Summary
wasmtime 42.0.2 is currently a transitive dependency (via wasmtime-wasi → wiggle → rivet-core's wasm feature gate). The 2026-04-30 advisory RUSTSEC-2026-0114 flags a medium-severity (5.9) panic when allocating a table exceeding the host address space.
The advisory was suppressed in 0.8.0 CI via --ignore because rivet doesn't allocate large wasmtime tables in practice. This issue tracks the proper upgrade.
Fix
Upgrade wasmtime to one of the fixed ranges:
>=36.0.8, <37.0.0
>=43.0.2, <44.0.0
>=44.0.1
Most natural: bump to >=43.0.2. May involve API changes — wasmtime 43 dropped some wasmtime-wasi interfaces vs 42; verify the wiggle path still works.
Acceptance
wasmtime and wasmtime-wasi and wiggle all on the fixed range
cargo audit clean (drop the --ignore RUSTSEC-2026-0114 line in .github/workflows/ci.yml)
Trigger
Surfaced during 0.8.0 release CI (PR #256). Filed as a follow-up to keep the release moving while properly tracking the upgrade.
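An added example, not part of the original issue or rivet's own code: a check for the acceptance list that reads Cargo.lock text and reports every resolved copy of wasmtime, wasmtime-wasi and wiggle that falls outside the fixed ranges given under Fix. The lockfile excerpt is constructed, and the function names are this example's own.

```python
import re

# Fixed ranges from this issue: (inclusive lower bound, exclusive upper bound or None).
PATCHED = [((36, 0, 8), (37, 0, 0)), ((43, 0, 2), (44, 0, 0)), ((44, 0, 1), None)]
# Crates the acceptance list requires on a fixed range.
CRATES = ("wasmtime", "wasmtime-wasi", "wiggle")
# A Cargo.lock [[package]] entry starts with adjacent name and version lines.
PKG_RE = re.compile(r'^name = "([^"]+)"\nversion = "([^"]+)"', re.M)

# Constructed lockfile excerpt: two resolved copies of wasmtime, one still on 42.0.2.
SAMPLE_LOCK = '''\
[[package]]
name = "wasmtime"
version = "42.0.2"

[[package]]
name = "wasmtime"
version = "43.0.2"

[[package]]
name = "wasmtime-wasi"
version = "43.0.2"

[[package]]
name = "wiggle"
version = "43.0.2"
'''

def is_patched(version):
    """True if version is a release inside one of the fixed ranges."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\+[0-9A-Za-z.-]+)?", version)
    if m is None:
        return False  # pre-release or unparseable: fail closed
    v = tuple(int(part) for part in m.groups())
    return any(lo <= v and (hi is None or v < hi) for lo, hi in PATCHED)

def audit_lockfile(lock_text):
    """Map "crate version" to a patched flag for every resolved copy of CRATES."""
    return {f"{name} {ver}": is_patched(ver)
            for name, ver in PKG_RE.findall(lock_text) if name in CRATES}

def unpatched(lock_text):
    """Sorted list of tracked crate versions outside the fixed ranges."""
    return sorted(k for k, ok in audit_lockfile(lock_text).items() if not ok)

if __name__ == "__main__":
    bad = unpatched(SAMPLE_LOCK)
    print("unpatched:", bad)
    raise SystemExit(1 if bad else 0)
```

Checking every resolved copy matters because Cargo can keep two versions of the same crate in one lockfile, so a bump of the direct requirement does not by itself prove the old version is gone.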