From e75778c5109df53f448a66c4186ec730e4b98914 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts@users.noreply.github.com>
Date: Tue, 10 Dec 2024 14:08:12 +0000
Subject: [PATCH 1/2] wasmtime/27.0.0-r0: fix GHSA-h97m-ww89-6jmq
---
 wasmtime.yaml | 4 +++-
 wasmtime/cargobump-deps.yaml | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 wasmtime/cargobump-deps.yaml

diff --git a/wasmtime.yaml b/wasmtime.yaml
index d4a27bc757c..ec899f2ac38 100644
--- a/wasmtime.yaml
+++ b/wasmtime.yaml
@@ -1,7 +1,7 @@
 package:
 name: wasmtime
 version: 27.0.0
- epoch: 0
+ epoch: 1
 description: "A fast and secure runtime for WebAssembly"
 copyright:
 - license: Apache-2.0
@@ -25,6 +25,8 @@ pipeline:
 tag: v${{package.version}}
 expected-commit: 8eefa236f8ef0cc766977e0c0cbb0d602132dfa4
 
+ - uses: rust/cargobump
+
 - name: Configure and build
 runs: |
 git submodule update --init
diff --git a/wasmtime/cargobump-deps.yaml b/wasmtime/cargobump-deps.yaml
new file mode 100644
index 00000000000..9d6748d08d2
--- /dev/null
+++ b/wasmtime/cargobump-deps.yaml
@@ -0,0 +1,3 @@
+packages:
+ - name: idna
+ version: 1.0.0

From 7f3a4db31fbc06fd2c8e707a31d4feda4800b18b Mon Sep 17 00:00:00 2001
From: Hunter Harris
Date: Mon, 6 Jan 2025 15:28:34 -0500
Subject: [PATCH 2/2] Updated url package to allow newer version of idna to fix CVE
---
 wasmtime/cargobump-deps.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/wasmtime/cargobump-deps.yaml b/wasmtime/cargobump-deps.yaml
index 9d6748d08d2..99c78794363 100644
--- a/wasmtime/cargobump-deps.yaml
+++ b/wasmtime/cargobump-deps.yaml
@@ -1,3 +1,4 @@
 packages:
- - name: idna
- version: 1.0.0
+ # Newer version of url pulls in newer version of idna necesary to fix GHSA-h97m-ww89-6jmq CVE
+ - name: url
+ version: 2.5.4
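Review bot: The added `- uses: rust/cargobump` step in the pipeline hunk carries no explanation of why it exists or which crates it bumps, so a reader of wasmtime.yaml has to discover the sidecar file and the advisory by convention. A one-line comment above the step would make the security intent auditable: `# Bump vulnerable transitive crates listed in wasmtime/cargobump-deps.yaml (GHSA-h97m-ww89-6jmq)`. The placement — after the `expected-commit`-pinned checkout and before `Configure and build` — looks right for rewriting Cargo.lock before the build reads it, assuming the bump tool does not itself need the submodules that the next step initialises. The `pipeline:` list starts and continues outside this hunk.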
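Review bot: The new entry fixes GHSA-h97m-ww89-6jmq only indirectly — it bumps `url` to 2.5.4 and relies on that release resolving a patched `idna`, but nothing in this file states or checks the idna version that must result (the first commit had pinned `idna` 1.0.0 as the fixed version). Cargo allows several major versions of one crate to coexist in Cargo.lock, so if any other dependency path still pulls an older idna it stays in the build even though url now uses the new one and the advisory is recorded as fixed. I would keep an explicit idna entry next to url at the version url 2.5.4 actually resolves, and verify the resulting lockfile with `cargo tree -i idna` (or `cargo audit`) before closing the advisory. The comment also has a typo and a misnomer — a GHSA identifier is not a CVE — so I would rewrite it as `# url 2.5.4 depends on a patched idna, necessary to fix GHSA-h97m-ww89-6jmq` and cite the actual CVE only if one has been assigned.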