From 081081e4f183c65564d7516ca5640ea93c61c7b7 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 10 Apr 2026 09:44:35 +0300
Subject: [PATCH] Update Rust crate wasmtime to v36.0.7 [SECURITY] (#53553)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [wasmtime](https://redirect.github.com/bytecodealliance/wasmtime) |
workspace.dependencies | patch | `36.0.6` → `36.0.7` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/15138) for more information.

### GitHub Vulnerability Alerts

####
[CVE-2026-34941](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hx6p-xpx3-jvvv)

### Summary

Wasmtime contains a vulnerability where when transcoding a UTF-16 string
to the latin1+utf16 component-model encoding it would incorrectly
validate the byte length of the input string when performing a bounds
check. Specifically the number of code units were checked instead of the
byte length, which is twice the size of the code units.

This vulnerability can cause the host to read beyond the end of a
WebAssembly's linear memory in an attempt to transcode nonexistent
bytes. In Wasmtime's default configuration this will read unmapped
memory on a guard page, terminating the process with a segfault.
Wasmtime can be configured, however, without guard pages which would
mean that host memory beyond the end of linear memory may be read and
interpreted as UTF-16.

A host segfault is a denial-of-service vulnerability in Wasmtime, and
possibly being able to read beyond the end of linear memory is
additionally a vulnerability. Note that reading beyond the end of linear
memory requires nonstandard configuration of Wasmtime, specifically with
guard pages disabled.

### Impact

This is an out-of-bounds memory access. Any user running untrusted wasm
components that use cross-component string passing (with UTF-16 source
and latin1+utf16 destination encodings) is affected.

- With guard pages: Denial of service. The host process crashes with
SIGBUS/SIGSEGV.
- Without guard pages: Potential information disclosure. The guest can
read host memory beyond its linear memory allocation.

Patches

Wasmtime 24.0.7, 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this
bug. Users are recommended to update to these patched versions of
Wasmtime.
Workarounds

There is no workaround for this bug. Hosts are recommended to updated to
a patched version of Wasmtime.

####
[CVE-2026-34942](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775)

### Impact

Wasmtime's implementation of transcoding strings into the Component
Model's `utf16` or `latin1+utf16` encodings improperly verified the
alignment of reallocated strings. This meant that unaligned pointers
could be passed to the host for transcoding which would trigger a host
panic. This panic is possible to trigger from malicious guests which
transfer very specific strings across components with specific
addresses.

Host panics are considered a DoS vector in Wasmtime as the panic
conditions are controlled by the guest in this situation.

### Patches

Wasmtime 24.0.7, 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this
bug. Users are recommended to update to these patched versions of
Wasmtime.

### Workarounds

There is no workaround for this bug. Hosts are recommended to updated to
a patched version of Wasmtime.

####
[CVE-2026-34943](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m758-wjhj-p3jq)

### Impact

Wasmtime contains a possible panic which can happen when a `flags`-typed
component model value is lifted with the `Val` type. If bits are set
outside of the set of flags the component model specifies that these
bits should be ignored but Wasmtime will panic when this value is
lifted. This panic only affects wasmtime's implementation of lifting
into `Val`, not when using the `flags!` macro. This additionally only
affects `flags`-typed values which are part of a WIT interface.

This has the risk of being a guest-controlled panic within the host
which Wasmtime considers a DoS vector.

### Patches

Wasmtime 24.0.7, 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this
bug. Users are recommended to update to these patched versions of
Wasmtime.

### Workarounds

There is no workaround for this bug if a host meets the criteria to be
affected. To be affected a host must be using `wasmtime::component::Val`
and possibly work with a `flags` type in the component model.

####
[CVE-2026-34944](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-qqfj-4vcm-26hv)

On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the
`f64x2.splat` WebAssembly instruction with Cranelift may load 8 more
bytes than is necessary. When
[signals-based-traps](https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps)
are disabled this can result in a uncaught segfault due to loading from
unmapped guard pages. With guard pages disabled it's possible for
out-of-sandbox data to be loaded, but this data is not visible to
WebAssembly guests.

### Details

The `f64x2.splat` operator, when operating on a value loaded from a
memory (for example with f64.load), compiles with Cranelift to code on
x86-64 without SSE3 that loads 128 bits (16 bytes) rather than the
expected 64 bits (8 bytes) from memory. When the address is in-bounds
for a (correct) 8-byte load but not an (incorrect) 16-byte load, this
can load beyond memory by up to 8 bytes. This can result in three
different behaviors depending on Wasmtime's configuration:

1. If guard pages are disabled then this extra data will be loaded. The
extra data is present in the upper bits of a register, but the upper
bits are not visible to WebAssembly guests. Actually witnessing this
data would require a different bug in Cranelift, of which none are
known. Thus in this situation while it's something we're patching in
Cranelift it's not a security issue.
2. If guard pages are enabled, and
[signals-based-traps](https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps)
are enabled, then this operation will result in a safe WebAssembly trap.
The trap is incorrect because the load is not out-of-bounds as defined
by WebAssembly, but this mistakenly widened load will load bytes from an
unmapped guard page, causing a segfault which is caught and handled as a
Wasm trap. In this situation this is not a security issue, but we're
patching Cranelift to fix the WebAssembly behavior.
3. If guard pages are enabled, and
[signals-based-traps](https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps)
are disabled, then this operation results in an uncaught segfault. Like
the previous case with guard pages enabled this will load from an
unmapped guard page. Unlike before, however, signals-based-traps are
disabled meaning that signal handlers aren't configured. The resulting
segfault will, by default, terminate the process. This is a security
issue from a DoS perspective, but does not represent an arbitrary read
or write from WebAssembly, for example.

Wasmtime's default configuration is case (2) in this case. That means
that Wasmtime, by default, incorrectly executes this
WebAssembly instruction but does not have insecure behavior.

### Impact

If
[signals-based-traps](https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps)
are disabled and guard pages are enabled then guests can trigger an
uncaught segfault in the host, likely aborting the host process. This
represents, for example, a DoS vector for WebAssembly guests.

This bug does not affect Wasmtime's default configuration and requires
[signals-based-traps](https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps)
to be disabled. This bug only affects the x86-64 target with the SSE3
feature disabled and the Cranelift backend (Wasmtime's default backend).

### Patches

Wasmtime 24.0.7, 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this
bug. Users are recommended to update to these patched versions of
Wasmtime.

### Workarounds

This bug only affects x86-64 hosts where SSE3 is disabled. If SSE3 is
enabled or if a non-x86-64 host is used then hosts are not affect.
Otherwise there are no known workarounds to this issue.

####
[CVE-2026-34945](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m9w2-8782-2946)

### Impact

Wasmtime's Winch compiler contains a bug where a 64-bit table, part of
the memory64 proposal of WebAssembly, incorrectly translated the
`table.size` instruction. This bug could lead to disclosing data on the
host's stack to WebAssembly guests. The host's stack can possibly
contain sensitive data related to other host-originating operations
which is not intended to be disclosed to guests.

This bug specifically arose from a mistake where the return value of
`table.size` was statically typed as a 32-bit integer, as opposed to
consulting the table's index type to see how large the returned register
could be. When combined with details about Wnich's ABI, such as
multi-value returns, this can be combined to read stack data from the
host, within a guest. This information disclosure should not be possible
in WebAssembly, violates spec semantics, and is a vulnerability in
Wasmtime.

### Patches

Wasmtime 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug.
Users are recommended to update to these patched versions of Wasmtime.

### Workarounds

Users of Cranelift are not affected by this issue, but users of Winch
have no workarounds other than disabling the `Config::wasm_memory64`
proposal.

####
[CVE-2026-34946](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw)

### Impact

Wasmtime's Winch compiler contains a vulnerability where the compilation
of the `table.fill` instruction can result in a host panic. This means
that a valid guest can be compiled with Winch, on any architecture, and
cause the host to panic. This represents a denial-of-service
vulnerability in Wasmtime due to guests being able to trigger a panic.

The specific issue is that a historical refactoring, #&#8203;11254,
changed how compiled code referenced tables within the `table.*`
instructions. This refactoring forgot to update the Winch code paths
associated as well, meaning that Winch was using the wrong indexing
scheme. Due to the feature support of Winch the only problem that can
result is tables being mixed up or nonexistent tables being used,
meaning that the guest is limited to panicking the host (using a
nonexistent table), or executing spec-incorrect behavior and modifying
the wrong table.

### Patches

Wasmtime 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug.
Users are recommended to update to these patched versions of Wasmtime.

### Workarounds

Users of Cranelift are not affected by this issue, but for users of
Winch there is no workaround for this bug. Hosts are recommended to
updated to a patched version of Wasmtime.

####
[CVE-2026-34971](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jhxm-h53p-jm7w)

### Impact

Wasmtime's Cranelift compilation backend contains a bug on aarch64 when
performing a certain shape of heap accesses which means that the wrong
address is accessed. When combined with explicit bounds checks a guest
WebAssembly module this can create a situation where there are two
diverging computations for the same address: one for the address to
bounds-check and one for the address to load. This difference in address
being operated on means that a guest module can pass a bounds check but
then load a different address. Combined together this enables an
arbitrary read/write primitive for guest WebAssembly when accesssing
host memory. This is a sandbox escape as guests are able to read/write
arbitrary host memory.

This vulnerability has a few ingredients, all of which must be met, for
this situation to occur and bypass the sandbox restrictions:

* This miscompiled shape of load only occurs on 64-bit WebAssembly
linear memories, or when `Config::wasm_memory64` is enabled. 32-bit
WebAssembly is not affected.
* Spectre mitigations or signals-based-traps must be disabled. When
spectre mitigations are enabled then the offending shape of load is not
generated. When signals-based-traps are disabled then spectre
mitigations are also automatically disabled.

The specific bug in Cranelift is a miscompile of a load of the shape
`load(iadd(base, ishl(index, amt)))` where `amt` is a constant. The
`amt` value is masked incorrectly to test if it's a certain value, and
this incorrect mask means that Cranelift can pattern-match this lowering
rule during instruction selection erroneously, diverging from
WebAssembly's and Cranelift's semantics. This incorrect lowering would,
for example, load an address much further away than intended as the
correct address's computation would have wrapped around to a smaller
value insetad.

### Patches

Wasmtime 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug.
Users are recommended to update to these patched versions of Wasmtime.

### Workarounds

This bug only affects users of Cranelift on aarch64. Cranelift on other
platforms is not affected. Additionally this only affects 64-bit
WebAssembly linear memories, so if `Config::wasm_memory64` is disabled
then hosts are not affected. Note that `Config::wasm_memory64` is
enabled by default. If spectre mitigations are enabled, which are
enabled by default, then hosts are not affected by this issue.

####
[CVE-2026-34988](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-6wgr-89rj-399p)

### Impact

Wasmtime's implementation of its pooling allocator contains a bug where
in certain configurations the contents of linear memory can be leaked
from one instance to the next. The implementation of resetting the
virtual memory permissions for linear memory used the wrong predicate to
determine if resetting was necessary, where the compilation process used
a different predicate. This divergence meant that the pooling allocator
incorrectly deduced at runtime that resetting virtual memory permissions
was not necessary while compile-time determine that virtual memory could
be relied upon.

Exposing this bug requires specific configuration values to be used. If
any of these configurations are not applicable then this bug does not
happen:

* The pooling allocator must be in use.
* The `Config::memory_guard_size` configuration option must be 0.
* The `Config::memory_reservation` configuration must be less than 4GiB.
* The pooling allocator must be configured with `max_memory_size` the
same as the `memory_reservation` value.

If all of these conditions are applicable then when a linear memory is
reused the VM permissions of the previous iteration are not reset. This
means that the compiled code, which is assuming out-of-bounds loads will
segfault, will not actually segfault and can read the previous contents
of linear memory if it was previously mapped.

This represents a data leakage vulnerability between guest WebAssembly
instances which breaks WebAssembly's semantics and additionally breaks
the sandbox that Wasmtime provides. Wasmtime is not vulnerable to this
issue with its default settings, nor with the default settings of the
pooling allocator, but embeddings are still allowed to configure these
values to cause this vulnerability.

### Patches

Wasmtime 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug.
Users are recommended to update to these patched versions of Wasmtime.

### Workarounds

All four conditions above must be met to be vulnerable to this bug, and
users can work around this bug by adjusting any of the above conditions.
For example it is strongly recommended that guard pages are configured
for linear memories which would make this bug not applicable.

####
[CVE-2026-35195](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-394w-hwhg-8vgm)

### Impact

Wasmtime's implementation of transcoding strings between components
contains a bug where the return value of a guest component's `realloc`
is not validated before the host attempts to write through the pointer.
This enables a guest to cause the host to write arbitrary transcoded
string bytes to an arbitrary location up to 4GiB away from the base of
linear memory. These writes on the host could hit unmapped memory or
could corrupt host data structures depending on Wasmtime's
configuration.

Wasmtime by default reserves 4GiB of virtual memory for a guest's linear
memory meaning that this bug will by default on hosts cause the host to
hit unmapped memory and abort the process due to an unhandled fault.
Wasmtime can be configured, however, to reserve less memory for a guest
and to remove all guard pages, so some configurations of Wasmtime may
lead to corruption of data outside of a guest's linear memory, such as
host data structures or other guests's linear memories.

### Patches

Wasmtime 24.0.7, 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this
bug. Users are recommended to update to these patched versions of
Wasmtime.

### Workarounds

There is no known workaround for this issue and affected
hosts/embeddings are recommended to upgrade.

---

### Release Notes

<details>
<summary>bytecodealliance/wasmtime (wasmtime)</summary>

###
[`v36.0.7`](https://redirect.github.com/bytecodealliance/wasmtime/releases/tag/v36.0.7)

[Compare
Source](https://redirect.github.com/bytecodealliance/wasmtime/compare/v36.0.6...v36.0.7)

#### 36.0.7

Released 2026-04-09.

##### Fixed

- Miscompiled guest heap access enables sandbox escape on aarch64
Cranelift.

[GHSA-jhxm-h53p-jm7w](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jhxm-h53p-jm7w)

- Wasmtime with Winch compiler backend may allow a sandbox-escaping
memory
  access.

[GHSA-xx5w-cvp6-jv83](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xx5w-cvp6-jv83)

- Out-of-bounds write or crash when transcoding component model strings.

[GHSA-394w-hwhg-8vgm](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-394w-hwhg-8vgm)

- Host panic when Winch compiler executes `table.fill`.

[GHSA-q49f-xg75-m9xw](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw)

- Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat`
operator
  on x86-64.

[GHSA-qqfj-4vcm-26hv](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-qqfj-4vcm-26hv)

- Improperly masked return value from `table.grow` with Winch compiler
backend.

[GHSA-f984-pcp8-v2p7](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-f984-pcp8-v2p7)

- Panic when transcoding misaligned utf-16 strings.

[GHSA-jxhv-7h78-9775](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775)

- Panic when lifting `flags` component value.

[GHSA-m758-wjhj-p3jq](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m758-wjhj-p3jq)

- Heap OOB read in component model UTF-16 to latin1+utf16 string
transcoding.

[GHSA-hx6p-xpx3-jvvv](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hx6p-xpx3-jvvv)

- Data leakage between pooling allocator instances.

[GHSA-6wgr-89rj-399p](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-6wgr-89rj-399p)

- Host data leakage with 64-bit tables and Winch.

[GHSA-m9w2-8782-2946](https://redirect.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m9w2-8782-2946)

</details>

---

### Configuration

📅 **Schedule**: (in timezone America/New_York)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

Release Notes:

- N/A

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 Cargo.lock | 144 ++++++++++++++++++++++++++---------------------------
 1 file changed, 72 insertions(+), 72 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 1e5c390ac823bfe3b4c0839d2d98102b5a0e87f3..5280fc72d074c22414b603a9b7092f2005f07a85 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3864,36 +3864,36 @@ dependencies = [
 
 [[package]]
 name = "cranelift-assembler-x64"
-version = "0.123.6"
+version = "0.123.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ba33ddc4e157cb1abe9da6c821e8824f99e56d057c2c22536850e0141f281d61"
+checksum = "c8056d63fef9a6f88a1e7aae52bb08fcf48de8866d514c0dc52feb15975f5db5"
 dependencies = [
  "cranelift-assembler-x64-meta",
 ]
 
 [[package]]
 name = "cranelift-assembler-x64-meta"
-version = "0.123.6"
+version = "0.123.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "69b23dd6ea360e6fb28a3f3b40b7f126509668f58076a4729b2cfd656f26a0ad"
+checksum = "57d063b40884a0d733223a45c5de1155395af4393cf7f900d5be8e2cbc094015"
 dependencies = [
  "cranelift-srcgen",
 ]
 
 [[package]]
 name = "cranelift-bforest"
-version = "0.123.6"
+version = "0.123.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a9d81afcee8fe27ee2536987df3fadcb2e161af4edb7dbe3ef36838d0ce74382"
+checksum = "3c3add2881bae2d55cd7162906988dd70053cb7ece865ad793a6754b04d47df6"
 dependencies = [
  "cranelift-entity",
 ]
 
 [[package]]
 name = "cranelift-bitset"
-version = "0.123.6"
+version = "0.123.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fb33595f1279fe7af03b28245060e9085caf98b10ed3137461a85796eb83972a"
+checksum = "dd73e32bc1ea4bddc4c770760c66fa24b2890991b0561af554219e603fcd7c34"
 dependencies = [
  "serde",
  "serde_derive",
@@ -3901,9 +3901,9 @@ dependencies = [
 
 [[package]]
 name = "cranelift-codegen"
-version = "0.123.6"
+version = "0.123.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0230a6ac0660bfe31eb244cbb43dcd4f2b3c1c4e0addc3e0348c6053ea60272e"
+checksum = "3e1da85f2636fe28244848861d1ed0f8dccdc6e98fc5db31aa5eb8878e7ff617"
 dependencies = [
  "bumpalo",
  "cranelift-assembler-x64",
@@ -3931,9 +3931,9 @@ dependencies = [
 
 [[package]]
 name = "cranelift-codegen-meta"
-version = "0.123.6"
+version = "0.123.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "96d6817fdc15cb8f236fc9d8e610767d3a03327ceca4abff7a14d8e2154c405e"
+checksum = "ee3c8aba9d89832df27364b2e79dc2fe288daf4bd6c7347829e7f3f258ea5650"
 dependencies = [
  "cranelift-assembler-x64-meta",
  "cranelift-codegen-shared",
@@ -3944,24 +3944,24 @@ dependencies = [
 
 [[package]]
 name = "cranelift-codegen-shared"
-version = "0.123.6"
+version = "0.123.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0403796328e9e2e7df2b80191cdbb473fd9ea3889eb45ef5632d0fef168ea032"
+checksum = "ac9a9b09fe107fef6377caed20614586124184cffccb73611312ceb922a917e6"
 
 [[package]]
 name = "cranelift-control"
-version = "0.123.6"
+version = "0.123.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "188f04092279a3814e0b6235c2f9c2e34028e4beb72da7bfed55cbd184702bcc"
+checksum = "50aef001c7ad250d5fdda2c7481cbfcabe6435c66106adf5760dcb9fb9a8ede4"
 dependencies = [
  "arbitrary",
 ]
 
 [[package]]
 name = "cranelift-entity"
-version = "0.123.6"
+version = "0.123.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "43f5e7391167605d505fe66a337e1a69583b3f34b63d359ffa5a430313c555e8"
+checksum = "cf3c84656a010df2b5afaedcbbbd94f1efe175b55e29864df7b99e64bfa40d56"
 dependencies = [
  "cranelift-bitset",
  "serde",
@@ -3970,9 +3970,9 @@ dependencies = [
 
 [[package]]
 name = "cranelift-frontend"
-version = "0.123.6"
+version = "0.123.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ea5440792eb2b5ba0a0976df371b9f94031bd853ae56f389de610bca7128a7cb"
+checksum = "6aa1d2006915cddb63705db46dcfb8637fe08f91d26fbe59680d7257ec39d609"
 dependencies = [
  "cranelift-codegen",
  "log",
@@ -3982,15 +3982,15 @@ dependencies = [
 
 [[package]]
 name = "cranelift-isle"
-version = "0.123.6"
+version = "0.123.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e5c05fab6fce38d729088f3fa1060eaa1ad54eefd473588887205ed2ab2f79e"
+checksum = "6e4fecbcbb81273f9aff4559e26fc341f42663da420cca5ac84b34e74e9267e0"
 
 [[package]]
 name = "cranelift-native"
-version = "0.123.6"
+version = "0.123.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c9a0607a028edf5ba5bba7e7cf5ca1b7f0a030e3ae84dcd401e8b9b05192280"
+checksum = "976a3d85f197a56ae34ee4d5a5e469855ac52804a09a513d0562d425da0ff56e"
 dependencies = [
  "cranelift-codegen",
  "libc",
@@ -3999,9 +3999,9 @@ dependencies = [
 
 [[package]]
 name = "cranelift-srcgen"
-version = "0.123.6"
+version = "0.123.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cb0f2da72eb2472aaac6cfba4e785af42b1f2d82f5155f30c9c30e8cce351e17"
+checksum = "37fbd4aefce642145491ff862d2054a71b63d2d97b8dd1e280c9fdaf399598b7"
 
 [[package]]
 name = "crash-context"
@@ -4925,7 +4925,7 @@ dependencies = [
  "libc",
  "option-ext",
  "redox_users 0.5.2",
- "windows-sys 0.61.2",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -5691,7 +5691,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
  "libc",
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -7116,7 +7116,7 @@ dependencies = [
  "gobject-sys",
  "libc",
  "system-deps 7.0.7",
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -11089,7 +11089,7 @@ version = "0.50.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
 dependencies = [
- "windows-sys 0.61.2",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -13535,7 +13535,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "22505a5c94da8e3b7c2996394d1c933236c4d743e81a410bcca4e6989fc066a4"
 dependencies = [
  "bytes 1.11.1",
- "heck 0.5.0",
+ "heck 0.4.1",
  "itertools 0.12.1",
  "log",
  "multimap",
@@ -13685,9 +13685,9 @@ checksum = "bd348ff538bc9caeda7ee8cad2d1d48236a1f443c1fa3913c6a02fe0043b1dd3"
 
 [[package]]
 name = "pulley-interpreter"
-version = "36.0.6"
+version = "36.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "499d922aa0f9faac8d92351416664f1b7acd914008a90fce2f0516d31efddf67"
+checksum = "a078b4bdfd275fadeefc4f9ae3675ee5af302e69497da439956dd05257858970"
 dependencies = [
  "cranelift-bitset",
  "log",
@@ -13697,9 +13697,9 @@ dependencies = [
 
 [[package]]
 name = "pulley-macros"
-version = "36.0.6"
+version = "36.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a3848fb193d6dffca43a21f24ca9492f22aab88af1223d06bac7f8a0ef405b81"
+checksum = "9dac91999883fd00b900eb5377be403c5cb8b93e10efcb571bf66454c2d9f231"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -13841,7 +13841,7 @@ dependencies = [
  "once_cell",
  "socket2 0.6.1",
  "tracing",
- "windows-sys 0.60.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -15033,7 +15033,7 @@ dependencies = [
  "errno 0.3.14",
  "libc",
  "linux-raw-sys 0.11.0",
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -16286,7 +16286,7 @@ version = "0.8.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c1c97747dbf44bb1ca44a561ece23508e99cb592e862f22222dcf42f51d1e451"
 dependencies = [
- "heck 0.5.0",
+ "heck 0.4.1",
  "proc-macro2",
  "quote",
  "syn 2.0.117",
@@ -17500,7 +17500,7 @@ dependencies = [
  "getrandom 0.3.4",
  "once_cell",
  "rustix 1.1.2",
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -19710,9 +19710,9 @@ dependencies = [
 
 [[package]]
 name = "wasmtime"
-version = "36.0.6"
+version = "36.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a2f8736ddc86e03a9d0e4c477a37939cfc53cd1b052ee38a3133679b87ef830"
+checksum = "b80d5ba38b9b00f60a0665e07dde38e91d884d4a78cd61d777c8cf081a1267c1"
 dependencies = [
  "addr2line",
  "anyhow",
@@ -19771,9 +19771,9 @@ dependencies = [
 
 [[package]]
 name = "wasmtime-environ"
-version = "36.0.6"
+version = "36.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "733682a327755c77153ac7455b1ba8f2db4d9946c1738f8002fe1fbda1d52e83"
+checksum = "44a45d60dea98308decb71a9f7bb35a629696d1fbf7127dbfde42cbc64b8fa33"
 dependencies = [
  "anyhow",
  "cpp_demangle",
@@ -19798,9 +19798,9 @@ dependencies = [
 
 [[package]]
 name = "wasmtime-internal-asm-macros"
-version = "36.0.6"
+version = "36.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "68288980a2e02bcb368d436da32565897033ea21918007e3f2bae18843326cf9"
+checksum = "dd014b4001b6da03d79062d9ad5ec98fa62e34d50e30e46298545282cc2957e4"
 dependencies = [
  "cfg-if",
 ]
@@ -19817,9 +19817,9 @@ dependencies = [
 
 [[package]]
 name = "wasmtime-internal-component-macro"
-version = "36.0.6"
+version = "36.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5dea846da68f8e776c8a43bde3386022d7bb74e713b9654f7c0196e5ff2e4684"
+checksum = "0f2942aa5d44b02061e0c6ab71b23090cf3b300b4519e3b80776ac38edde2e65"
 dependencies = [
  "anyhow",
  "proc-macro2",
@@ -19832,15 +19832,15 @@ dependencies = [
 
 [[package]]
 name = "wasmtime-internal-component-util"
-version = "36.0.6"
+version = "36.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fe1e5735b3c8251510d2a55311562772d6c6fca9438a3d0329eb6e38af4957d6"
+checksum = "bcb6f974fe739e98034b7e6ec6feb2ab399f4cde7207675f26138bd9a1d65720"
 
 [[package]]
 name = "wasmtime-internal-cranelift"
-version = "36.0.6"
+version = "36.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e89bb9ef571288e2be6b8a3c4763acc56c348dcd517500b1679d3ffad9e4a757"
+checksum = "4047020866a80aa943e41133e607020e17562126cf81533362275272098a22b1"
 dependencies = [
  "anyhow",
  "cfg-if",
@@ -19865,9 +19865,9 @@ dependencies = [
 
 [[package]]
 name = "wasmtime-internal-fiber"
-version = "36.0.6"
+version = "36.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b698d004b15ea1f1ae2d06e5e8b80080cbd684fd245220ce2fac3cdd5ecf87f2"
+checksum = "7cd172b622993bb8f834f6ca3b7683dfdba72b12db0527824850fdec17c89e5a"
 dependencies = [
  "anyhow",
  "cc",
@@ -19881,9 +19881,9 @@ dependencies = [
 
 [[package]]
 name = "wasmtime-internal-jit-debug"
-version = "36.0.6"
+version = "36.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c803a9fec05c3d7fa03474d4595079d546e77a3c71c1d09b21f74152e2165c17"
+checksum = "1287e310fef4c8759a6b5caa0d44eff9a03ebcd6c273729cc39ce3e321a9e26a"
 dependencies = [
  "cc",
  "wasmtime-internal-versioned-export-macros",
@@ -19891,9 +19891,9 @@ dependencies = [
 
 [[package]]
 name = "wasmtime-internal-jit-icache-coherence"
-version = "36.0.6"
+version = "36.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d3866909d37f7929d902e6011847748147e8734e9d7e0353e78fb8b98f586aee"
+checksum = "c02bca30ef670a31496d742d9facdbd0228debe766b1e9541655c0530ff5c953"
 dependencies = [
  "anyhow",
  "cfg-if",
@@ -19903,24 +19903,24 @@ dependencies = [
 
 [[package]]
 name = "wasmtime-internal-math"
-version = "36.0.6"
+version = "36.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5a23b03fb14c64bd0dfcaa4653101f94ade76c34a3027ed2d6b373267536e45b"
+checksum = "fd3a1f51a037ae2c048f0d76d36e27f0d22276295496c44f16a251f24690e003"
 dependencies = [
  "libm",
 ]
 
 [[package]]
 name = "wasmtime-internal-slab"
-version = "36.0.6"
+version = "36.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fbff220b88cdb990d34a20b13344e5da2e7b99959a5b1666106bec94b58d6364"
+checksum = "ba6171aac3d66e4d69e50080bb6bc5205de2283513984a4118a93cb66dc02994"
 
 [[package]]
 name = "wasmtime-internal-unwinder"
-version = "36.0.6"
+version = "36.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "13e1ad30e88988b20c0d1c56ea4b4fbc01a8c614653cbf12ca50c0dcc695e2f7"
+checksum = "3fd1bc1783391a02176fb687159b1779fc10b71d5350adf09c1f3aa8442a02cc"
 dependencies = [
  "anyhow",
  "cfg-if",
@@ -19931,9 +19931,9 @@ dependencies = [
 
 [[package]]
 name = "wasmtime-internal-versioned-export-macros"
-version = "36.0.6"
+version = "36.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "549aefdaa1398c2fcfbf69a7b882956bb5b6e8e5b600844ecb91a3b5bf658ca7"
+checksum = "8097e2c8ca02ed65d31dda111faa0888ffbf28dc3ee74355e283118a8d293eb0"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -19942,9 +19942,9 @@ dependencies = [
 
 [[package]]
 name = "wasmtime-internal-winch"
-version = "36.0.6"
+version = "36.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5cc96a84c5700171aeecf96fa9a9ab234f333f5afb295dabf3f8a812b70fe832"
+checksum = "6a8cb36b61fbcff2c8bcd14f9f2651a6e52b019d0d329324620d7bc971b2b235"
 dependencies = [
  "anyhow",
  "cranelift-codegen",
@@ -19959,9 +19959,9 @@ dependencies = [
 
 [[package]]
 name = "wasmtime-internal-wit-bindgen"
-version = "36.0.6"
+version = "36.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c28dc9efea511598c88564ac1974e0825c07d9c0de902dbf68f227431cd4ff8c"
+checksum = "ff555cfb71577028616d65c00221c7fe6eef45a9ebb96fc6d34d4a41fa1de191"
 dependencies = [
  "anyhow",
  "bitflags 2.10.0",
@@ -20531,7 +20531,7 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.61.2",
+ "windows-sys 0.48.0",
 ]
 
 [[package]]
@@ -20542,9 +20542,9 @@ checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
 
 [[package]]
 name = "winch-codegen"
-version = "36.0.6"
+version = "36.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "06c0ec09e8eb5e850e432da6271ed8c4a9d459a9db3850c38e98a3ee9d015e79"
+checksum = "0989126b21d12c9923aa2de7ddbcf87db03037b24b7365041d9dd0095b69d8cb"
 dependencies = [
  "anyhow",
  "cranelift-assembler-x64",