fix(deps): bump wasmtime 43 → 44.0.3 for RUSTSEC-2026-0182 (unblocks all PRs) #542
Merged
Conversation
The Security Audit gate went red repo-wide (main + every open PR): a new advisory, RUSTSEC-2026-0182, flags a WASIp1 `fd_renumber` resource leak in `wasmtime-wasi`, fixed in 44.0.3 / 45.0.2. rivet's only wasmtime consumer is rivet-core/src/wasm_runtime.rs (the compose-witness component runner), so the exposure is a trusted first-party component, but the clean fix is the bump. 44.0.3 is the smallest fixed range (one major bump). rivet-core compiles unchanged against the new API; `cargo audit` is clean afterward (no vulnerabilities; only the pre-existing allowed `instant` unmaintained warning via notify remains). Cranelift moves 0.130 -> 0.131 transitively. Confirmed with `cargo build -p rivet-core`, `cargo test -p rivet-core` green, and `cargo audit` reporting 0 vulnerabilities. Trace: skip Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
avrabe
added a commit
that referenced
this pull request
Jun 19, 2026
First release since v0.16.1, cut to ship the RUSTSEC-2026-0182 wasmtime fix and the feature batch to downstream consumers (gale waits on a release, not main): Security: wasmtime 43 -> 44.0.3 (#542). Added: `rivet check docs` oracle (#541), minimal --no-default-features build (REQ-202/#456), `init --vendor-schemas` (REQ-220/#431), runner-liveness alert (#509). Fixed: next-id git-history awareness (REQ-218/#479), JSON error envelope on parse failure (REQ-219/#500), variant binding-file loader (#539), `accepted` status enum (#525). Confirmed: `cargo build` green, lock synced to 0.17.0, `rivet validate` PASS, `rivet docs check` PASS (0 violations). Trace: skip Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Why
The Security Audit (RustSec) gate is red repo-wide — `main` and every open PR (#535, #539, #541, …). It's not any one PR's fault: a newly-published advisory RUSTSEC-2026-0182 flags a WASIp1 `fd_renumber` resource leak in `wasmtime-wasi`, and we pin `wasmtime`/`wasmtime-wasi` at 43. This is what's blocking #541 (which gale is waiting on) from going green.
Fix
Bump to 44.0.3 — the smallest fixed range (44.0.3 / 45.0.2 are the fixes). rivet's only wasmtime consumer is `rivet-core/src/wasm_runtime.rs` (the compose-witness component runner), and it compiles unchanged against the new API. Cranelift moves 0.130 → 0.131 transitively.
Verification
`cargo build -p rivet-core` clean (no API breakage). `cargo test -p rivet-core` green. `cargo audit` → 0 vulnerabilities (only the pre-existing allowed `instant` unmaintained warning via `notify` remains). Once this lands, the other open PRs' Security Audit goes green on rebase.
Trace: skip (dependency/security bump, no `src/` change). 🤖 Generated with Claude Code
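As an added illustration (not rivet's code and not cargo-audit itself): a minimal lockfile gate that flags any crate still resolved to a version outside an advisory's patched ranges, showing why the 43 → 44.0.3 bump turns the check green. The patched ranges are an assumption derived from the "fixed in 44.0.3 / 45.0.2" statement above, and the Cargo.lock fragments are constructed.

```python
"""Lockfile gate check against a RustSec-style advisory (added example)."""
import operator
import re

# Assumed patched ranges, built from the fixed versions named in the PR.
# Anything outside every patched range is treated as affected.
ADVISORIES = {
    "RUSTSEC-2026-0182": {
        "package": "wasmtime-wasi",
        "patched": [">=44.0.3, <45.0.0", ">=45.0.2"],
    },
}

_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "=": operator.eq}


def parse_version(v: str) -> tuple[int, ...]:
    # Drop pre-release/build suffixes; Cargo.lock release versions are x.y.z.
    return tuple(int(x) for x in re.split(r"[-+]", v, 1)[0].split("."))


def in_range(version: str, spec: str) -> bool:
    # spec is a comma-separated conjunction such as ">=44.0.3, <45.0.0".
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|>|<|=)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported requirement: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def is_patched(version: str, patched: list[str]) -> bool:
    return any(in_range(version, spec) for spec in patched)


def parse_lock(lock_text: str) -> list[tuple[str, str]]:
    # Cargo.lock is plain TOML: each [[package]] block has name/version lines.
    pkgs = []
    for block in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        ver = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and ver:
            pkgs.append((name.group(1), ver.group(1)))
    return pkgs


def audit_lockfile(lock_text: str, advisories=ADVISORIES) -> list[tuple[str, str, str]]:
    """Return (advisory id, crate, version) for every locked crate still affected."""
    return [(aid, name, ver) for name, ver in parse_lock(lock_text)
            for aid, adv in advisories.items()
            if name == adv["package"] and not is_patched(ver, adv["patched"])]


# Constructed lockfile fragments: before and after the bump in this PR.
LOCK_BEFORE = '[[package]]\nname = "wasmtime"\nversion = "43.0.0"\n\n' \
              '[[package]]\nname = "wasmtime-wasi"\nversion = "43.0.0"\n'
LOCK_AFTER = LOCK_BEFORE.replace("43.0.0", "44.0.3")
```

Running `audit_lockfile(LOCK_BEFORE)` reports one hit for RUSTSEC-2026-0182 on wasmtime-wasi 43.0.0, while `LOCK_AFTER` returns an empty list; 45.0.0 would still be flagged because only 45.0.2 and later of that series are patched.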