
chore: ignore wasmtime SBOM vulnerabilities from polkadot-sdk #1295

Merged

NachoPal merged 4 commits into main from nacho/ignore-wasmtime on Apr 10, 2026

Conversation

@NachoPal NachoPal (Contributor) commented Apr 10, 2026

Overview

The SBOM vulnerability scan (sbom-scan-image.yml) fails on a critical wasmtime CVE (GHSA-jhxm-h53p-jm7w). wasmtime 35.0.0 is a transitive dependency from polkadot-sdk (polkadot-stable2509) via sc-executor-wasmtime and cannot be bumped independently — it requires upgrading the entire polkadot-sdk (it is locked to 35.0.0 in the latest available version).

After checking the advisory description, we've confirmed that this does not affect the node/polkadot-sdk, so it can be safely ignored.

🗹 TODO before merging

  • Ready

📌 Submission Checklist

  • Changes are backward-compatible (or flagged if breaking)
  • Pull request description explains why the change is needed
  • Self-reviewed the diff
  • I have included a change file, or skipped for this reason:
  • If the changes introduce a new feature, I have bumped the node minor version
  • Update documentation (if relevant)
  • Updated AGENTS.md if build commands, architecture, or workflows changed
  • No new todos introduced

🧪 Testing Evidence

Please describe any additional testing aside from CI:

  • Additional tests are provided (if possible)

🔱 Fork Strategy

  • Node Runtime Update
  • Node Client Update
  • Other:
  • N/A

Links
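A check a reviewer would want next to an SBOM ignore entry like the one this PR introduces, as an added example that is not code from this repository or from polkadot-sdk. It parses a constructed CycloneDX-style SBOM fragment (the advisory id GHSA-jhxm-h53p-jm7w, the crate names and wasmtime 35.0.0 come from the description above; the other version numbers, the bom-ref strings and the shape of the ignore list are assumptions made for the example), prints the dependency path that makes wasmtime a transitive pin, and verifies that each ignore entry records a justification, is pinned to a package and version, and still matches what the SBOM contains. The point of the version pin is that once a polkadot-sdk bump changes the wasmtime version, the entry is flagged for re-assessment instead of silently masking a new release of the same advisory.

```python
"""Sanity-check an SBOM vulnerability ignore list against the SBOM itself.

Added example, not code from the repository or polkadot-sdk. The SBOM fragment
and ignore list are constructed; only the advisory id, the crate names and
wasmtime 35.0.0 come from the PR description.
"""
import json
from typing import Dict, List

# Constructed CycloneDX-style SBOM fragment (not real scanner output).
# Versions other than wasmtime 35.0.0 are placeholders.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"bom-ref": "pkg:cargo/node@0.0.0", "name": "node", "version": "0.0.0"},
        {"bom-ref": "pkg:cargo/sc-executor-wasmtime@0.0.0",
         "name": "sc-executor-wasmtime", "version": "0.0.0"},
        {"bom-ref": "pkg:cargo/wasmtime@35.0.0", "name": "wasmtime", "version": "35.0.0"},
    ],
    "dependencies": [
        {"ref": "pkg:cargo/node@0.0.0", "dependsOn": ["pkg:cargo/sc-executor-wasmtime@0.0.0"]},
        {"ref": "pkg:cargo/sc-executor-wasmtime@0.0.0", "dependsOn": ["pkg:cargo/wasmtime@35.0.0"]},
        {"ref": "pkg:cargo/wasmtime@35.0.0", "dependsOn": []},
    ],
})

# Constructed ignore list in a hypothetical package@version-pinned shape.
IGNORES = [
    {
        "vulnerability": "GHSA-jhxm-h53p-jm7w",
        "package": "wasmtime",
        "version": "35.0.0",
        "reason": "advisory reviewed; does not affect the node (PR #1295)",
    },
]


def parse_sbom(text: str) -> Dict[str, object]:
    """Index the SBOM: name -> {versions}, bom-ref -> name, bom-ref -> [dependency refs]."""
    bom = json.loads(text)
    names = {c["bom-ref"]: c["name"] for c in bom["components"]}
    versions: Dict[str, set] = {}
    for c in bom["components"]:
        versions.setdefault(c["name"], set()).add(c["version"])
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom["dependencies"]}
    return {"versions": versions, "graph": graph, "names": names}


def dependency_paths(sbom: Dict[str, object], root: str, target: str) -> List[List[str]]:
    """Every path of component names from `root` to `target`: who pulls the pinned crate in."""
    names, graph = sbom["names"], sbom["graph"]
    by_name = {n: r for r, n in names.items()}
    out: List[List[str]] = []

    def walk(ref: str, path: List[str], seen: set) -> None:
        if names[ref] == target:
            out.append(path)
            return
        for dep in graph.get(ref, []):
            if dep not in seen:  # guard against dependency cycles
                walk(dep, path + [names[dep]], seen | {dep})

    if root in by_name:
        walk(by_name[root], [root], {by_name[root]})
    return out


def check_ignores(sbom: Dict[str, object], ignores: List[dict]) -> List[str]:
    """Findings for ignore entries that are unjustified, unpinned, or stale relative to the SBOM."""
    findings: List[str] = []
    for entry in ignores:
        vid = entry.get("vulnerability", "<missing id>")
        if not entry.get("reason"):
            findings.append(f"{vid}: no justification recorded")
        pkg, ver = entry.get("package"), entry.get("version")
        if not pkg or not ver:
            findings.append(f"{vid}: not pinned to a package@version; would mask future versions")
            continue
        present = sbom["versions"].get(pkg, set())
        if not present:
            findings.append(f"{vid}: {pkg} no longer in SBOM; ignore entry is stale")
        elif ver not in present:
            findings.append(f"{vid}: {pkg}@{ver} replaced by {sorted(present)}; re-assess advisory")
    return findings


def with_version(text: str, name: str, new_version: str) -> str:
    """Copy of the SBOM JSON with `name` at `new_version` (simulates a polkadot-sdk bump)."""
    bom = json.loads(text)
    for c in bom["components"]:
        if c["name"] == name:
            c["version"] = new_version
    return json.dumps(bom)


if __name__ == "__main__":
    sbom = parse_sbom(SBOM_JSON)
    for path in dependency_paths(sbom, "node", "wasmtime"):
        print("pinned via:", " -> ".join(path))
    for finding in check_ignores(sbom, IGNORES) or ["ignore list consistent with SBOM"]:
        print(finding)
```

Run it in the same job that produces the SBOM (sbom-scan-image.yml here), before the scanner is invoked, and fail the job on any finding; the stale-version finding is what turns the ignore into a reminder to re-read the advisory when polkadot-sdk is eventually upgraded.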

@NachoPal NachoPal requested a review from a team as a code owner April 10, 2026 10:02
@NachoPal NachoPal enabled auto-merge April 10, 2026 10:36
@NachoPal NachoPal added this pull request to the merge queue Apr 10, 2026
Merged via the queue into main with commit 74a95f8 Apr 10, 2026
31 checks passed
@NachoPal NachoPal deleted the nacho/ignore-wasmtime branch April 10, 2026 12:12
m2ux added a commit that referenced this pull request Apr 23, 2026
* ignore wasmtime

* chore: update security advisory ignores

* chore: npm audit fix

---------

Co-authored-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
Signed-off-by: Mike Clay <mike.clay@shielded.io>
m2ux added a commit that referenced this pull request Apr 23, 2026
* ignore wasmtime

* chore: update security advisory ignores

* chore: npm audit fix

---------

Co-authored-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
Signed-off-by: Mike Clay <mike.clay@shielded.io>
3 participants