RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Project: wasmCloudClear ×

wasmCloud

Orchestration & ManagementJun 30, 2026

wasmCloud v2.5.0 is a feature release centered on the wasmtime 46 upgrade with wasip3 enabled by default, alongside a breaking change to the keyvalue bucket WIT interface and a medium-severity quinn-proto security fix. The rest of the release adds new async keyvalue/blobstore interfaces, operator hardening, and various runtime and tooling fixes.

  • securityquinn-proto security fix (RUSTSEC-2026-0185)

    Applies if you build or update wasmCloud from source or run dependency scans: quinn-proto is patched for RUSTSEC-2026-0185 (medium) in this release. Upgrade to pick up the fix; no application code changes needed.

  • breakingkeyvalue bucket moved to shared types interface

    Applies if any component uses the wasmcloud:keyvalue interface: the bucket type moved out of the inline interface definition into a shared types interface. Components and providers built against the old wasmcloud:keyvalue WIT must update their bindings and regenerate code before upgrading.

  • breakingwasmtime 46 with wasip3 enabled by default

    Applies to all components running on this runtime: wasmtime is now 46 and wasip3 support is on by default. Test existing components against the new runtime before rolling out broadly, especially anything sensitive to wasip3 behavior changes.

Key changes (7)
  • Runtime upgraded to wasmtime 46 with wasip3 enabled by default, plus new wasip3 cross-component streaming via a dynamic linker
  • Breaking WIT change: wasmcloud:keyvalue bucket now shared via a types interface instead of being defined inline per interface
  • Security fix for RUSTSEC-2026-0185 in quinn-proto (medium severity)
  • New async wasmcloud:keyvalue and wasmcloud:blobstore WIT interfaces added; wasi:keyvalue, wasmcloud:postgres, and wasmcloud:messaging/consumer can now be multiplexed via (implements ..) imports
  • End-to-end operator implementation added, with the runtime-operator Helm chart linted and hardened, and operator caching fixed to use server-side apply correctly
  • wash-runtime engine config is now composable via WasmProposal, surfaced to CLI and chart; wash-runtime also fixes P3 HTTP response streaming and gRPC body cleanup on timeout
  • Several smaller fixes and tooling improvements: WIT validation for package-level refs and version-specifier removal, wash new path handling on Windows, multiline world declarations in wash wit add, ephemeral task cleanup via AbortOnDrop, and CI updates (CARGO_NET_RETRY, s390x builds, namespaced OCI WIT publishing)
Source

wasmCloud

Orchestration & ManagementJun 3, 2026

v2.3.0 ships workload env/config/secrets management in wash, wasmtime 45 upgrade with security patches, and improved OTel tracing across workloads and HTTP spans.

  • securityApply wasmtime 45 upgrade and dependency security patches immediately

    This release includes two wasmtime bumps: 44.0.2 was a targeted security patch, and 45 followed shortly after. On top of that, additional dependency security advisories were patched separately. If you're running wasmCloud in production, upgrade to v2.3.0 now rather than waiting — the cumulative security surface covered here is non-trivial.

  • enhancementScope Kubernetes RBAC to namespaces instead of cluster-wide

    The runtime.wasmcloud.dev apiGroup RBAC can now be namespaced rather than cluster-scoped. If you're running the wasmCloud operator in multi-tenant Kubernetes clusters, revisit your RBAC configuration and tighten it to namespace scope where possible. This is a meaningful security posture improvement for shared clusters.

  • enhancementStart using wash workload env/config/secrets for structured configuration

    Configuration and secrets management is now surfaced directly in the wash CLI. This is the workflow shift wasmCloud has been building toward — rather than managing config out-of-band, you can now handle env vars, config, and secrets as first-class workload concerns. Check the new otel-config example in the repo to see the intended pattern before adopting it in production.

Key changes (5)
  • wash now supports workload environment variables, config, and secrets management directly from the CLI
  • wasmtime upgraded from 44.0.2 (security patch) to 45 — two wasmtime bumps in one release cycle
  • HTTP response status codes are now recorded on request spans, making OTel traces more actionable
  • RBAC for runtime.wasmcloud.dev apiGroup can now be scoped to namespace rather than cluster-wide
  • WASI OTel RC2 integrated, and a wasip3 canary image is now built and published via CI
Source

wasmCloud

Orchestration & ManagementMay 7, 2026

wasmCloud v2.1.0 delivers operator reliability fixes, plugin support in services, and a wave of CI security hardening — a solid incremental release with a few operator-side changes worth watching.

  • securityBump wasmtime and run cargo audit in your own builds

    wasmtime was bumped alongside the removal of rustls-pemfile and the addition of cargo audit to the build pipeline. If you build wasmCloud components from source or maintain forks, add cargo audit to your own CI now. The dependency surface for WASM runtimes shifts fast, and catching advisories early matters.

  • breakingOperator readiness behavior changed — review your health checks

    The operator now only marks WorkloadDeployment as Ready when replicas are actually available. If your CI/CD pipelines or monitoring poll readiness status, they'll behave more correctly — but any tooling that relied on the previous optimistic Ready state may see deployments appear 'stuck' longer. Validate your rollout timeout thresholds after upgrading.

  • enhancementPlugin support in services opens new extension patterns

    Services now support plugins, which means you can attach custom behavior at the service layer without forking core components. If you've been waiting to extend service behavior in a maintainable way, this is the release to experiment with. Start by reviewing the updated service plugin API in the docs before designing new integrations.

Key changes (5)
  • WorkloadDeployment readiness now gates on actual replica availability, fixing misleading 'Ready' states in the operator
  • NATS subscription workload readiness fixed — previously reported ready before subscriptions were actually established
  • Plugin support added to services, expanding extensibility for service-layer customization
  • wasmtime bumped and cargo audit added for ongoing supply chain security hygiene
  • OpenSSF Scorecard and CodeQL workflows added to CI, alongside broader zizmor-based hardening
Source

wasmCloud

Orchestration & ManagementMay 5, 2026

A maintenance release focused on operator reliability, security hardening, and CI improvements. Key fixes address NATS workload readiness and Kubernetes operator deployment status accuracy.

  • securityWasmtime bump + cargo audit added — review your own Wasm supply chain

    This release bumps wasmtime and drops rustls-pemfile, while adding cargo audit to CI. If you're building custom wasmCloud components or providers in Rust, add cargo audit to your own pipelines now. The removal of rustls-pemfile suggests a dependency consolidation — check if any of your code directly imports it and update accordingly.

  • breakingOperator WorkloadDeployment readiness semantics changed

    The Ready condition on WorkloadDeployment now reflects actual replica availability rather than just the existence of the deployment. Any automation or health checks that relied on Ready=True firing quickly after deployment creation will now correctly wait for replicas to be up. Review any CD pipelines or readiness probes that poll WorkloadDeployment status — they should now behave more accurately, but may appear 'slower' to reach Ready.

  • enhancementNATS subscription readiness fix reduces false-positive healthy states

    Previously, hosts could report as ready before NATS subscriptions were actually established. After this fix, readiness is tied to actual subscription availability. If you're running wasmCloud in Kubernetes and using readiness gates or traffic routing based on host health, upgrade to get accurate readiness signals and avoid routing traffic to hosts that aren't yet fully connected.

Key changes (5)
  • Fixed NATS subscription workload readiness checks — hosts now correctly report ready state based on actual NATS sub availability
  • Kubernetes operator WorkloadDeployment Ready status now gates on actual replica availability, not just deployment creation
  • Bumped wasmtime, dropped rustls-pemfile, and added cargo audit to the build pipeline for supply chain security
  • HTTP router now returns typed RouteError with accurate HTTP status codes instead of generic errors
  • Upgraded async-nats to 0.47 and Go to 1.26 across the codebase
Source

wasmCloud

Orchestration & ManagementMay 1, 2026

A maintenance release focused on operator reliability, NATS subscription readiness, and security dependency bumps — no API changes, but a few fixes matter in production.

  • securityUpgrade to pick up wasmtime security bump and new audit pipeline

    wasmtime was bumped and rustls-pemfile was removed as a dependency in this release. cargo audit has also been wired into CI, meaning future vulnerabilities in the dependency tree will be caught earlier. If you're running 2.0.5 or earlier, upgrade now — there's no reason to stay on an older wasmtime in a Wasm runtime.

  • breakingOperator readiness behavior changed — review your health checks and rollout strategies

    WorkloadDeployment Ready status is now gated on replica availability, not just the existence of a deployment object. If your CI/CD pipelines or monitoring systems check for the Ready condition to gate traffic or proceed with rollouts, they'll now see a more accurate (and potentially longer) 'not ready' window. Verify your rollout wait conditions and alerting thresholds won't false-alarm during normal startup.

  • enhancementNATS subscription readiness fix — relevant if you've seen premature ready signals

    The fix for NATS subscription workload readiness means the host now correctly waits before reporting ready. If you've dealt with race conditions at startup where components tried to subscribe before NATS connections were fully established, this should resolve those. No config changes needed — just upgrade and validate your startup sequence behaves as expected.

Key changes (5)
  • HTTP routing now returns typed RouteError with accurate HTTP status codes instead of generic errors
  • Operator WorkloadDeployment readiness is now gated on actual replica availability, not just deployment creation
  • Fixed workload readiness detection for NATS subscriptions — previously could report ready prematurely
  • wasmtime bumped, rustls-pemfile dropped, and cargo audit added to the CI pipeline for ongoing vulnerability scanning
  • async-nats upgraded to 0.47 and Go runtime upgraded to 1.26
Source

wasmCloud

Orchestration & ManagementApr 24, 2026

Patch release upgrading to Wasmtime 44 and fixing a pooling allocator crash, plus new glibc builds for GPU workloads on Linux.

  • securityUpgrade if you hit pooling allocator crashes — the fix prevents silent failures

    The pooling allocator was being enabled without checking whether the host hardware actually supports it, which could cause runtime crashes or unpredictable memory behavior. If you've seen wash-runtime instability on certain host types, this fix directly addresses that. Upgrade and monitor memory allocation behavior post-deploy.

  • breakingTest Wasmtime 44 upgrade in staging before rolling to production

    Wasmtime 44 is a major version bump for the underlying runtime. While wasmCloud wraps it, Wasmtime releases frequently carry behavior changes in memory handling, WASI interfaces, or component model semantics. Validate your component workloads in a non-production environment before upgrading clusters.

  • enhancementGPU workloads on Linux now have proper glibc builds — start testing if relevant

    If you're running or planning wasmCloud workloads that touch GPU features on Linux, the new glibc builds resolve compatibility issues with standard Linux distributions that expect dynamically linked runtimes. Pull the new artifacts and validate against your target GPU host environment.

Key changes (4)
  • Wasmtime runtime upgraded to version 44
  • Pooling allocator is now probed for hardware support before being enabled, preventing crashes on unsupported systems
  • New glibc-linked builds added for Linux systems requiring GPU feature support
  • Minor patch with no API or configuration breaking changes
Source

wasmCloud

Orchestration & ManagementApr 14, 2026

v2.0.3 patches a NATS race condition, adds Kubernetes EndpointSlice support, hardens container security with non-root ownership, and expands Helm chart configurability.

  • securityUpgrade now: containers finally run as non-root by default

    Previous releases ran with root ownership, which is a container security red flag. This release sets non-root ownership by default. If you have volume mounts or init containers with root-dependent file permissions, test before rolling to production — you may need to adjust fsGroup or runAsUser settings in your pod specs.

  • breakingHelm chart image tag behavior changed — audit your values files

    The default image tag no longer falls back to a hardcoded value; it now uses the chart's appVersion. If you rely on overriding the tag in your values files, this likely works as-is. But if you were depending on the old default tag behavior for pinning, verify your deployed image versions after upgrading the chart.

  • enhancementEnable EndpointSlice support if running Kubernetes 1.21+

    EndpointSlice is the modern replacement for Endpoints and scales better with large service backends. If your cluster runs Kubernetes 1.21 or later, enable this feature — it reduces load on kube-apiserver and avoids the scaling limits of the classic Endpoints API. Check your Helm values for the new endpointslice configuration option.

Key changes (6)
  • Fixed a race condition in NATS subscriber initialization that could cause intermittent connection failures
  • Added Kubernetes EndpointSlice support for services — required for clusters with large service backends
  • Container ownership set to non-root, improving security posture out of the box
  • Helm chart now supports TLS configuration, custom annotations, and labels
  • Helm chart default image tag now derives from chart.yaml appVersion instead of a hardcoded value
  • WASIp3 support added behind a feature flag — experimental, not for production use yet
Source

wasmCloud

Orchestration & ManagementMar 22, 2026

wasmCloud v2.0.0 is the stable release of the v2 runtime, bringing HTTP/2+gRPC support, OpenTelemetry metrics, wasmtime 42, and a security fix for RUSTSEC-2026-0007.

  • securityPatch RUSTSEC-2026-0007 by upgrading immediately

    The lock file was updated to address RUSTSEC-2026-0007. If you're running any pre-v2.0.0 build, treat this as a mandatory upgrade. Check your supply chain tooling (cargo-audit, Dependabot) to confirm the vulnerable dependency is resolved in your environment.

  • breakingHelm users: CRD path changed, update your GitOps pipelines

    CRDs were moved from templates/crds to a top-level /crds directory. This is a structural change that will break ArgoCD, Flux, or any Helm-based GitOps pipeline that references the old path. Before upgrading, verify your Helm release and CI/CD tooling point to the new CRD location.

  • enhancementEnable metrics now — observability is first-class in v2

    OpenTelemetry metrics support is included out of the box. If you're already running an OTEL collector, wire up wasmCloud v2 to it and start collecting runtime metrics. This is the right time to establish baseline dashboards before rolling this to production, not after.

Key changes (6)
  • HTTP/2 and gRPC transport support added to the runtime
  • OpenTelemetry metrics support integrated for observability
  • Upgraded to wasmtime 42, the latest WebAssembly runtime engine
  • Security fix: lock file updated to address RUSTSEC-2026-0007
  • Helm chart CRDs moved from templates/crds to /crds directory — affects Helm deployments
  • wash CLI modernized to clap v4 idioms with improved help output
Source