Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update to Wasmtime 21.0.2 #3685

Merged
merged 1 commit into from
Oct 21, 2024
Merged

Update to Wasmtime 21.0.2 #3685

merged 1 commit into from
Oct 21, 2024

Conversation

bjorn3
Copy link
Contributor

@bjorn3 bjorn3 commented Oct 20, 2024

This fixes a race condition which causes occasional crashes and may enable a sandbox escape:

GHSA-7qmx-3fpx-r45m

@bjorn3 bjorn3 mentioned this pull request Oct 20, 2024
Merged
@imsnif imsnif self-assigned this Oct 20, 2024
@imsnif
Copy link
Member

imsnif commented Oct 21, 2024

Hey @bjorn3 - thanks for putting this together and following the issue. Maybe I'm missing something, but why are we only updating Cargo.lock and not also Cargo.toml?

@bjorn3
Copy link
Contributor Author

bjorn3 commented Oct 21, 2024

No reason really. I can change Cargo.toml too if you want.

@imsnif
Copy link
Member

imsnif commented Oct 21, 2024

No reason really. I can change Cargo.toml too if you want.

Let's do that. I think it'll be easier to follow the versions (at least for me).

@bjorn3
Update to Wasmtime 21.0.2
3c235b8 
This fixes a race condition which causes occasional crashes and may
enable a sandbox escape:

<GHSA-7qmx-3fpx-r45m>
@bjorn3
Copy link
Contributor Author

bjorn3 commented Oct 21, 2024

Done

@imsnif
Copy link
Member

imsnif commented Oct 21, 2024

Perfect, thanks!

@imsnif imsnif merged commit 1cbdada into zellij-org:main Oct 21, 2024
6 checks passed
@bjorn3 bjorn3 deleted the update_wasmtime branch October 21, 2024 14:08
fitzgen
fitzgen reviewed Oct 21, 2024
View reviewed changes
zellij-server/Cargo.toml
wasmtime = { version = "21.0.1", features = ["winch"] } # Keep in sync with the other wasmtime dep
wasmtime = { version = "21.0.2", features = ["winch"] } # Keep in sync with the other wasmtime dep
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI: you can use workspace dependencies to write down the version and enabled features just one time and then reference that from multiple crates in the workspace.

For example:

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All wasmtime references are in this file. Also wasmtime and wasmtime-wasi need to be kept in sync, which workspace dependencies wouldn't help with. There are only three places in this file which need a version to be kept in sync anyway, so workspace dependencies would only complicate things IMHO. If you have a lot of uses that need fo be kept in sync, like is the case for the Wasmtime repo, then workspace dependencies do indeed make sense.

Tomcat-42 pushed a commit to Tomcat-42/zellij that referenced this pull request Nov 9, 2024
@bjorn3 @Tomcat-42
chore(deps): update to Wasmtime 21.0.2 (zellij-org#3685)
ca8ef27 
This fixes a race condition which causes occasional crashes and may
enable a sandbox escape:

<GHSA-7qmx-3fpx-r45m>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fitzgen fitzgen fitzgen left review comments

Assignees

@imsnif imsnif

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bjorn3 @imsnif @fitzgen