yara-x: cherry-pick upgrade of wasmtime to fix CVE-2026-35195 (#72424)

brianmcarey · brianmcarey · commit 3e79e047bb61 · 2026-04-22T14:50:44.000+01:00
Signed-off-by: Brian Carey &lt;brian.carey@chainguard.dev&gt;

Export:  9f15f820c8d3ee67551d3957ab683339abd7e944
diff --git a/yara-x.yaml b/yara-x.yaml
@@ -1,7 +1,7 @@
 package:
   name: yara-x
   version: "1.15.0"
-  epoch: 1
+  epoch: 2 # GHSA-394w-hwhg-8vgm
   description: "A rewrite of YARA in Rust."
   copyright:
     - license: BSD-3-Clause
@@ -28,10 +28,8 @@ pipeline:
       repository: https://github.com/VirusTotal/yara-x
       expected-commit: 71e1b4e0d9ca5a050d98a8db5ef3788d5ff00e36
       tag: v${{package.version}}
-
-  - uses: rust/cargobump
-    with:
-      packages: wasmtime@40.0.4
+      cherry-picks: |
+        main/178e2d697a88f6d8fc7a2fc0bc8c1b70af0d71b4: upgrade wasmtime to 43.0.1 (fixes GHSA-394w-hwhg-8vgm and 11 related CVEs)
 
   - name: Build base yara tool
     uses: cargo/build
