
fix: update wasm-bindgen to 0.2.109 for CSP compatibility#367

Open

sawa-zen wants to merge 1 commit into dimforge:master from sawa-zen:fix/update-wasm-bindgen-csp

Conversation

@sawa-zen

Summary

Update wasm-bindgen from 0.2.100 to 0.2.109 in the Cargo.toml template to remove the new Function() fallback that requires 'unsafe-eval' in CSP.

Problem

The current JS glue code generated by wasm-bindgen 0.2.100 includes:

imports.wbg.__wbg_newnoargs = function(arg0, arg1) {
    const ret = new Function(getStringFromWasm0(arg0, arg1));
    return addHeapObject(ret);
};

This forces applications to allow 'unsafe-eval' in their Content-Security-Policy script-src directive, which is a significant security downgrade — it permits arbitrary eval() and new Function() calls.

Solution

wasm-bindgen 0.2.109 (PR #4910) removed the new Function("return this") fallback entirely in favor of globalThis, which is supported in all modern browsers.

This is a one-line change to builds/prepare_builds/templates/Cargo.toml.tera. After rebuilding, applications can use the much safer 'wasm-unsafe-eval' (which only permits WebAssembly compilation) instead of 'unsafe-eval'.

Notes

  • Only the template is changed. Cargo.lock will be updated automatically during the next wasm-pack build.
  • globalThis browser support: Chrome 71+, Firefox 65+, Safari 12.1+ (caniuse)

Closes #366

wasm-bindgen 0.2.109 removed the `new Function("return this")` fallback
for getting the global object (PR wasm-bindgen/wasm-bindgen#4910),
which required `'unsafe-eval'` in Content-Security-Policy `script-src`.

With this update, applications using @dimforge/rapier3d-compat can use
the more restrictive `'wasm-unsafe-eval'` instead of `'unsafe-eval'`,
blocking JavaScript eval() while still allowing WebAssembly compilation.

Refs: dimforge#366
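The check a downstream user would want before relaxing or tightening their policy, as an added example that is not code from rapier, wasm-bindgen or the PR author: a small scanner that flags the constructs CSP's 'unsafe-eval' gate covers (the Function constructor and eval) in a wasm-bindgen JS glue file, together with a CSP header parser that reports whether script-src (or its default-src fallback) grants JavaScript eval, WebAssembly compilation, or neither. The two glue samples are constructed here: OLD_GLUE is the fragment quoted in the PR; NEW_GLUE is an assumed globalThis-based equivalent, not text copied from any wasm-bindgen release. The pattern matching is heuristic and should be run against the actual generated glue, not a hand-written excerpt.

```javascript
// Added example, not code from rapier or wasm-bindgen: audit a wasm-bindgen JS
// glue file for constructs that force 'unsafe-eval', then check whether a CSP
// header grants only what the glue actually needs.

// Constructed sample of the pre-0.2.109 glue (the fragment quoted in the PR).
const OLD_GLUE = `
imports.wbg.__wbg_newnoargs = function(arg0, arg1) {
    const ret = new Function(getStringFromWasm0(arg0, arg1));
    return addHeapObject(ret);
};
`;

// Constructed (assumed) sample of glue that reaches the global object via
// globalThis; WebAssembly compilation is the only thing CSP must still allow.
const NEW_GLUE = `
const ret = globalThis;
const { instance } = await WebAssembly.instantiate(bytes, imports);
`;

// Constructs gated by 'unsafe-eval' that 'wasm-unsafe-eval' does not permit.
// The lookbehind keeps member calls such as obj.eval() from matching.
const EVAL_PATTERNS = [
  { name: 'Function constructor', re: /(?<![\w.])(?:new\s+)?Function\s*\(/ },
  { name: 'eval()', re: /(?<![\w.])eval\s*\(/ },
];

// Scan glue text line by line; returns [{ line, name, text }].
function findEvalConstructs(glue) {
  const findings = [];
  glue.split('\n').forEach((text, i) => {
    for (const { name, re } of EVAL_PATTERNS) {
      if (re.test(text)) findings.push({ line: i + 1, name, text: text.trim() });
    }
  });
  return findings;
}

// The weakest script-src keyword that still lets this glue run.
function requiredCspKeyword(glue) {
  return findEvalConstructs(glue).length > 0 ? "'unsafe-eval'" : "'wasm-unsafe-eval'";
}

// Parse a Content-Security-Policy header into { directive: [tokens] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...values] = tokens;
    policy[directive.toLowerCase()] = values.map((v) => v.toLowerCase());
  }
  return policy;
}

// script-src governs both eval and WebAssembly compilation. It falls back to
// default-src when absent; with neither present the policy imposes no limit.
function assessCsp(header) {
  const policy = parseCsp(header);
  const src = policy['script-src'] || policy['default-src'];
  if (src === undefined) {
    return { restricted: false, allowsJsEval: true, allowsWasmCompile: true };
  }
  const unsafeEval = src.includes("'unsafe-eval'");
  return {
    restricted: true,
    allowsJsEval: unsafeEval,
    // 'unsafe-eval' implies wasm compilation; 'wasm-unsafe-eval' grants only that.
    allowsWasmCompile: unsafeEval || src.includes("'wasm-unsafe-eval'"),
  };
}

// Does this header let this glue run, and does it grant more than the glue needs?
function checkGlueAgainstCsp(glue, header) {
  const needsJsEval = findEvalConstructs(glue).length > 0;
  const csp = assessCsp(header);
  return {
    runs: csp.allowsWasmCompile && (!needsJsEval || csp.allowsJsEval),
    overPrivileged: csp.allowsJsEval && !needsJsEval,
  };
}

// Stand-alone run: report both samples against a 'wasm-unsafe-eval'-only policy.
const POLICY = "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'";
for (const [label, glue] of [['old glue', OLD_GLUE], ['new glue', NEW_GLUE]]) {
  console.log(label, requiredCspKeyword(glue), checkGlueAgainstCsp(glue, POLICY));
}
```

Run it with node against the real glue by replacing the constructed strings with the contents of the generated .js file. With the old glue, a 'wasm-unsafe-eval'-only policy reports runs: false, which is exactly the failure the PR describes; with globalThis-based glue it reports runs: true, and a policy that still carries 'unsafe-eval' is flagged as overPrivileged.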
@sawa-zen (Author)

Hi @sebcrozet, friendly bump on this PR. 🙂

This is a minimal one-line change (bumping wasm-bindgen from 0.2.100 → 0.2.109) that lets downstream users drop 'unsafe-eval' from their CSP in favor of the much safer 'wasm-unsafe-eval'. It would be great to get this into the next release.

Happy to address any feedback if needed. Thanks for maintaining Rapier!



Development

Successfully merging this pull request may close these issues.

Update wasm-bindgen to 0.2.109+ to remove unsafe-eval CSP requirement