Reduce directly owned Rust advisory exposure #2
Merged
The workspace still inherits unresolved Linux desktop advisories through the current Tauri stack, but the lockfile can still be tightened for the dependency branches this repo directly owns. Move the reqwest/quinn path onto rand 0.9.3 and refresh rustls-webpki so the remaining Dependabot triage is limited to upstream Tauri debt instead of stale local lockfile state.

Constraint: Current compatible Tauri Linux releases still resolve glib 0.18.x and tauri-utils rand copies
Rejected: Fork tauri-utils or replace Tauri for alert triage | too broad for this maintenance task
Confidence: medium
Scope-risk: narrow
Reversibility: clean
Directive: Revisit the dismissed GitHub alerts when Tauri publishes Linux stack updates for glib and rand advisories
Tested: cargo test --workspace; cargo audit; GitHub Dependabot open-alert query
Not-tested: packaged desktop runtime smoke test after the lockfile refresh
Summary
Cargo.lock: move the directly owned reqwest/quinn branch onto rand 0.9.3 and rustls-webpki to 0.103.12

Why
The lockfile still carried directly owned Rust dependency versions that could be tightened safely, even though the remaining Linux desktop advisories are inherited from the current upstream Tauri stack.
Impact
This narrows the advisory surface we own directly while keeping the workspace behavior unchanged. The remaining glib and tauri-utils advisory exposure still depends on upstream Tauri releases.

Validation
cargo test --workspace
cargo audit
[] after triage