Skip to content

ci: ignore RUSTSEC-2026-0194/0195 (quick-xml via tauri→plist) — no upstream path yet#49

Merged
runyourempire merged 1 commit into
mainfrom
fix/audit-unblock-quickxml
Jul 4, 2026
Merged

ci: ignore RUSTSEC-2026-0194/0195 (quick-xml via tauri→plist) — no upstream path yet#49
runyourempire merged 1 commit into
mainfrom
fix/audit-unblock-quickxml

Conversation

@runyourempire

Copy link
Copy Markdown
Collaborator

Two 2026-06-29 advisories against transitive quick-xml 0.38.4 (quadratic duplicate-attribute check + unbounded namespace allocation, both DoS-class, severity 7.5) turned Security Audit + Dependency Checks red on every branch — including the docs-only #47 — through no change of ours.

No dependency bump can fix this today: patched quick-xml is >=0.41.0, but the newest plist (1.9.0) still pins ^0.39.2, and plist enters the tree via tauri/tauri-plugin/tauri-codegen.

Risk accepted with a dated justification in both .cargo/audit.toml and deny.toml (the files' own documented protocol): plist parses the app's own Apple property-list config at build/dev time — never attacker-controlled input — and Victauri is a debug-builds-only dev tool. Remove both ids when plist supports quick-xml>=0.41 and tauri picks it up.

Verified locally: cargo audit → warnings only (was error: 2 vulnerabilities found!); cargo deny check advisories → ok.

Unblocks #47 and #48 (re-run their failed checks after this merges).

🤖 Generated with Claude Code

https://claude.ai/code/session_01CsePmfHDMBKRNDLNb3TLD5

…stream path yet

Two 2026-06-29 advisories against transitive quick-xml 0.38.4 (quadratic
duplicate-attribute check + unbounded namespace allocation, both DoS-class)
turned CI red on every branch through no change of ours. Patched quick-xml
is >=0.41.0, but the newest plist (1.9.0) still pins ^0.39.2, so no
dependency bump can reach the fix today.

Risk accepted with justification (dated, in both files per the documented
protocol): plist parses the app's OWN Apple property-list config at
build/dev time — never attacker-controlled input — and Victauri is a
debug-builds-only dev tool. Remove both ids when plist supports
quick-xml>=0.41 and tauri picks it up.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01CsePmfHDMBKRNDLNb3TLD5
@runyourempire runyourempire merged commit 339fadf into main Jul 4, 2026
21 checks passed
@runyourempire runyourempire deleted the fix/audit-unblock-quickxml branch July 4, 2026 03:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant