Bump the wasmtime group with 2 updates

[dependabot]

Updates the requirements on wasmtime and wasmtime-wasi to permit the latest version.
Updates wasmtime to 40.0.4

Release notes

Sourced from wasmtime's releases.

v40.0.4

40.0.4

Released 2026-02-24.

Changed

• Wasmtime's implementation of WASI now has the ability to limit resource consumption on behalf of the guest, such as host-allocated memory. This means that some behaviors previously allowed by Wasmtime can now disallowed, such as transferring excessive data from the guest to the host. Additionally calls to wasi:random/random.get-random-bytes, for example, can have limits in place to avoid allocating too much memory on the host. To preserve backwards-compatible behavior these limits are NOT set by default. Embedders must opt-in to configuring these knobs as appropriate for their embeddings. For more information on this see the related security advisory with further details on knobs added and what behaviors can be restricted. GHSA-852m-cvvp-9p4w

Fixed

• Panics when adding too many headers to a wasi:http/types.fields has been resolved GHSA-243v-98vx-264h

• Panic when dropping a [Typed]Func::call_async future. GHSA-xjhv-v822-pf94

Changelog

Sourced from wasmtime's changelog.

40.0.4

Released 2026-02-24.

Changed

• Wasmtime's implementation of WASI now has the ability to limit resource consumption on behalf of the guest, such as host-allocated memory. This means that some behaviors previously allowed by Wasmtime can now disallowed, such as transferring excessive data from the guest to the host. Additionally calls to wasi:random/random.get-random-bytes, for example, can have limits in place to avoid allocating too much memory on the host. To preserve backwards-compatible behavior these limits are NOT set by default. Embedders must opt-in to configuring these knobs as appropriate for their embeddings. For more information on this see the related security advisory with further details on knobs added and what behaviors can be restricted. GHSA-852m-cvvp-9p4w

Fixed

• Panics when adding too many headers to a wasi:http/types.fields has been resolved GHSA-243v-98vx-264h

• Panic when dropping a [Typed]Func::call_async future. GHSA-xjhv-v822-pf94

---

40.0.3

Released 2026-01-26.

Fixed

• Fixed a bug in lowering of f64.copysign on x86-64 whereby when combined with an f64.load, the resulting machine code could read 16 bytes rather than 8 bytes. This could result in a segfault when Wasmtime is configured without signals-based traps.

---

40.0.2

Released 2026-01-14.

Fixed

• A possible stack overflow in the x64 backend with cmp emission has been fixed.

... (truncated)

Commits

• dc38c5b Release Wasmtime 40.0.4 (#12655)
• 9e51c0d [40.0.x] Backport fixes for security advisories (#12649)
• 9d52979 Switch back to emulation of s390x tests (#12493)
• 390241f Release Wasmtime 40.0.3 (#12433)
• 728fa07 [40.0] Backport Cranelift: x64: fix incorrect load-sinking in copysign oper...
• bb9ef67 Release Wasmtime 40.0.2 (#12346)
• f5728ae [40.0.x] Backport a few codegen fixes (#12345)
• 27a0a94 Cranelift: x64: fix user-controlled recursion in cmp emission. (#12333) (#12341)
• 918e5dc Release Wasmtime 40.0.1 (#12271)
• 01cc1c0 Migrate this workspace to using trusted publishing (#12257) (#12265)
• Additional commits viewable in compare view

Updates wasmtime-wasi to 36.0.7

Release notes

Sourced from wasmtime-wasi's releases.

v36.0.7

36.0.7

Released 2026-04-09.

Fixed

• Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift. GHSA-jhxm-h53p-jm7w

• Wasmtime with Winch compiler backend may allow a sandbox-escaping memory access. GHSA-xx5w-cvp6-jv83

• Out-of-bounds write or crash when transcoding component model strings. GHSA-394w-hwhg-8vgm

• Host panic when Winch compiler executes table.fill. GHSA-q49f-xg75-m9xw

• Wasmtime segfault or unused out-of-sandbox load with f64x2.splat operator on x86-64. GHSA-qqfj-4vcm-26hv

• Improperly masked return value from table.grow with Winch compiler backend. GHSA-f984-pcp8-v2p7

• Panic when transcoding misaligned utf-16 strings. GHSA-jxhv-7h78-9775

• Panic when lifting flags component value. GHSA-m758-wjhj-p3jq

• Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding. GHSA-hx6p-xpx3-jvvv

• Data leakage between pooling allocator instances. GHSA-6wgr-89rj-399p

• Host data leakage with 64-bit tables and Winch. GHSA-m9w2-8782-2946

Changelog

Sourced from wasmtime-wasi's changelog.

36.0.7

Released 2026-04-09.

Fixed

• Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift. GHSA-jhxm-h53p-jm7w

• Wasmtime with Winch compiler backend may allow a sandbox-escaping memory access. GHSA-xx5w-cvp6-jv83

• Out-of-bounds write or crash when transcoding component model strings. GHSA-394w-hwhg-8vgm

• Host panic when Winch compiler executes table.fill. GHSA-q49f-xg75-m9xw

• Wasmtime segfault or unused out-of-sandbox load with f64x2.splat operator on x86-64. GHSA-qqfj-4vcm-26hv

• Improperly masked return value from table.grow with Winch compiler backend. GHSA-f984-pcp8-v2p7

• Panic when transcoding misaligned utf-16 strings. GHSA-jxhv-7h78-9775

• Panic when lifting flags component value. GHSA-m758-wjhj-p3jq

• Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding. GHSA-hx6p-xpx3-jvvv

• Data leakage between pooling allocator instances. GHSA-6wgr-89rj-399p

• Host data leakage with 64-bit tables and Winch. GHSA-m9w2-8782-2946

---

36.0.6

Released 2026-02-24.

Changed

• Wasmtime's implementation of WASI now has the ability to limit resource

... (truncated)

Commits

• 0953908 Release Wasmtime 36.0.7 (#12999)
• 7c9130b [36.0.x] Combined backports for a 36.0.7 release (#13003)
• f2054e0 Release Wasmtime 36.0.6 (#12656)
• 48b427b [36.0.x] Backport fixes for security advisories (#12648)
• 06ef143 Release Wasmtime 36.0.5 (#12432)
• ac92d9b [36.0] Backport Cranelift: x64: fix incorrect load-sinking in copysign oper...
• 0489f91 Release Wasmtime 36.0.4 (#12348)
• 5c1a5f6 Cranelift: x64: fix user-controlled recursion in cmp emission. (#12333) (#12338)
• 8c97ae8 Migrate this workspace to using trusted publishing (#12257) (#12280)
• 17d037f Release Wasmtime 36.0.3 (#12023)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions