Skip to content

chore(cargo)(deps): bump victauri-test from 0.8.4 to 0.8.5 in /src-tauri#229

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/src-tauri/victauri-test-0.8.5
Open

chore(cargo)(deps): bump victauri-test from 0.8.4 to 0.8.5 in /src-tauri#229
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/src-tauri/victauri-test-0.8.5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps victauri-test from 0.8.4 to 0.8.5.

Release notes

Sourced from victauri-test's releases.

v0.8.5

  • Harden 0.8.5 release readiness (#40) (6cc2d5b)
  • harden: pre-empt adversarial audit — close 11 verified Low/Med findings (no API change) (#39) (0243cc3)
  • release: 0.8.5 — docs correctness + honesty pass + victauri check tool-count fix (#38) (e6088ce)
  • fix(compat): clean 3-app green run + harness hardening (inject/diagnostics/window-show) (#37) (2b548a5)
  • fix: honest compat claim + compat-matrix drift + victauri check tool count (#36) (ccee316)
  • chore(vscode): bump extension to 0.8.4 (version-sync with 0.8.4 release) (#35) (21e52ae)
Changelog

Sourced from victauri-test's changelog.

[0.8.5] - 2026-06-20

A "fix all known issues before release" pass: ships the victauri check tool-count fix that landed after 0.8.4 was cut, plus a thorough documentation correctness + honesty sweep (two audit agents, every finding verified against the live code). No public Rust API change.

Fixed

  • victauri check no longer prints Tools: ?. get_plugin_info reports the tool count nested at tools.total, but cmd_check read a flat tool_count / bare-numeric tools — both miss, so it always showed ?. Extracted a tested parse_tool_count (reads tools.total, with the legacy shapes as fallbacks); 2 unit tests. (Crates: victauri-cli.)
  • Documentation code examples that would panic or not compile. mdbook examples aren't doctested, so several had drifted from the API:
    • Panicking: detect_ghost_commands results were indexed by non-existent keys (ghost_commands, ghosts) then .as_array().unwrap() — corrected to confirmed_ghosts (README, testing.md, testing-tauri-apps.md).
    • Won't compile: eval_js REST param expressioncode; the standalone assert_json_* helpers are synchronous and take &Value (were shown as awaited client methods); assert_windows_exist() takes no args; assert_dom_complete_under takes a Duration; smoke_test() / smoke_test_with_config(cfg) arity, SmokeConfig.max_dom_complete_ms (not max_load_ms), SmokeReport::passed_count()/total_count() (not .passed/.total); client.checkpoint / events_between / eval_js_in / register_command don't exist (use the recording tool / dom_snapshot_for / a webview_label field / .commands(&[…])); every .build() returns a Result (config snippets now .unwrap()).
    • Reference-table fixes: query_db and check_ipc_integrity return-key lists corrected to match the real output shapes.

Changed

  • Honest public claims. "the IPC history has no eval_js equivalent" was false (the IPC log is derived from the page's own fetch traffic) — reframed so the database and command registry are the AppHandle-only items, and the IPC log is noted as sharing the webview's fate. "a CDP-class tool can't attach at all" on WKWebView/WebKitGTK softened to the accurate "no Chrome DevTools Protocol surface" (those engines have their own, separate remote-inspector protocols). The registry-enumeration claim now notes it covers the #[inspectable] subset plus IPC-log mining. (Supersedes PR #17.)

Security

Pre-publish adversarial-audit hardening (four red-team passes; no Critical/High found; all changes internal, no public API or behavior change for normal callers):

  • DNS-rebinding Host guard tightened. is_localhost_host rejected a bracketed-IPv6 prefix that smuggled a non-localhost authority ([::1].evil.com), and accepted any :-suffix without validating it (localhost:notaport, [::1]:garbage). It now requires the port to parse as a u16 and matches localhost case-insensitively. (Defense-in-depth: the Origin guard already blocked the browser path.)
  • /health is now rate-limited. It was registered after the rate-limit layer (axum applies a layer only to routes registered before it), so it was un-throttled; it is now covered while staying auth-exempt for liveness probes.
  • query_db absolute-path branch opens the canonical validated path (it previously opened the

... (truncated)

Commits
  • 6cc2d5b Harden 0.8.5 release readiness (#40)
  • 0243cc3 harden: pre-empt adversarial audit — close 11 verified Low/Med findings (no A...
  • e6088ce release: 0.8.5 — docs correctness + honesty pass + victauri check tool-count ...
  • 2b548a5 fix(compat): clean 3-app green run + harness hardening (inject/diagnostics/wi...
  • ccee316 fix: honest compat claim + compat-matrix drift + victauri check tool count (#36)
  • 21e52ae chore(vscode): bump extension to 0.8.4 (version-sync with 0.8.4 release) (#35)
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [victauri-test](https://github.com/runyourempire/victauri) from 0.8.4 to 0.8.5.
- [Release notes](https://github.com/runyourempire/victauri/releases)
- [Changelog](https://github.com/4DA-Systems/Victauri/blob/main/CHANGELOG.md)
- [Commits](4DA-Systems/Victauri@v0.8.4...v0.8.5)

---
updated-dependencies:
- dependency-name: victauri-test
  dependency-version: 0.8.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot requested a review from runyourempire as a code owner July 6, 2026 06:11
@dependabot dependabot Bot added the rust Rust backend label Jul 6, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

rust Rust backend

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant