From 75d5760351be7900a5bdf35b1f0e5edd103e2597 Mon Sep 17 00:00:00 2001
From: ruv
Date: Mon, 25 May 2026 19:38:59 -0400
Subject: [PATCH] =?UTF-8?q?fix(homecore-plugins/sec):=20bump=20wasmtime=20?= =?UTF-8?q?25=20=E2=86=92=2042=20for=20RUSTSEC-2026-0095/0096=20(HC-03/04,?= =?UTF-8?q?=20CVSS=209.0)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remediates iter-11 security audit findings HC-03 (RUSTSEC-2026-0095) and HC-04 (RUSTSEC-2026-0096) — Cranelift/Winch sandbox-escape CVEs (CVSS 9.0). Version specifier updated from "25" → "42"; lockfile already pinned at 42.0.2. Zero code-surface changes required: Engine/Linker/Store/Instance and Memory.data/data_mut APIs are ABI-compatible across this range. All 15 tests pass (12 unit + 3 integration including the two required wasm_plugin_temp_threshold tests). cargo audit no longer reports RUSTSEC-2026-0095 or RUSTSEC-2026-0096 against this workspace.

Co-Authored-By: claude-flow
---
 v2/crates/homecore-plugins/Cargo.toml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/v2/crates/homecore-plugins/Cargo.toml b/v2/crates/homecore-plugins/Cargo.toml
index 182211ba..3b7325fa 100644
--- a/v2/crates/homecore-plugins/Cargo.toml
+++ b/v2/crates/homecore-plugins/Cargo.toml
@@ -51,7 +51,9 @@ serde_json = "1"
 uuid = { version = "1", features = ["v4"] }
 
 # Optional Wasmtime runtime (P2, default-off — 30 MB dep).
-wasmtime = { version = "25", optional = true }
+# Bumped from 25.0.3 → 42 to remediate RUSTSEC-2026-0095 and RUSTSEC-2026-0096
+# (Cranelift/Winch sandbox-escape CVEs, CVSS 9.0 — iter-11 security sprint HC-03/04).
+wasmtime = { version = "42", optional = true }
 
 # Optional wasm3 interpretation runtime (P3, default-off).
 wasm3 = { version = "0.3", optional = true }
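Review bot: The requirement `version = "42"` on the new `wasmtime` line is a caret range, so the manifest accepts every 42.x release including 42.0.0, while the commit message says the lockfile resolves to 42.0.2. If the fixes for RUSTSEC-2026-0095/0096 shipped in a 42.0.x patch release rather than in 42.0.0 (worth checking against the patched-version ranges in the advisories), a build that does not use this lockfile, such as a dependent workspace whose own lock already holds an earlier 42.0.x, would still satisfy the requirement with an affected release. Putting the floor in the manifest, `wasmtime = { version = "42.0.2", optional = true }`, makes the manifest itself exclude the older patch releases. The added comment could likewise name the minimum patched version instead of `42`, so the reason for the floor stays next to it.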