Skip to content

deps(rust): update typst-kit requirement from 0.14 to 0.15 in /native/typst-ffi#8

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/native/typst-ffi/typst-kit-0.15
Open

deps(rust): update typst-kit requirement from 0.14 to 0.15 in /native/typst-ffi#8
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/native/typst-ffi/typst-kit-0.15

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 16, 2026

Copy link
Copy Markdown
Contributor

Updates the requirements on typst-kit to permit the latest version.

Release notes

Sourced from typst-kit's releases.

Version 0.14.2 (December 12, 2025)

View changelog with links into the documentation on typst.app/docs

Security

  • Updated the WebAssembly runtime used for executing plugins. The version used in Typst 0.14.0 and 0.14.1 suffers from a memory handling vulnerability. Based on our investigation, the vulnerability would be very hard to exploit in practice, but an exploit could theoretically be feasible. In any case, we recommend upgrading to Typst 0.14.2. This holds in particular for local users. In the web app, the bug is not critical as the browser offers an extra layer of protection.

    Typst 0.13.1 and below are not affected by this vulnerability.

    Technical details: The wasmi WebAssembly runtime versions used in 0.14.0 and 0.14.1 have a use-after-free memory handling bug in certain memory growth situations. Specifically, the bug occurs when the plugin tries to grow its memory, but allocating the requested amount of memory fails. Based on our investigation, the bug is hard to trigger in practice as the WebAssembly linear memory is always limited to 4GB on a technical level and modern operating systems rarely fail to serve a 4GB memory allocation request (typically not even under RAM pressure). Once the bug is triggered, it would also still be very challenging to turn it into an actual exploit. Regardless, we recommend upgrading to Typst 0.14.2 for protection against a potential exploit.

Diagnostics

  • Added a hint when array.sorted fails because a pair of elements could not be compared. This hint aids with fixing bugs in user code that were surfaced by a change in internal sorting behavior in Typst 0.14.1.

Contributors

Thanks to everyone who contributed to this release: @​Andrew15-5, @​cady-b, @​ecstrema, @​saecki, @​ultimatile.

Commits

@dependabot @github

dependabot Bot commented on behalf of github Jun 16, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: dependencies, rust. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Updates the requirements on [typst-kit](https://github.com/typst/typst) to permit the latest version.
- [Release notes](https://github.com/typst/typst/releases)
- [Commits](typst/typst@v0.14.0...v0.14.2)

---
updated-dependencies:
- dependency-name: typst-kit
  dependency-version: 0.14.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/cargo/native/typst-ffi/typst-kit-0.15 branch from bddadaa to d6e3b92 Compare June 27, 2026 15:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants