Upgrade wasmtime to v43#901
Open
zoosky wants to merge 1 commit into
Open
Conversation
v43.0.1 patches the 2026-04-09 security advisory cluster which includes 41.0.4 in the affected range, including two critical sandbox-escape advisories (GHSA-jhxm-h53p-jm7w on aarch64 Cranelift, GHSA-xx5w-cvp6-jv83 on Winch). The 41.x line has no patch release for these. v42 introduced its own wasmtime::Error/Result types instead of re-exporting anyhow. The runtime keeps anyhow::Error as the public SDK error type and converts at the wasmtime boundary using ToWasmtimeResult and the From<wasmtime::Error> for anyhow::Error impl that v43 fixed for downcasts (PR #12689 upstream), preserving the existing Trap / I32Exit / WasmCoreDump downcast patterns. - wasmtime / wasi-common / wiggle: 41 -> 43 - rust-toolchain: 1.90.0 -> 1.91.0 (wasmtime 43 MSRV) - Wrap pdk and import host functions with .to_wasmtime_result() - ResourceLimiter and catch_out_of_fuel now produce wasmtime::Error - Drop deprecated Config::async_support(false) (no-op in v42+) Release notes: - v42: https://github.com/bytecodealliance/wasmtime/releases/tag/v42.0.0 - v43: https://github.com/bytecodealliance/wasmtime/releases/tag/v43.0.0
Member
|
Thank you! I will get this reviewed this week |
This was referenced May 7, 2026
lacion
added a commit
to pixhaus-app/pixhaus
that referenced
this pull request
May 8, 2026
…114) Tauri 2.11.0 had an origin-confusion issue (medium) where remote pages could invoke local-only IPC commands. The 2.11.1 release patches the origin check in the IPC entry point. Caret range in app/Cargo.toml already permits 2.11.1, so this is a lockfile-only update; tauri-build, tauri-codegen, tauri-macros, tauri-runtime, tauri-runtime-wry, and tauri-utils ride along with their matching companion bumps. Closes Dependabot alert #5 (GHSA-7gmj-67g7-phm9). The remaining 12 open alerts on wasmtime are blocked upstream on extism/extism#901 (extism 1.21.0 pins wasmtime ^41 and the 2026-04 advisory cluster only has fixes in 42.0.2 / 43.0.2). Tracked separately - cargo's resolver rejects a [patch.crates-io] override across major versions, so we cannot resolve them without forking extism. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
v43.0.1 patches the 2026-04-09 security advisory cluster which
includes 41.0.4 in the affected range. Two of these are critical sandbox
escapes:
The 41.x line has no patch release for these advisories; the patched lines are
24 (LTS), 36 (LTS), 42 (42.0.2), and 43 (43.0.1).
Why v43 instead of v42 or v44
wasmtime::Errorintoanyhow::Errorand usingdowncast(upstream#12689) — the runtime relies on this for the
Trap,I32Exit,and
WasmCoreDumpdowncasts inplugin.rs.Breaking change handled
v42 stopped re-exporting
anyhow::Errorand introducedwasmtime::Error/wasmtime::Result. The runtime still exposesanyhow::Erroras the publicSDK error type; conversion happens at the wasmtime boundary via
ToWasmtimeResultand theFrom<wasmtime::Error> for anyhow::Errorimpl.Changes
wasmtime/wasi-common/wiggle: 41 → 43rust-toolchain.toml: 1.90.0 → 1.91.0.to_wasmtime_result()so theclosures match the new
Linker::func_newsignature.ResourceLimiterimpl andcatch_out_of_fuel!macro producewasmtime::Error.Config::async_support(false)(a no-op since v42).Verification
cargo build --release -p libextism✓cargo build --release --benches -p extism✓cargo fmt --check✓cargo clippy --all --release --all-features --no-deps -- -D "clippy::all"✓cargo test --release/--all-features/--no-default-features— 43/44 pass.tests::runtime::test_disable_cacheis a pre-existing timing-based flake(passes in isolation, fails under parallel test load); confirmed to also fail
on
mainbefore this change.Release notes: v42, v43
Fixes #898