Update to version 0.5.2 of js-compute-runtime

This version of js-compute-runtime includes  a security fix for the `crypto.getRandomValues` method to ensure it always uses sufficiently random values. The previous version when compiled to WebAssembly, would use the same seed value for each execution of the WebAssembly module, meaning the sequence of numbers generated was predictable for a specific WebAssembly module. The new version uses a different seed value for each execution.

Author: Jake Champion

sdk/js-compute/CHANGELOG.md

@@ -1,19 +1,37 @@
-## 0.5.2
+## 0.5.3 (2022-09-16)
 
-### Fixes
+### Security Fixes
+
+* [CVE-2022-39218](https://github.com/fastly/js-compute-runtime/security/advisories/GHSA-cmr8-5w4c-44v8): 
+  Fixed `Math.random` and `crypto.getRandomValues` methods to always use sufficiently random values. The previous versions would use a PRNG (pseudorandom number generator) which we would seed with a random value however due to our use of [Wizer](https://github.com/bytecodealliance/wizer), the initial value to seed the PRNG was baked-in to the final WebAssembly module meaning the sequence of numbers generated was predictable for that specific WebAssembly module. The new implementations of both `Math.random` and `crypto.getRandomValues` do not use a PRNG and instead pull random values from WASI (WebAssembly System Interface) libc’s `random_get` function, which is always a sufficiently random value.
+  
+  An attacker with access to the same WebAssembly module that calls the affected methods could use the fixed seed to predict random numbers generated by these functions. This information could be used to bypass cryptographic security controls, for example to disclose sensitive data encrypted by functions that use these generators.
+
+  Developers should update affected modules after applying this patch. Any secrets generated using affected versions should be rotated. Any sensitive ciphertext generated using affected versions should be considered unsafe, e.g. and be deleted or re-generated.
+  
+### Fixed
+
+- Updated the Typescript definitions for the `console` methods to indicate that they now accept any number of objects. ([#258](https://github.com/fastly/js-compute-runtime/pull/258))
+
+- Store the Object-Store key string into a native object to avoid it becoming garbage collected before being used within `ObjectStore.prototype.get` or `ObjectStore.prototype.put` (([381242](https://github.com/fastly/js-compute-runtime/commit/3812425a955e52c2fd7229e762ef3e691cb78745))
+
+
+## 0.5.2 (2022-09-02)
+
+### Fixed
 
 - Explicitly declare void as the return type for functions which return nothing - this allows our package to work with typescript's `strict:true` option ([#253](https://github.com/fastly/js-compute-runtime/pull/253))
 
-- Declare ambient types for our npm package instead of exports as we do not yet export anythink from the package ([#252](https://github.com/fastly/js-compute-runtime/pull/252))
+- Declare ambient types for our npm package instead of exports as we do not yet export anything from the package ([#252](https://github.com/fastly/js-compute-runtime/pull/252))
 
 
-## 0.5.1
+## 0.5.1 (2022-08-31)
 
-### Fixes
+### Fixed
 
 - Removed `type: "module"` from the @fastly/js-compute package.json file as the package still uses `require`
 
-## 0.5.0
+## 0.5.0 (2022-08-30)
 
 ### Features
 
@@ -79,36 +97,41 @@ console.log(request); // outputs `Request: {method: POST, url: https://www.fastl
 ```
 
 
-### Summary
+### Added
 
 * Implemented ObjectStore and ObjectStoreEntry classes for interacting with Fastly ObjectStore ([#110](https://github.com/fastly/js-compute-runtime/issues/110))
-* Improved console output for all types ([#204](https://github.com/fastly/js-compute-runtime/issues/204))
 * add btoa and atob native implementations ([#227](https://github.com/fastly/js-compute-runtime/issues/227)) ([8b8c31f](https://github.com/fastly/js-compute-runtime/commit/8b8c31fa9ad70337b1060a3242b8e3495ae47df3))
 
+### Changed
+
+* Improved console output for all types ([#204](https://github.com/fastly/js-compute-runtime/issues/204))
 
-## 0.4.0
+## 0.4.0 (2022-07-28)
 
-### Enhancements
+### Added
 
 - Implement the DecompressionStream builtin [`#160`](https://github.com/fastly/js-compute-runtime/pull/160)
 - Improve performace of Regular Expression literals via precompilation [`#146`](https://github.com/fastly/js-compute-runtime/pull/146)
 
-### Fixes
+### Fixed
 
 - Calling `tee` on the client request no longer causes the application to hang [`#156`](https://github.com/fastly/js-compute-runtime/pull/156)
 
 ## 0.3.0 (2022-06-29)
 
-### Enhancements
+### Added
 
 - Implement the CompressionStream builtin
   [#84](https://github.com/fastly/js-compute-runtime/pull/84)
+
+### Changed
+
 - Removed the requirement for a fastly.toml file to be present when using js-compute-runtimes CLI to compile a WASM file
 - **Breaking change:** Removed --skip-pkg argument from js-compute-runtime's CLI
   [#108](https://github.com/fastly/js-compute-runtime/pull/108)
 - **Breaking change:** Removed `console.trace` method
 
-### Fixes
+### Fixed
 
 - Fix the response error message text
 - Throw an error if constructors are called as plain functions

sdk/js-compute/package-lock.json

@@ -1,7 +1,7 @@
 {
   "name": "@fastly/js-compute",
-  "version": "0.5.2",
-  "js-compute-runtime-version": "0.5.0",
+  "version": "0.5.3",
+  "js-compute-runtime-version": "0.5.2",
   "engines": {
     "node": "^16 || ^18"
   },
@@ -39,4 +39,4 @@
   "dependencies": {
     "typedoc-loopingz-theme": "^1.1.3"
   }
-}
+}