chore(deps): update wasmtime requirement from 45 to 46#9
chore(deps): update wasmtime requirement from 45 to 46#9dependabot[bot] wants to merge 1 commit into
Conversation
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
Updates the requirements on [wasmtime](https://github.com/bytecodealliance/wasmtime) to permit the latest version. - [Release notes](https://github.com/bytecodealliance/wasmtime/releases) - [Changelog](https://github.com/bytecodealliance/wasmtime/blob/v46.0.1/RELEASES.md) - [Commits](bytecodealliance/wasmtime@v45.0.0...v46.0.1) --- updated-dependencies: - dependency-name: wasmtime dependency-version: 46.0.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
2c51c3d to
f8605c5
Compare
Up to standards ✅🟢 Issues
|
There was a problem hiding this comment.
Pull Request Overview
The PR updates the wasmtime dependency but omits the necessary update for wasmtime-wasi. These crates are tightly coupled and must share the same version to avoid compilation errors stemming from internal shared dependencies.
Crucially, the security fix GHSA-4ch3-9j33-3pmj cited in the PR description is implemented in wasmtime-wasi. By failing to update that crate to version 46, the security objective of this pull request is not achieved. This update should not be merged until both crates are synchronized.
About this PR
- The implementation currently introduces a dependency version mismatch between
wasmtimeandwasmtime-wasi, which typically causes Rust compilation errors due to conflicting internal crates likewasmtime-runtime. Ensure all related Wasmtime ecosystem crates are updated in unison.
Test suggestions
- Verify project compilation with wasmtime 46 and existing wasmtime-wasi 45.
- Execute WASI integration tests to confirm security fix GHSA-4ch3-9j33-3pmj is active.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify project compilation with wasmtime 46 and existing wasmtime-wasi 45.
2. Execute WASI integration tests to confirm security fix GHSA-4ch3-9j33-3pmj is active.
TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback
|
|
||
| # Wasm plugin runtime | ||
| wasmtime = { version = "45", default-features = false, features = ["cranelift", "async", "component-model"] } | ||
| wasmtime = { version = "46", default-features = false, features = ["cranelift", "async", "component-model"] } |
There was a problem hiding this comment.
🔴 HIGH RISK
Updating wasmtime to 46 while keeping wasmtime-wasi at 45 will likely lead to compilation errors. These crates must be updated in sync. Additionally, the PR description mentions security fix GHSA-4ch3-9j33-3pmj which affects wasmtime-wasi; you must update wasmtime-wasi to version 46 as well to receive the fix.
Try running the following prompt in your coding agent:
Update wasmtime-wasi to version 46 in Cargo.toml to match the update of wasmtime.
There was a problem hiding this comment.
Pull Request Overview
This PR exhibits a major misalignment between its title and the provided implementation. While described as a routine dependency update (chore) for wasmtime, the changes instead introduce a new 'linting' feature for the dpp-vault service, including a new API endpoint and domain service module. The actual wasmtime requirement update is missing from the code changes.
Codacy analysis indicates the PR is currently up to standards in terms of static analysis; however, the lack of unit or integration tests for the new domain logic is a significant concern. The introduction of feature-level changes under a chore title is misleading and complicates the review and release process. It is recommended to separate these changes into appropriate PRs or update this PR to accurately reflect its scope and include the missing dependency update and test coverage.
About this PR
- There are no unit or integration tests included for the new lint handler or service module introduced in this PR.
- The PR title and description are misleading. They state a dependency update for 'wasmtime', but the diff primarily implements a new domain feature ('linting') while the dependency bump itself is missing.
Test suggestions
- Verify dependency update in Cargo.toml
- Verify the POST /dpp/{dppId}/lint endpoint successfully triggers the linting service
- Verify the lint service correctly performs advisory re-checks without blocking publishing
- Confirm that the updated create_draft call in smoke.rs correctly round-trips component references
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify dependency update in Cargo.toml
2. Verify the POST /dpp/{dppId}/lint endpoint successfully triggers the linting service
3. Verify the lint service correctly performs advisory re-checks without blocking publishing
TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback
| //! - [`query`] — read paths: `find_*`, `list`, `count`, `history` | ||
| //! - [`create`] — `create`, `update`, and their private helpers `apply_patch`/`apply_compliance` | ||
| //! - [`publish`] — `publish` and its private helpers `validate_schema_for_publish`/`build_gs1_or_fallback_url` | ||
| //! - [`lint`] — `relint` (advisory lint re-check; never blocks publish) |
There was a problem hiding this comment.
🟡 MEDIUM RISK
This new service module for 'relint' operations is out of scope for a dependency update chore.
| .route("/dpps", get(list_handler)) | ||
| .route("/dpp/{dppId}", get(read_handler).put(update_handler)) | ||
| .route("/dpp/{dppId}/publish", post(publish_handler)) | ||
| .route("/dpp/{dppId}/lint", post(lint_handler)) |
There was a problem hiding this comment.
🟡 MEDIUM RISK
The addition of the /lint route is not mentioned in the PR description. New features should be documented and ideally handled in a separate PR from dependency chores.
There was a problem hiding this comment.
Pull Request Overview
This PR is currently not up to standards due to a significant mismatch between the stated intent and the actual changes. While the PR title and description indicate an update to a specific dependency, the code change modifies a different package entirely.
The required update mentioned in the acceptance criteria is completely missing from the implementation. This discrepancy must be resolved to ensure the project's dependency history remains accurate and that the intended update is actually performed.
About this PR
- There is a significant misalignment between the PR metadata and the implementation. The code updates a different dependency than the one claimed in the title and description. This inconsistency should be addressed to maintain an accurate project history.
Test suggestions
- Verify that the dependency version is updated correctly in Cargo.toml
- Verify that the secondary dependency version is updated correctly in Cargo.toml
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify that the dependency version is updated correctly in Cargo.toml
2. Verify that the secondary dependency version is updated correctly in Cargo.toml
TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback
|
|
||
| # Integration tests | ||
| testcontainers = "0.21" | ||
| testcontainers = "0.27" |
There was a problem hiding this comment.
🔴 HIGH RISK
The implementation diverges from the PR description. This change updates a dependency that is not the one identified in the PR title. The dependency specified in the requirements remains unmodified.
Updates the requirements on wasmtime to permit the latest version.
Release notes
Sourced from wasmtime's releases.
Changelog
Sourced from wasmtime's changelog.
... (truncated)
Commits
823d1b8Release Wasmtime 46.0.1 (#13722)5ddfd5fTest and remediate ghsa-4ch3 for release-46.0.0 (#13726)b31ca92release-46.0.0: backport flaky test fix, amend release notes (#13721)311587eAdd explicit hint for generic call (#13715) (#13719)423be7aRelease Wasmtime 46.0.0 (#13696)4c582a2Properly tag inline bulk-copy loads/stores with alias regions (#13610) (#13679)559e3ca[46.0.0] More backports/bugfixes (#13668)7535c02Fix leak infd_renumber(#13649)60f0577[46.0.0] Some more backports (#13626)5d09d88feat(MachO): Cranelift: align stack prologue/epilogue with compact unwind for...