Wasmtime GitHub notifications bot (Feb 24 2026 at 16:34): Wasmtime GitHub notifications bot (Feb 24 2026 at 16:34):alexcrichton opened PR #12651 from alexcrichton:back42 to bytecodealliance:ci/release-42.0.0:
This commit contains merged backports for two security advisories in Wasmtime:
- GHSA-852m-cvvp-9p4w
- GHSA-243v-98vx-264h
This introduces new knobs to Wasmtime to limit the scope of resources that WASI implementations will allocate on behalf of guests. Unlike backports to 41.0.x-and-prior these knobs all have default values which are considered reasonable for hosts if they don't further tune them. The following CLI knobs have been added:
-Smax-resources- limits the total component-model resources a guest can allocate in a table-Shostcall-fuel- a broad limit which enforces that at most this amount of data will be copied from the guest to the host in any one API call (e.g.stringvalues can't be too big,list<string>can't be quadratic, etc). This fuel is reset on each host function call.-Smax-random-size- the maximal size of the return value of theget-random-bytesandget-insecure-random-bytesWASI functions.-Smax-http-fields-size- a limit on the size ofwasi:httpfieldsvalues to avoid infinitely buffering data within the host.The
httpcrate has additionally been updated to avoid a panic when adding too many headers to afieldsobject.<!--
Please make sure you include the following information:
If this work has been discussed elsewhere, please include a link to that
conversation. If it was discussed in an issue, just mention "issue #...".Explain why this change is needed. If the details are in an issue already,
this can be brief.Our development process is documented in the Wasmtime book:
https://docs.wasmtime.dev/contributing-development-process.htmlPlease ensure all communication follows the code of conduct:
https://github.com/bytecodealliance/wasmtime/blob/main/CODE_OF_CONDUCT.md
-->
Wasmtime GitHub notifications bot (Feb 24 2026 at 16:34):alexcrichton requested wasmtime-wasi-reviewers for a review on PR #12651.
Wasmtime GitHub notifications bot (Feb 24 2026 at 16:34):alexcrichton requested pchickey for a review on PR #12651.
Wasmtime GitHub notifications bot (Feb 24 2026 at 16:34):alexcrichton requested wasmtime-core-reviewers for a review on PR #12651.
Wasmtime GitHub notifications bot (Feb 24 2026 at 16:34):alexcrichton requested wasmtime-default-reviewers for a review on PR #12651.
Wasmtime GitHub notifications bot (Feb 24 2026 at 16:40):dicej submitted PR review.
Wasmtime GitHub notifications bot (Feb 24 2026 at 16:44):alexcrichton updated PR #12651.
Wasmtime GitHub notifications bot (Feb 24 2026 at 16:47):alexcrichton edited PR #12651.
Wasmtime GitHub notifications bot (Feb 24 2026 at 16:47):alexcrichton closed without merge PR #12651.
Wasmtime GitHub notifications bot (Feb 24 2026 at 16:47):alexcrichton reopened PR #12651 from alexcrichton:back42 to bytecodealliance:release-42.0.0.
Wasmtime GitHub notifications bot (Feb 24 2026 at 17:06):alexcrichton updated PR #12651.
Wasmtime GitHub notifications bot (Feb 24 2026 at 17:51):alexcrichton merged PR #12651.
Last updated: Mar 23 2026 at 16:19 UTC