fix(deps): upgrade wasmtime 42 → 43 (RUSTSEC-2026-0114)

[avrabe]

Summary

Performs the proper upgrade tracked in #259 — bumps wasmtime and wasmtime-wasi from 42 to 43, dropping the --ignore RUSTSEC-2026-0114 line that was added to keep the v0.8.0 release moving.

wasmtime 42.0.2 had a medium-severity (5.9) panic on oversized table allocation (RUSTSEC-2026-0114, 2026-04-30). The advisory was suppressed in 0.8.0 CI via --ignore because rivet's wasm path doesn't allocate large tables in practice; this PR moves to a fixed range (>=43.0.2, <44.0.0).

Acceptance — #259

• wasmtime and wasmtime-wasi and wiggle all on the fixed range. Cargo.toml workspace-deps bumped to "43". After cargo update -p wasmtime -p wasmtime-wasi, the lockfile shows wasmtime 43.0.2, wasmtime-wasi 43.0.2, wiggle 43.0.2 (transitive). Range >=43.0.2, <44.0.0 is one of the three fixed ranges listed in the advisory.
• cargo audit clean (drop the --ignore RUSTSEC-2026-0114 line in .github/workflows/ci.yml). Line dropped; the surrounding comment block (which was specifically about the 42.x → 43 follow-up) refreshed to a generic note. Other --ignore lines for RUSTSEC-2026-0085/86/87/88/89/91/92/93/94/95/96/103/104 left in place — those are out of scope for this issue and should be revisited separately if they are now moot under wasmtime 43.
• All wasm-feature-gated tests still pass. cargo test -p rivet-core --features wasm finishes with test result: ok. 83 passed; 0 failed (plus 0 doc-tests). No source changes were needed in rivet-core/src/wasm_runtime.rs — the WasiView / WasiCtxView / WasiCtxBuilder / p2::add_to_linker_sync / component::ResourceTable / ResourceLimiter surface used by the runtime is API-compatible between 42.x and 43.x.

Out of scope

• The umbrella --ignore RUSTSEC-2026-0085…0104 block in CI is left untouched. The original comment said "wasmtime 42.x advisories ignored", which suggests those IDs may also be moot under wasmtime 43, but that's a follow-up audit/cleanup — not required by deps: upgrade wasmtime from 42.x to >=43.0.2 (RUSTSEC-2026-0114) #259's acceptance.
• wasmtime-wasi 44.0.1 is also a fixed range; this PR stays on 43 as the most natural minor bump and matches the issue's "Most natural: bump to >=43.0.2" recommendation.

Test plan

• cargo build -p rivet-core --features wasm — clean, finished in 2m 08s on a fresh target.
• cargo test -p rivet-core --features wasm — test result: ok. 83 passed; 0 failed; 0 ignored.
• CI audit job runs without --ignore RUSTSEC-2026-0114 and stays green (verified post-merge).
• CI full test matrix on the bumped lockfile (verified by GHA on this PR).

Closes #259

🤖 Generated with Claude Code — issue-triage agent run 2026-05-02.

---

Generated by Claude Code

[github-actions]

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark 'Rivet Criterion Benchmarks'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.20.

Benchmark suite	Current: c4163bc	Previous: 9b45c86	Ratio
link_graph_build/10000	36478476 ns/iter (± 3381447)	29210248 ns/iter (± 1823498)	1.25
validate/10000	20928694 ns/iter (± 2216184)	16881866 ns/iter (± 1264960)	1.24

This comment was automatically generated by workflow using github-action-benchmark.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!