csp-header package is not treeshakable.

[alexandersorokin]

I'm using the csp-header package in a browser environment to dynamically build Content Security Policies, which are then included in child iframes via meta tags.

Currently, the package only provides an CommonJS version, which prevents Vite and Rollup from tree-shaking unused code. This results in unnecessary constants being included in the final bundle.

Would you consider:

1. Adding native ESM support (e.g., through .mjs files)?
2. Or providing a dual CJS/ESM build (for example via the exports field or the module field in package.json)?