Conversation

@LesnyRumcajs
Member

@LesnyRumcajs LesnyRumcajs commented Nov 14, 2025

Summary of changes

Changes introduced in this pull request:

  • new FVM versions need to be released, let's ignore for now.

Reference issue to close (if applicable)

Closes #6246

Other information and links

Change checklist

  • I have performed a self-review of my own code,
  • I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
  • I have added tests that prove my fix is effective or that my feature works (if possible),
  • I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Summary by CodeRabbit

  • Chores
    • Updated security advisory configuration to manage dependencies compliance.

@LesnyRumcajs LesnyRumcajs requested a review from a team as a code owner November 14, 2025 13:38
@LesnyRumcajs LesnyRumcajs requested review from hanabi1224 and sudo-shashank and removed request for a team November 14, 2025 13:38
@coderabbitai
Contributor

coderabbitai bot commented Nov 14, 2025

Walkthrough

Added advisory identifier "RUSTSEC-2025-0118" to the deny.toml ignore list to resolve an automated cargo deny check advisories failure.

Changes

Cohort / File(s): Configuration Update (deny.toml)
Summary: Added "RUSTSEC-2025-0118" to the [advisories] ignore list

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

  • hanabi1224
  • sudo-shashank

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title clearly describes the main change: ignoring a specific security advisory (RUSTSEC-2025-0118) for wasmtime in FVM.
  • Linked Issues check: Passed. The PR directly addresses the linked issue #6246 by ignoring the advisory that caused the cargo deny check failure.
  • Out of Scope Changes check: Passed. The change is narrowly scoped to adding one advisory to the ignore list, with no extraneous modifications beyond the stated objective.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8d79819 and 8b66772.

📒 Files selected for processing (1)
  • deny.toml (1 hunks)
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 6074
File: src/rpc/methods/chain.rs:55-56
Timestamp: 2025-09-17T11:32:44.185Z
Learning: In the Forest codebase, hanabi1224 prefers that CodeRabbit should not warn about potential compilation issues (such as Send bounds, async/await compatibility, etc.) since they are already guarded by CI tests. Focus should be on higher-level design and logic issues instead.
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 5886
File: interop-tests/src/tests/go_app/gen.go:58-58
Timestamp: 2025-08-07T13:39:29.732Z
Learning: In the Forest project, auto-generated files (like those generated by rust2go tool) should be skipped during code review as they are not meant to be manually edited.
Learnt from: LesnyRumcajs
Repo: ChainSafe/forest PR: 5907
File: src/rpc/methods/state.rs:523-570
Timestamp: 2025-08-06T15:44:33.467Z
Learning: LesnyRumcajs prefers to rely on BufWriter's Drop implementation for automatic flushing rather than explicit flush() calls in Forest codebase.
📚 Learning: 2025-08-07T13:39:36.962Z
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 5886
File: interop-tests/src/tests/go_app/gen.go:88-90
Timestamp: 2025-08-07T13:39:36.962Z
Learning: Skip reviewing auto-generated files marked with "Generated by rust2go. Please DO NOT edit this C part manually." as these should not be manually edited and any issues should be addressed in the code generation tool or source templates instead.

Applied to files:

  • deny.toml
📚 Learning: 2025-08-07T13:39:15.107Z
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 5886
File: interop-tests/src/tests/go_app/gen.go:29-29
Timestamp: 2025-08-07T13:39:15.107Z
Learning: Auto-generated files like those created by rust2go (indicated by "Generated by rust2go. Please DO NOT edit this C part manually." comment) in the Forest project should be skipped during code review as they are not intended for manual editing.

Applied to files:

  • deny.toml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: tests-release
  • GitHub Check: tests
  • GitHub Check: All lint checks
  • GitHub Check: cargo-publish-dry-run
  • GitHub Check: Build MacOS
  • GitHub Check: Build Ubuntu
  • GitHub Check: Build forest binaries on Linux AMD64
🔇 Additional comments (1)
deny.toml (1)

Line 9: Approve the advisory ignore addition; optionally enhance with tracking reference.

The addition of RUSTSEC-2025-0118 is correct—the advisory addresses an unsound Rust API in wasmtime that could expose shared linear memory as non-shared, allowing unsynchronized host accesses. The comment accurately describes it as wasmtime-related, and the pattern matches line 8.

Since this is a temporary workaround pending FVM releases, consider adding a link to the related tracking issue (e.g., #6246) or a comment indicating when this can be removed (once FVM releases versions with wasmtime 24.0.5, 36.0.3, 37.0.3, 38.0.4 or later). This helps future maintainers remove the advisory once upstream dependencies are updated.


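As an added illustration (not the contents of the PR's own deny.toml), this is what the review's suggestion looks like when applied to a cargo-deny `[advisories]` ignore list: the advisory id, the linked issue and the wasmtime versions that lift the advisory all come from this page, while the placeholder for the earlier entry and the exact comment wording are assumptions.

```toml
# deny.toml (added example; the real file in ChainSafe/forest is not reproduced here)
[advisories]
ignore = [
    # ... earlier entries; the review notes a matching wasmtime-related entry on line 8 ...

    # wasmtime: unsound API that could expose shared linear memory as non-shared,
    # allowing unsynchronized host accesses (advisory text as summarised in the review).
    # Temporary: Forest depends on wasmtime through FVM, so the fix cannot land here
    # until FVM publishes releases built on wasmtime 24.0.5, 36.0.3, 37.0.3, 38.0.4
    # or later. Tracking issue: https://github.com/ChainSafe/forest/issues/6246
    # Remove this entry once the FVM dependency has been bumped past those versions.
    "RUSTSEC-2025-0118",
]
```

With the entry in place, `cargo deny check advisories` (the check that was failing per the linked issue) passes again, and the comment tells the next maintainer exactly which upstream version bump makes the ignore obsolete. Recent cargo-deny releases also accept a table form for ignore entries, `{ id = "RUSTSEC-2025-0118", reason = "..." }`, which records the justification in the configuration itself rather than in a comment; either form carries the same information, but a bare id with no reason and no removal condition is the pattern that tends to outlive the vulnerability it was meant to paper over.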

@LesnyRumcajs LesnyRumcajs added this pull request to the merge queue Nov 14, 2025
Merged via the queue into main with commit e8f322b Nov 14, 2025
41 checks passed
@LesnyRumcajs LesnyRumcajs deleted the ignore-rustsec-2025-0118 branch November 14, 2025 15:17
LesnyRumcajs added a commit that referenced this pull request Nov 15, 2025
@coderabbitai coderabbitai bot mentioned this pull request Nov 15, 2025

Development

Successfully merging this pull request may close these issues.

[automated] cargo deny check advisories failure @ 14/11/25 00:02

3 participants