Context
The 2026-07 RustSec advisory refresh introduced quick-xml parser DoS advisories:
RUSTSEC-2026-0194
RUSTSEC-2026-0195
PR #133 reduced what we can fix directly today by moving document parser dependencies forward:
pdf-extract 0.10 -> 0.12, clearing the fixed lopdf advisory path
calamine 0.26 -> 0.35, moving spreadsheet parsing to the current upstream line
Remaining debt
cargo audit still needs temporary ignores for RUSTSEC-2026-0194 and RUSTSEC-2026-0195 because current upstream dependency lines still pull vulnerable quick-xml versions:
quick-xml@0.36.2 via docx-rs@0.4.20
quick-xml@0.39.4 via current calamine / Tauri plist
Acceptance criteria
calamine, docx-rs, plist, or Tauri expose quick-xml >= 0.41
docx-rs remains stale, consider replacing DOCX parsing with a small ZIP + XML extractor owned in-repo
RUSTSEC-2026-0194 / RUSTSEC-2026-0195 ignores from .github/workflows/security.yml
cargo audit --ignore RUSTSEC-2023-0071 passes without the quick-xml ignores