Commit 55339e1
fix(deps): bump wasmtime 43 -> 44.0.3 for RUSTSEC-2026-0182 (#542)

The Security Audit gate went red repo-wide (main + every open PR): a new
advisory, RUSTSEC-2026-0182, flags a WASIp1 `fd_renumber` resource leak in
`wasmtime-wasi`, fixed in 44.0.3 / 45.0.2. rivet's only wasmtime consumer is
rivet-core/src/wasm_runtime.rs (the compose-witness component runner), so the
exposure is a trusted first-party component, but the clean fix is the bump.

44.0.3 is the smallest fixed range (one major bump). rivet-core compiles
unchanged against the new API; `cargo audit` is clean afterward (no
vulnerabilities; only the pre-existing allowed `instant` unmaintained warning
via notify remains). Cranelift moves 0.130 -> 0.131 transitively.

Confirmed with `cargo build -p rivet-core`, `cargo test -p rivet-core` green,
and `cargo audit` reporting 0 vulnerabilities.

Trace: skip
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

1 parent 8dae100 commit 55339e1
2 files changed
Lines changed: 105 additions & 145 deletions