fix(deps): upgrade wasmtime to 42.0.2 to resolve security advisories #282
streamer45 merged 1 commit into main
Upgrade wasmtime and wasmtime-wasi from 41.0.1 to 42.0.2 to fix 7 security vulnerabilities flagged by cargo-deny:

- RUSTSEC-2026-0089: sandbox escape via Cranelift aarch64
- RUSTSEC-2026-0091: OOB write in component model string transcoding
- RUSTSEC-2026-0092: panic on misaligned UTF-16 strings
- RUSTSEC-2026-0093: heap OOB read in UTF-16 to latin1+utf16 transcoding
- RUSTSEC-2026-0094: improperly masked table.grow return value (Winch)
- RUSTSEC-2026-0095: sandbox-escaping memory access (Winch)
- RUSTSEC-2026-0096: miscompiled guest heap access on aarch64

Also removes the deprecated Config::async_support() call which no longer has any effect in wasmtime 42.

Signed-off-by: StreamKit Devin <devin@streamkit.dev>
Co-Authored-By: Claudio Costa <cstcld91@gmail.com>
|
| let mut engine_config = Config::new(); | ||
| engine_config.wasm_component_model(true); | ||
| engine_config.async_support(true); | ||
| engine_config.wasm_simd(config.enable_simd); | ||
| engine_config.wasm_threads(config.enable_threads); |
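Review bot: once `engine_config.async_support(true)` is gone from this block, between `wasm_component_model(true)` and `wasm_simd(config.enable_simd)`, nothing in the engine setup records that the async APIs now depend only on the `async` Cargo feature. Suggest a short comment above `Config::new()` stating that, plus an automated test that instantiates a plugin through `instantiate_async`, so that the manual plugin check in the review checklist is not the only coverage for this removal.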
🚩 Removal of async_support(true) — relies on wasmtime 42 feature-flag behavior
The removal of engine_config.async_support(true) at crates/plugin-wasm/src/lib.rs:76 (old line) is the only behavioral change in this PR. The code still heavily uses async APIs: add_to_linker_async at line 83, instantiate_async at line 137, and many async call_* methods in crates/plugin-wasm/src/wrapper.rs:102,151,200,258,313. In older wasmtime versions, calling _async methods without Config::async_support(true) would cause a runtime panic (not a compile error). The async Cargo feature is still specified in Cargo.toml:18, and wasmtime-internal-fiber (the async stack-switching infrastructure) is present in Cargo.lock, suggesting async support is compiled in. The most likely explanation is that wasmtime 42 moved async_support control entirely to the Cargo feature flag, making the Config method either removed or redundant. However, since the wasmtime 42 source isn't locally available, this should be verified — ideally by running the WASM plugin tests or checking wasmtime 42 release notes to confirm the async feature auto-enables async support.
The removal is safe — wasmtime 42 emits a deprecation warning (use of deprecated method 'wasmtime::Config::async_support': no longer has any effect) when this method is called, confirming async support is now unconditionally available when the async Cargo feature is enabled (which it is in our Cargo.toml). Keeping the call would produce a CI warning on every build.
Summary

Upgrades `wasmtime` and `wasmtime-wasi` from 41.0.1 to 42.0.2 to fix 7 security vulnerabilities flagged by `cargo deny check advisories`, which started failing the CI lint step today:

`table.grow` return value (Winch)

Also removes the deprecated `Config::async_support()` call which no longer has any effect in wasmtime 42 (async is now always available).

Changes:

- `crates/plugin-wasm/Cargo.toml`: bump wasmtime deps from 41.0.1 → 42.0.2
- `crates/plugin-wasm/src/lib.rs`: remove deprecated `async_support(true)` call
- `Cargo.lock`: updated lockfile

Review & Testing Checklist for Human

- `.wasm` plugin and confirm it processes data as expected (the `async_support` removal is the only code change; wasmtime 42 enables async by default)
- `just lint-skit` passes (specifically `cargo deny check advisories`)

Notes

- `cargo check` confirms full API compatibility — no other code changes were needed beyond removing the deprecated call.
- `lint-plugins` recipe has a pre-existing failure on this dev machine (missing `fontconfig` system library) unrelated to this change.

Link to Devin session: https://staging.itsdev.in/sessions/a61e4601412d442d9a9efdfa64e9eb20
Requested by: @streamer45