Conversation


@octo-sts octo-sts bot commented Nov 14, 2025

zed/0.212.5-r0: fix GHSA-hc7m-r6v8-hg9q

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/zed.advisories.yaml


"Breadcrumbs" for this automated service


octo-sts bot commented Nov 14, 2025

🔢 Build Failed: Dependency Version Mismatch

failed to select a version for the requirement wasmtime = "^29" candidate versions found which didn't match: 36.0.3 location searched: crates.io index required by package extension_host v0.1.0 (/home/build/crates/extension_host)

Build Details

Category        Details
Build System    cargo/rust
Failure Point   rust/cargobump step during dependency version update

Root Cause Analysis 🔍

The cargobump tool attempted to update the wasmtime dependency from version 29.0.1 to 36.0.3, but the extension_host package has a dependency constraint that requires wasmtime version ^29 (compatible with 29.x.x). Version 36.0.3 is a major version increment that breaks compatibility with the ^29 constraint, causing cargo to fail to resolve dependencies.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: Cargo.toml (in extension_host crate)

  • version_constraint_update at line N/A (location depends on exact Cargo.toml structure) (dependencies section)
    Original:
      wasmtime = "^29"
    Replacement:
      wasmtime = "^36"
    Content:
      Update the wasmtime dependency constraint to accept version 36.x.x

Analysis

No similar build failures were provided for analysis, but the error is clear: the cargobump step attempted to update wasmtime from version 29.0.1 to 36.0.3, but the extension_host package has a dependency constraint requiring wasmtime version ^29 (compatible with 29.x.x only). Version 36.0.3 represents a major version bump that breaks semver compatibility with the ^29 constraint, causing cargo dependency resolution to fail.


Explanation

The root cause is a semver compatibility issue where the cargobump tool updated wasmtime to version 36.0.3, but the extension_host package still has a dependency constraint of ^29, which only allows versions 29.x.x. The fix involves updating the version constraint in the extension_host package's Cargo.toml to ^36, which will allow wasmtime 36.x.x versions. This is a standard approach for handling major version updates in Rust dependencies. Since wasmtime 36 represents a major version bump from 29, there may be breaking API changes that require code updates in extension_host, but the constraint update is the first necessary step to resolve the dependency resolution failure.


Alternative Approaches

  • Pin wasmtime to a specific 29.x.x version (e.g., wasmtime = "=29.0.1") to avoid the major version update, but this goes against Wolfi's principle of keeping packages up to date
  • Downgrade wasmtime back to 29.x.x in the cargobump process, but this also contradicts the goal of staying current with upstream releases
  • Update the dependency constraint to a more flexible range like wasmtime = ">=29, <37" to allow both versions during transition, though this may cause confusion about which version is actually being used

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Nov 14, 2025
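The bot comment above attributes the failure to cargo's caret requirement semantics: `^29` means `>=29.0.0, <30.0.0`, so the single candidate `36.0.3` in the index cannot satisfy it. The following is an added example, not code from the octo-sts bot, the zed project, wolfi-dev or cargo itself: a small Rust model of cargo's requirement matching (caret `^` and bare versions, exact `=`, and `>=`/`<` comparators, which are the forms that appear in the suggestions above) that reproduces the "failed to select a version" outcome against a constructed index snapshot and shows which of the suggested constraints would admit 36.0.3. The caret rule for `0.x` versions is included so the example covers the general cargo behaviour, not only the `^29` case on this page.

```rust
// Added example (not from the bot, zed or wolfi-dev): a minimal model of how
// cargo decides whether a candidate version satisfies a Cargo.toml requirement.
// Only the requirement forms used in the comment above are supported:
// "^29", "36" (bare == caret), "=29.0.1" and ">=29, <37". No "~", "*" or "<=".

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

/// Parse "36.0.3", "29.0" or "29". Also returns how many components were
/// written, because cargo's caret rule depends on that for 0.x versions.
pub fn parse_version(s: &str) -> Option<(Version, usize)> {
    let parts: Vec<&str> = s.trim().split('.').collect();
    if parts.is_empty() || parts.len() > 3 {
        return None;
    }
    let mut nums = [0u64; 3];
    for (i, p) in parts.iter().enumerate() {
        nums[i] = p.parse().ok()?;
    }
    Some((Version { major: nums[0], minor: nums[1], patch: nums[2] }, parts.len()))
}

/// One comparator of a requirement; a requirement is the conjunction of these.
#[derive(Debug, Clone, Copy)]
pub enum Cmp {
    Ge(Version), // >= v (inclusive lower bound)
    Lt(Version), // <  v (exclusive upper bound)
    Eq(Version), // == v (exact pin)
}

/// Cargo's caret rule: the leftmost non-zero component (or the last written
/// component, if every written component is zero) must not change.
/// ^29 -> >=29.0.0, <30.0.0 ; ^0.2.3 -> >=0.2.3, <0.3.0 ; ^0.0.3 -> <0.0.4
fn caret(v: Version, written: usize) -> Vec<Cmp> {
    let upper = if v.major > 0 || written == 1 {
        Version { major: v.major + 1, minor: 0, patch: 0 }
    } else if v.minor > 0 || written == 2 {
        Version { major: 0, minor: v.minor + 1, patch: 0 }
    } else {
        Version { major: 0, minor: 0, patch: v.patch + 1 }
    };
    vec![Cmp::Ge(v), Cmp::Lt(upper)]
}

/// Parse a requirement string such as "^29", "36", "=29.0.1" or ">=29, <37".
pub fn parse_req(s: &str) -> Option<Vec<Cmp>> {
    let mut cmps = Vec::new();
    for part in s.split(',') {
        let part = part.trim();
        if let Some(rest) = part.strip_prefix(">=") {
            cmps.push(Cmp::Ge(parse_version(rest)?.0));
        } else if let Some(rest) = part.strip_prefix('<') {
            cmps.push(Cmp::Lt(parse_version(rest)?.0));
        } else if let Some(rest) = part.strip_prefix('=') {
            cmps.push(Cmp::Eq(parse_version(rest)?.0));
        } else {
            // A bare "29" is the same as "^29" in cargo.
            let rest = part.strip_prefix('^').unwrap_or(part);
            let (v, written) = parse_version(rest)?;
            cmps.extend(caret(v, written));
        }
    }
    Some(cmps)
}

/// True when every comparator of the requirement accepts the candidate.
pub fn matches(req: &[Cmp], candidate: Version) -> bool {
    req.iter().all(|c| match *c {
        Cmp::Ge(v) => candidate >= v,
        Cmp::Lt(v) => candidate < v,
        Cmp::Eq(v) => candidate == v,
    })
}

/// Mimic cargo's selection: the highest candidate that satisfies the
/// requirement, or None, which is the "failed to select a version" case.
pub fn select(req_str: &str, candidates: &[&str]) -> Option<Version> {
    let req = parse_req(req_str)?;
    candidates
        .iter()
        .filter_map(|c| parse_version(*c).map(|(v, _)| v))
        .filter(|v| matches(&req, *v))
        .max()
}

fn main() {
    // Constructed index snapshot: after cargobump only 36.0.3 is available,
    // matching the "candidate versions found which didn't match: 36.0.3" line.
    let index = ["36.0.3"];
    for req in ["^29", "^36", "=29.0.1", ">=29, <37"] {
        match select(req, &index) {
            Some(v) => println!("{req:>12} -> selected {}.{}.{}", v.major, v.minor, v.patch),
            None => println!("{req:>12} -> no candidate matches (resolution fails)"),
        }
    }
}
```

Running `main` shows `^29` and `=29.0.1` rejecting the only candidate while `^36` and `>=29, <37` accept it. From a supply-chain standpoint the caret constraint is doing its job here: it stops a major-version change from being pulled in silently, and the bump to `^36` is the explicit, reviewable step the comment recommends. The wider `>=29, <37` range trades that guardrail for flexibility, which is the ambiguity the "Alternative Approaches" section warns about.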