This update for tree-sitter fixes the following issues

Security issues:

- CVE-2026-34941: wasmtime: crafted input string can lead to an out-of-bound read (bsc#1261871).
- CVE-2026-34942: wasmtime: unaligned pointers can lead to a denial of service (bsc#1261894).
- CVE-2026-34943: wasmtime: lifting `flags` component value can lead to a denial of service (bsc#1261954).
- CVE-2026-34944: wasmtime: out-of-bounds read during WebAssembly compilation can lead to a denial of service
  (bsc#1261963).
- CVE-2026-34945: wasmtime: incorrectly translated table.size could lead to disclosing data (bsc#1262007).
- CVE-2026-34946: wasmtime: denial of service due to WebAssembly compilation error (bsc#1261974).
- CVE-2026-34987: wasmtime: winch compiler backend may allow a sandbox-escaping memory access (bsc#1262032).
- CVE-2026-34988: wasmtime: pooling allocator instances can cause data leakage (bsc#1261968).
- CVE-2026-35186: wasmtime: translating the table.grow operator can cause a masked return value (bsc#1262036).
- CVE-2026-35195: wasmtime: transcoding strings can lead to an out of bound write or a crash (bsc#1262040).

Changes for tree-sitter:

- update to 0.26.8:

 * fix(generate): allow disabling qjs-rt feature from CLI by @WillLillis in
 #5448
 * fix(lib): document invariants that must be upheld for TSInputEdit by
 @WillLillis in #5452
 * fix(cli): correct typo in parse command's help text by @WillLillis in #5465
 * perf(cli): misc. improvements by @tree-sitter-ci-bot[bot] in #5476
 * Fix wasm loading of languages w/ multiple reserved word sets by
 @tree-sitter-ci-bot[bot] in #5477
 * generate: avoid panicking when a supertype only has hidden external token
 children by @tree-sitter-ci-bot[bot] in #5478