
chore(audit): allow RUSTSEC-2026-0114 (wasmtime panic) — unblocks 2026-05-01 CI#1242

Merged
noahgift merged 1 commit into main from chore/audit-rustsec-2026-0114 on May 1, 2026

Conversation


@noahgift noahgift commented May 1, 2026


Summary

New RustSec advisory RUSTSEC-2026-0114 (published 2026-04-30) flags wasmtime 43.0.1 for a table allocation panic. Severity 5.9 (medium). Surfaced as ci / security: FAILURE on every PR opened on 2026-05-01 — blocks the entire current PR queue including the M32d discharge stack (#1222 #1226 #1228 #1232 #1238).

Triage

Same handling as the existing wasmtime advisory cluster (RUSTSEC-2026-0085/0086/0088/0089/0091/0092/0094/0096):

  • test-only dep (aprender-test-lib), not production
  • availability bug (panic), not RCE / memory safety
  • upgrade path: >=43.0.2 / >=44.0.1 — same path as the other 8 wasmtime advisories

Adding to ignore list with the same justification keeps consistency with the existing cluster.

Files

  • .cargo/audit.toml — adds RUSTSEC-2026-0114 after the existing wasmtime cluster
  • deny.toml — adds matching entry per "Mirrors deny.toml ignore list for consistency" comment

Test plan

  • cargo deny check advisories 2>&1 | grep -c RUSTSEC produces same count
  • FALSIFY-AUDIT-001 invariant maintained (audit.toml IDs == --ignore flags passed)

Refs

🤖 Generated with Claude Code

New advisory published 2026-04-30 against wasmtime 43.0.1 — table
allocation panic when exceeding the host's address space. Severity 5.9
(medium). Surfaced as a CI failure on every PR opened on 2026-05-01
(blocked all in-flight work).

Same handling as the existing wasmtime advisory cluster
(RUSTSEC-2026-0085/0086/0088/0089/0091/0092/0094/0096):

  - test-only dep (aprender-test-lib), not production
  - availability bug (panic), not RCE / memory safety
  - upgrade path: >=43.0.2 / >=44.0.1 — same path as the other 8

Both .cargo/audit.toml and deny.toml updated to keep them in sync per
"Mirrors deny.toml ignore list for consistency" comment in audit.toml.

This unblocks the entire 2026-05-01 PR queue including the M32d
discharge stack (#1222 #1226 #1228 #1232 #1238).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@noahgift noahgift enabled auto-merge (squash) May 1, 2026 14:41
@noahgift noahgift merged commit 625f6c0 into main May 1, 2026
11 checks passed
@noahgift noahgift deleted the chore/audit-rustsec-2026-0114 branch May 1, 2026 18:08
noahgift added a commit that referenced this pull request May 2, 2026
…d discharge audit-trail bump (#1078)

Source-of-truth bytes pushed by the companion repo. M22 paired-mirror
guard via pin.lock (sha256 byte-identity, will be refreshed in companion
PR).

Net change: bumps top-level contract YAML from v1.22.0 to v1.23.0 with
one new status_history entry (M35) recording M32d's functional discharge
on aprender main as commit 5235aae (#1228 squash).

What M35 records
================

  M32d numerical-parity bundle landed across multiple aprender PRs:
    #1222 (Step 2)        forward_qwen3_moe_traced diagnostic surface
    #1226 (Step 2.5)      `apr trace --payload` qwen3_moe dispatch
                          (squashed into #1222)
    #1242                 RUSTSEC-2026-0114 audit unblocker
    #1401 (Step 2 JSON)   `apr trace --json --payload` JSON output
                          (FAST PATH Step 2 exit-criterion shape)
    #1228 (THE BUNDLE)    Step 5 + 5b + 6 + 7 + regression test +
                          evidence — squashed into one commit on main:
                          - per-head Q/K RMSNorm in
                            forward_qwen3_moe (rank-3 prior, 15%)
                          - rope_theta 10K → 1M for qwen3_moe (rank-4
                            prior, 10%)
                          - chat template: qwen3_moe → ChatML
                            (no `<think>` injection)
                          - sync forward_qwen3_moe_traced with Step 5
                          - F-QW3-MOE-STEP5-001 regression test
                          - evidence/m32d-discharge-2026-05-01/

Live evidence on lambda-vector RTX 4090 against the 17.3 GB
Qwen3-Coder-30B-A3B-Instruct-Q4_K_M.gguf:

  $ apr run --prompt "What is 2+2?" --max-tokens 8
  Output: 2 + 2 = 4

  $ apr run --prompt "Capital of France:" --max-tokens 30
  Output: The capital of France is Paris.

  $ apr run --prompt "Translate to Spanish: Hello world" --max-tokens 30
  Output: ¡Hola mundo!

  $ apr run --prompt "Solve x^2 - 5x + 6 = 0:" --max-tokens 30
  Output: I need to solve the quadratic equation x² - 5x + 6 = 0.
          I can solve this by factoring.

Output transition timeline:
  pre-fix         "%%%%%%%%"
  + Step 5        "Human: What is 2+"
  + Step 5b       "Human: What is 2+2?"
  + Step 6        "2 + 2 = 4"

M34 FAST PATH actual cost: 5 PRs / ~6 hours wall — **lucky-case bound**
of the 4-6 PRs / 2-3 days estimate.

What M35 does NOT discharge
============================

  - Cosine vs HF FP16 measurement (operator-confirm — ~60 GB download).
    The formal flip of `qwen3-moe-forward-v1` v1.3.0 DRAFT → v1.4.0
    ACTIVE_RUNTIME waits on that measurement.
  - GPU MoE path (no forward_qwen3_moe_gpu; CUDA/wgpu kernels TBD).
  - Other Qwen3-MoE variants.

Refs aprender commit 5235aae (#1228)
Refs companion M34 (v1.21.0 → v1.22.0 plan)
Refs PMAT-CCPA-PARITY-001
Refs M22 paired-mirror invariant

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
