ci: ignore RUSTSEC-2026-0194/0195 (quick-xml via tauri→plist) — no upstream path yet#49
Merged
Merged
Conversation
…stream path yet Two 2026-06-29 advisories against transitive quick-xml 0.38.4 (quadratic duplicate-attribute check + unbounded namespace allocation, both DoS-class) turned CI red on every branch through no change of ours. Patched quick-xml is >=0.41.0, but the newest plist (1.9.0) still pins ^0.39.2, so no dependency bump can reach the fix today. Risk accepted with justification (dated, in both files per the documented protocol): plist parses the app's OWN Apple property-list config at build/dev time — never attacker-controlled input — and Victauri is a debug-builds-only dev tool. Remove both ids when plist supports quick-xml>=0.41 and tauri picks it up. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01CsePmfHDMBKRNDLNb3TLD5
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two 2026-06-29 advisories against transitive quick-xml 0.38.4 (quadratic duplicate-attribute check + unbounded namespace allocation, both DoS-class, severity 7.5) turned Security Audit + Dependency Checks red on every branch — including the docs-only #47 — through no change of ours.
No dependency bump can fix this today: patched quick-xml is
>=0.41.0, but the newestplist(1.9.0) still pins^0.39.2, and plist enters the tree viatauri/tauri-plugin/tauri-codegen.Risk accepted with a dated justification in both
.cargo/audit.tomlanddeny.toml(the files' own documented protocol): plist parses the app's own Apple property-list config at build/dev time — never attacker-controlled input — and Victauri is a debug-builds-only dev tool. Remove both ids when plist supports quick-xml>=0.41 and tauri picks it up.Verified locally:
cargo audit→ warnings only (waserror: 2 vulnerabilities found!);cargo deny check advisories→ ok.Unblocks #47 and #48 (re-run their failed checks after this merges).
🤖 Generated with Claude Code
https://claude.ai/code/session_01CsePmfHDMBKRNDLNb3TLD5