Summary
Strict cargo audit is blocking workflow-only maintenance PRs because src-tauri/Cargo.lock contains vulnerable quick-xml versions.
Advisories
- RUSTSEC-2026-0194:
quick-xml quadratic duplicate-attribute checking
- RUSTSEC-2026-0195:
quick-xml namespace-declaration allocation DoS
- Fixed line:
quick-xml >=0.41.0
Current paths
From cargo tree --target all on current main:
quick-xml 0.38.4 via plist 1.8.0, pulled by tauri 2.9.5, tauri-codegen 2.5.2, and tauri-plugin 2.5.2
quick-xml 0.39.2 via wayland-scanner 0.31.9, pulled through Wayland clipboard dependencies from tauri-plugin-clipboard-manager 2.3.2
Upstream state checked
plist 1.9.0 still depends on quick-xml 0.39.2 and raises rust-version to 1.88.0
wayland-scanner 0.31.10 still depends on quick-xml 0.39
tauri 2.11.5 keeps rust-version 1.77.2 and depends on plist@1, but current latest plist does not reach the fixed quick-xml line
Impact
A fresh replacement for Dependabot #11 was opened as #25 and closed because Dependency + Secret Security Scans failed. npm audit passed, then strict cargo audit failed on this Rust lockfile blocker.
Recommended next action
Re-check upstream plist, wayland-scanner, and Tauri/plugin releases. When both quick-xml paths can resolve to >=0.41.0 without hand-patching incompatible transitive crates, update src-tauri/Cargo.lock, run:
cd src-tauri
cargo build --locked
cargo test --locked
cargo audit --no-fetch
Then retry the actions/checkout replacement for Dependabot #11.
Summary
Strict
cargo auditis blocking workflow-only maintenance PRs becausesrc-tauri/Cargo.lockcontains vulnerablequick-xmlversions.Advisories
quick-xmlquadratic duplicate-attribute checkingquick-xmlnamespace-declaration allocation DoSquick-xml >=0.41.0Current paths
From
cargo tree --target allon currentmain:quick-xml 0.38.4viaplist 1.8.0, pulled bytauri 2.9.5,tauri-codegen 2.5.2, andtauri-plugin 2.5.2quick-xml 0.39.2viawayland-scanner 0.31.9, pulled through Wayland clipboard dependencies fromtauri-plugin-clipboard-manager 2.3.2Upstream state checked
plist 1.9.0still depends onquick-xml 0.39.2and raises rust-version to 1.88.0wayland-scanner 0.31.10still depends onquick-xml 0.39tauri 2.11.5keeps rust-version 1.77.2 and depends onplist@1, but current latest plist does not reach the fixed quick-xml lineImpact
A fresh replacement for Dependabot #11 was opened as #25 and closed because
Dependency + Secret Security Scansfailed.npm auditpassed, then strictcargo auditfailed on this Rust lockfile blocker.Recommended next action
Re-check upstream
plist,wayland-scanner, and Tauri/plugin releases. When both quick-xml paths can resolve to>=0.41.0without hand-patching incompatible transitive crates, updatesrc-tauri/Cargo.lock, run:Then retry the actions/checkout replacement for Dependabot #11.