Skip to content

Track quick-xml RustSec blocker in Tauri lockfile #26

Description

@saagpatel

Summary

Strict cargo audit is blocking workflow-only maintenance PRs because src-tauri/Cargo.lock contains vulnerable quick-xml versions.

Advisories

  • RUSTSEC-2026-0194: quick-xml quadratic duplicate-attribute checking
  • RUSTSEC-2026-0195: quick-xml namespace-declaration allocation DoS
  • Fixed line: quick-xml >=0.41.0

Current paths

From cargo tree --target all on current main:

  • quick-xml 0.38.4 via plist 1.8.0, pulled by tauri 2.9.5, tauri-codegen 2.5.2, and tauri-plugin 2.5.2
  • quick-xml 0.39.2 via wayland-scanner 0.31.9, pulled through Wayland clipboard dependencies from tauri-plugin-clipboard-manager 2.3.2

Upstream state checked

  • plist 1.9.0 still depends on quick-xml 0.39.2 and raises rust-version to 1.88.0
  • wayland-scanner 0.31.10 still depends on quick-xml 0.39
  • tauri 2.11.5 keeps rust-version 1.77.2 and depends on plist@1, but current latest plist does not reach the fixed quick-xml line

Impact

A fresh replacement for Dependabot #11 was opened as #25 and closed because Dependency + Secret Security Scans failed. npm audit passed, then strict cargo audit failed on this Rust lockfile blocker.

Recommended next action

Re-check upstream plist, wayland-scanner, and Tauri/plugin releases. When both quick-xml paths can resolve to >=0.41.0 without hand-patching incompatible transitive crates, update src-tauri/Cargo.lock, run:

cd src-tauri
cargo build --locked
cargo test --locked
cargo audit --no-fetch

Then retry the actions/checkout replacement for Dependabot #11.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions