chore(deps): bump the wasmtime-deps group with 2 updates #1078

Closed
dependabot[bot] wants to merge 4 commits into main from
dependabot/cargo/wasmtime-deps-aeb114a927

Conversation


@dependabot dependabot bot commented on behalf of github Mar 2, 2026

Bumps the wasmtime-deps group with 2 updates: wasmtime and wasmtime-wasi.

Updates wasmtime from 36.0.6 to 38.0.4

Release notes

Sourced from wasmtime's releases.

v38.0.4

38.0.4

Released 2025-11-11.

Fixed

v38.0.3

38.0.3

Released 2025-10-24.

Fixed

  • Fix possible host crash with host-to-wasm component intrinsics CVE-2025-62711

v38.0.1

38.0.1

Released 2025-10-20.

Fixed

  • Fixed some automation that went wrong with the 38.0.0 release.

v37.0.3

37.0.3

Released 2025-11-11.

Fixed

v37.0.2

37.0.2

Released 2025-10-07.

Fixed

  • Fix a memory leak in the C API when using anyref or externref. CVE-2025-61670.

v37.0.1

... (truncated)

Changelog

Sourced from wasmtime's changelog.

38.0.4

Released 2025-11-11.

Fixed


38.0.3

Released 2025-10-24.

Fixed

  • Fix possible host crash with host-to-wasm component intrinsics CVE-2025-62711

38.0.2

Released 2025-10-21.

Changed

  • This repository is attempting to start out using GitHub's "Immutable Releases" feature with this release, and this'll be the first release, assuming all goes well, that has this enabled. #11901

Fixed

  • Fix compatibility with the Go runtime on Windows for exceptions. #11892

38.0.1

Released 2025-10-20.

Fixed

  • Fixed some automation that went wrong with the 38.0.0 release.

... (truncated)

Commits

Updates wasmtime-wasi from 36.0.6 to 38.0.4

(Release notes and changelog are identical to the wasmtime entries above; both crates are published from the same bytecodealliance/wasmtime repository.)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the wasmtime-deps group with 2 updates: [wasmtime](https://github.com/bytecodealliance/wasmtime) and [wasmtime-wasi](https://github.com/bytecodealliance/wasmtime).


Updates `wasmtime` from 36.0.6 to 38.0.4
- [Release notes](https://github.com/bytecodealliance/wasmtime/releases)
- [Changelog](https://github.com/bytecodealliance/wasmtime/blob/v38.0.4/RELEASES.md)
- [Commits](bytecodealliance/wasmtime@v36.0.6...v38.0.4)

Updates `wasmtime-wasi` from 36.0.6 to 38.0.4
- [Release notes](https://github.com/bytecodealliance/wasmtime/releases)
- [Changelog](https://github.com/bytecodealliance/wasmtime/blob/v38.0.4/RELEASES.md)
- [Commits](bytecodealliance/wasmtime@v36.0.6...v38.0.4)

---
updated-dependencies:
- dependency-name: wasmtime
  dependency-version: 38.0.4
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: wasmtime-deps
- dependency-name: wasmtime-wasi
  dependency-version: 38.0.4
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: wasmtime-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and rust (Pull requests that update Rust code) labels Mar 2, 2026
Mossaka and others added 2 commits March 25, 2026 23:04

wasmtime 38.0.4 depends on cranelift 0.125.4 which requires rustc 1.88.0.
Also bump wasmtime-wasi-http from 36.0.6 to 38.0.4 to avoid version
conflicts, and update preview1 -> p1 import per wasmtime API changes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Fix uninlined_format_args warnings triggered by the newer clippy in
Rust 1.88.0 across the workspace.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Mossaka commented Mar 25, 2026

Closing this PR because wasmtime 38.0.4 has multiple known security vulnerabilities with no fix available in the 38.x release series:

  • GHSA-vc8c-j3xm-xj73 (moderate): Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64 — fixed in 36.0.5, 40.0.3, 41.0.1 (but NOT in any 37.x-39.x release)
  • GHSA-852m-cvvp-9p4w (moderate): Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion — fixed in 36.0.6, 40.0.4, 42.0.0 (but NOT in any 37.x-39.x release)
  • GHSA-243v-98vx-264h (moderate): Wasmtime can panic when adding excessive fields to a wasi:http/types.fields instance — fixed in 36.0.6, 40.0.4, 42.0.0 (but NOT in any 37.x-39.x release)

The current version (36.0.6) already has all these security fixes. Upgrading to 38.0.4 would regress on security. The dependency-review CI check correctly blocks this.

The next safe upgrade target would be wasmtime 40.0.4+ or 41.0.4+ or 42.0.0+, which include patches for all three advisories. Additionally, wasmtime 38.0.4 requires bumping the Rust toolchain from 1.86.0 to 1.88.0 and includes breaking API changes (wasmtime_wasi::preview1 renamed to wasmtime_wasi::p1).

A future dependabot PR bumping to wasmtime >= 40.0.4 would be the appropriate upgrade path.

@Mossaka Mossaka closed this Mar 25, 2026
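The closing comment above reasons from per-major-series fixed versions: a bump is only safe if the target release carries every fix the current release already has. The block below is an added example, not the project's dependency-review check and not code from this PR; it encodes the three advisory IDs and fixed versions exactly as quoted in the comment, and assumes a patched-range rule (a candidate is patched if it is at or above the listed fix in its own major series, or at or above the newest listed fix; majors with no listed fix between two fixed series are treated as unpatched).

```rust
// Added example (not runwasi's or Dependabot's code): decide whether a
// candidate wasmtime version is covered by every advisory's fixed releases,
// reproducing the reasoning in the closing comment. Advisory IDs and fixed
// versions are those quoted there; the "what counts as patched" rule is an
// assumption of this example, not the advisory database's own semantics.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parse "MAJOR.MINOR.PATCH" (an optional leading 'v' is tolerated);
    /// anything else is rejected rather than guessed at.
    pub fn parse(s: &str) -> Option<Version> {
        let mut it = s.trim().trim_start_matches('v').split('.');
        let major = it.next()?.parse().ok()?;
        let minor = it.next()?.parse().ok()?;
        let patch = it.next()?.parse().ok()?;
        if it.next().is_some() {
            return None;
        }
        Some(Version { major, minor, patch })
    }
}

pub struct Advisory {
    pub id: &'static str,
    /// Releases in which the fix first shipped, one per patched major series.
    pub fixed_in: &'static [&'static str],
}

/// Fixed versions for the three advisories cited in the closing comment.
pub const ADVISORIES: &[Advisory] = &[
    Advisory { id: "GHSA-vc8c-j3xm-xj73", fixed_in: &["36.0.5", "40.0.3", "41.0.1"] },
    Advisory { id: "GHSA-852m-cvvp-9p4w", fixed_in: &["36.0.6", "40.0.4", "42.0.0"] },
    Advisory { id: "GHSA-243v-98vx-264h", fixed_in: &["36.0.6", "40.0.4", "42.0.0"] },
];

/// Assumed patched-range rule: the candidate is patched for an advisory if
/// its own major series has a listed fix and the candidate is at or above
/// it, or if the candidate is at or above the newest listed fix (later
/// majors inherit it). Majors between two listed fixes (37.x-39.x here)
/// are unpatched, which is the situation the comment describes.
pub fn is_patched(candidate: Version, fixed_in: &[&str]) -> bool {
    let mut fixes: Vec<Version> = fixed_in.iter().filter_map(|s| Version::parse(s)).collect();
    fixes.sort();
    let Some(newest) = fixes.last().copied() else { return false };
    if candidate >= newest {
        return true;
    }
    fixes.iter().any(|f| f.major == candidate.major && candidate >= *f)
}

/// IDs of every advisory for which `candidate` is still vulnerable.
/// An unparseable version is treated as vulnerable to everything (fail closed).
pub fn unpatched_advisories(candidate: &str) -> Vec<&'static str> {
    let Some(v) = Version::parse(candidate) else {
        return ADVISORIES.iter().map(|a| a.id).collect();
    };
    ADVISORIES.iter().filter(|a| !is_patched(v, a.fixed_in)).map(|a| a.id).collect()
}

/// Gate a bump the way a dependency-review step would: the target must not
/// reopen any advisory that the current version already has the fix for.
pub fn bump_regresses(current: &str, target: &str) -> bool {
    let still_open_now = unpatched_advisories(current);
    unpatched_advisories(target).iter().any(|id| !still_open_now.contains(id))
}

fn main() {
    for v in ["36.0.6", "38.0.4", "40.0.4", "42.0.0"] {
        println!("{v}: unpatched {:?}", unpatched_advisories(v));
    }
    println!("36.0.6 -> 38.0.4 regresses: {}", bump_regresses("36.0.6", "38.0.4"));
    println!("36.0.6 -> 40.0.4 regresses: {}", bump_regresses("36.0.6", "40.0.4"));
}
```

Under this rule 38.0.4 is reported as unpatched for all three advisories while 36.0.6 and 40.0.4 are clean, so the 36.0.6 to 38.0.4 bump is flagged as a regression and the 36.0.6 to 40.0.4 bump is not. The fail-closed handling of unparseable versions is deliberate: a gate that cannot read the version should block rather than pass.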

dependabot bot commented on behalf of github Mar 25, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot bot deleted the dependabot/cargo/wasmtime-deps-aeb114a927 branch March 25, 2026 23:21

Labels

  • C-common
  • C-containerd-shim-wasm
  • C-wasmtime
  • dependencies (Pull requests that update a dependency file)
  • rust (Pull requests that update Rust code)
  • T-benchmarks
