SUSE-SU-2026:21789-1

Source
https://www.suse.com/support/update/announcement/2026/suse-su-202621789-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:21789-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/SUSE-SU-2026:21789-1
Upstream
Related
Published
2026-05-14T08:09:11Z
Modified
2026-05-28T18:24:00.509216826Z
Summary
Security update for tree-sitter
Details

This update for tree-sitter fixes the following issues:

Security issues:

  • CVE-2026-34941: wasmtime: crafted input string can lead to an out-of-bounds read (bsc#1261871).
  • CVE-2026-34942: wasmtime: unaligned pointers can lead to a denial of service (bsc#1261894).
  • CVE-2026-34943: wasmtime: lifting flags component value can lead to a denial of service (bsc#1261954).
  • CVE-2026-34944: wasmtime: out-of-bounds read during WebAssembly compilation can lead to a denial of service (bsc#1261963).
  • CVE-2026-34945: wasmtime: incorrectly translated table.size could lead to disclosing data (bsc#1262007).
  • CVE-2026-34946: wasmtime: denial of service due to WebAssembly compilation error (bsc#1261974).
  • CVE-2026-34987: wasmtime: winch compiler backend may allow a sandbox-escaping memory access (bsc#1262032).
  • CVE-2026-34988: wasmtime: pooling allocator instances can cause data leakage (bsc#1261968).
  • CVE-2026-35186: wasmtime: translating the table.grow operator can cause a masked return value (bsc#1262036).
  • CVE-2026-35195: wasmtime: transcoding strings can lead to an out-of-bounds write or a crash (bsc#1262040).

Changes for tree-sitter:

  • update to 0.26.8:

    • fix(generate): allow disabling qjs-rt feature from CLI by @WillLillis in #5448
    • fix(lib): document invariants that must be upheld for TSInputEdit by @WillLillis in #5452
    • fix(cli): correct typo in parse command's help text by @WillLillis in #5465
    • perf(cli): misc. improvements by @tree-sitter-ci-bot[bot] in #5476
    • Fix wasm loading of languages w/ multiple reserved word sets by @tree-sitter-ci-bot[bot] in #5477
    • generate: avoid panicking when a supertype only has hidden external token children by @tree-sitter-ci-bot[bot] in #5478
References

Affected packages