Summary
The Rust SDK currently carries temporary cargo-deny advisory ignores for Wasmtime advisories that are upstream-blocked by extism = 1.21.0 requiring wasmtime = ^41.
The SDK executes vendor-provided 1Password wasm/core.wasm only, not arbitrary user-supplied WASM, so the trust boundary is materially narrower than a general plugin host. Still, several advisories include critical sandbox-escape issues and should be removed as soon as upstream support is available.
Upstream blocker
extism/extism#898: Upgrade to wasmtime 42+extism/extism#901: Upgrade wasmtime to v43- Current latest release:
extism v1.21.0, which still depends on Wasmtime 41
- Cargo cannot update
wasmtime to 42/43 directly because extism v1.21.0 requires wasmtime = ^41
Temporary ignores
deny.toml ignores these advisories with unused-ignored-advisory = "deny" so stale exceptions fail CI:
RUSTSEC-2026-0085RUSTSEC-2026-0086RUSTSEC-2026-0087RUSTSEC-2026-0088RUSTSEC-2026-0089RUSTSEC-2026-0091RUSTSEC-2026-0092RUSTSEC-2026-0093RUSTSEC-2026-0094RUSTSEC-2026-0095RUSTSEC-2026-0096RUSTSEC-2026-0114
Acceptance criteria
- Extism releases a version containing the Wasmtime 43 upgrade or another patched Wasmtime line.
- Update the SDK dependency/lockfile to the fixed Extism version.
- Remove the temporary advisory ignores from
deny.toml.
cargo deny check passes without Wasmtime advisory ignores.cargo fmt --check, cargo clippy --all-features -- -D warnings, and cargo test pass.
Related tracking
Summary
The Rust SDK currently carries temporary
cargo-denyadvisory ignores for Wasmtime advisories that are upstream-blocked byextism = 1.21.0requiringwasmtime = ^41.The SDK executes vendor-provided 1Password
wasm/core.wasmonly, not arbitrary user-supplied WASM, so the trust boundary is materially narrower than a general plugin host. Still, several advisories include critical sandbox-escape issues and should be removed as soon as upstream support is available.Upstream blocker
extism/extism#898: Upgrade to wasmtime 42+extism/extism#901: Upgrade wasmtime to v43extism v1.21.0, which still depends on Wasmtime 41wasmtimeto 42/43 directly becauseextism v1.21.0requireswasmtime = ^41Temporary ignores
deny.tomlignores these advisories withunused-ignored-advisory = "deny"so stale exceptions fail CI:RUSTSEC-2026-0085RUSTSEC-2026-0086RUSTSEC-2026-0087RUSTSEC-2026-0088RUSTSEC-2026-0089RUSTSEC-2026-0091RUSTSEC-2026-0092RUSTSEC-2026-0093RUSTSEC-2026-0094RUSTSEC-2026-0095RUSTSEC-2026-0096RUSTSEC-2026-0114Acceptance criteria
deny.toml.cargo deny checkpasses without Wasmtime advisory ignores.cargo fmt --check,cargo clippy --all-features -- -D warnings, andcargo testpass.Related tracking