
build(deps): bump wasmtime 44.0.3 → 45.0.3 for RUSTSEC-2026-0188 (#632) #633

Merged: avrabe merged 1 commit into main from fix/rustsec-2026-0188-wasmtime on Jun 30, 2026

@avrabe avrabe commented Jun 30, 2026


What

Bumps wasmtime/wasmtime-wasi 44.0.3 → 45.0.3 to resolve RUSTSEC-2026-0188 (WASI hard-link/rename FilePerms bypass on the destination path), currently failing the Security Audit (RustSec) gate on main and every PR. Closes #632.

Why now

The advisory affects our pinned 44.0.3 and would ship in the next release. rivet's only wasmtime user is rivet-core/src/wasm_runtime.rs (compose-witness runner, wasm feature) — the witness/MC-DC surface that matters to the ASIL-D downstream (gale).

Validation

🤖 Generated with Claude Code

@github-actions github-actions Bot left a comment


⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark 'Rivet Criterion Benchmarks'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.20.

| Benchmark suite | Current: 171743e | Previous: 69960d8 | Ratio |
|---|---|---|---|
| store_insert/10000 | 16109658 ns/iter (± 913795) | 12609597 ns/iter (± 589531) | 1.28 |

This comment was automatically generated by workflow using github-action-benchmark.

RUSTSEC-2026-0188: WASI hard links and renames bypass wasmtime-wasi's
FilePerms on the destination path. Our pinned 44.0.3 is affected; the fix
landed in 45.0.3 / 46.0.1. Pin to >=45.0.3 (stay <46 to minimize churn).

The 44->45 bump is source-compatible — `rivet-core --features wasm` (the only
wasmtime user, src/wasm_runtime.rs) compiles unchanged and all 13
wasm_runtime tests pass. `cargo audit` no longer reports RUSTSEC-2026-0188.

Same maintenance class as #542 (43->44 for RUSTSEC-2026-0182, carried by 45.x).

Refs: REQ-086
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
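
The pin stated in the commit message above (>=45.0.3, <46) can be enforced as a lockfile check that runs alongside `cargo audit`. This is an added example, not code from the PR or the rivet repository; the function names and the sample lockfile are constructed, and it checks the pin itself (so 46.x is flagged too), only for the `wasmtime` and `wasmtime-wasi` packages named in the PR.

```rust
// Added example, not code from the rivet repository. Flags wasmtime /
// wasmtime-wasi entries in a Cargo.lock that fall outside the pin stated in
// the commit message (>=45.0.3, <46). SAMPLE_LOCK is constructed data.

const SAMPLE_LOCK: &str = r#"
[[package]]
name = "wasmtime"
version = "45.0.3"

[[package]]
name = "wasmtime-wasi"
version = "44.0.3"
"#;

/// Extract the quoted value of `key = "value"` from one lockfile line.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Parse a strict MAJOR.MINOR.PATCH; pre-releases and anything else yield None.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut p = v.split('.').map(|s| s.parse::<u64>().ok());
    let ver = (p.next()??, p.next()??, p.next()??);
    if p.next().is_some() { None } else { Some(ver) }
}

/// Return (name, version) for each checked package outside >=45.0.3, <46.
/// Versions that do not parse are reported too, so the check fails closed.
fn offending_packages(lock: &str) -> Vec<(String, String)> {
    let (mut bad, mut name) = (Vec::new(), "");
    for line in lock.lines().map(str::trim) {
        if let Some(n) = field(line, "name") {
            name = n;
        } else if let Some(v) = field(line, "version") {
            let ok = matches!(parse_version(v), Some(t) if t >= (45, 0, 3) && t < (46, 0, 0));
            if (name == "wasmtime" || name == "wasmtime-wasi") && !ok {
                bad.push((name.to_string(), v.to_string()));
            }
        }
    }
    bad
}

fn main() {
    for (name, version) in offending_packages(SAMPLE_LOCK) {
        println!("{} {} is outside >=45.0.3, <46", name, version);
    }
}
```
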
@avrabe avrabe force-pushed the fix/rustsec-2026-0188-wasmtime branch from 7157a5c to 171743e June 30, 2026 20:00
@avrabe avrabe merged commit 6945cf5 into main Jun 30, 2026
22 checks passed
@avrabe avrabe deleted the fix/rustsec-2026-0188-wasmtime branch June 30, 2026 20:03

codecov Bot commented Jun 30, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


Development

Successfully merging this pull request may close these issues.

RUSTSEC-2026-0188: wasmtime-wasi 44.0.3 FilePerms bypass on hard-link/rename (Security Audit red)
