to unpkg, because my app still works without them.

Is there a way to disable all network access with CSP, like referenced here #744? Can I do that as a stlite user, maybe by defining CSPs via the package.json file?