Track unresolved quick-xml RustSec advisories in document parsing stack #134

Description

@matthewod11-stack

Context

The 2026-07 RustSec advisory refresh introduced quick-xml parser DoS advisories:

  • RUSTSEC-2026-0194
  • RUSTSEC-2026-0195

PR #133 reduced what we can fix directly today by moving document parser dependencies forward:

  • pdf-extract 0.10 -> 0.12, clearing the fixed lopdf advisory path
  • calamine 0.26 -> 0.35, moving spreadsheet parsing to the current upstream line

Remaining debt

cargo audit still needs temporary ignores for RUSTSEC-2026-0194 and RUSTSEC-2026-0195 because current upstream dependency lines still pull vulnerable quick-xml versions:

  • quick-xml@0.36.2 via docx-rs@0.4.20
  • quick-xml@0.39.4 via current calamine / Tauri plist

Acceptance criteria

  • Re-check whether calamine, docx-rs, plist, or Tauri expose quick-xml >= 0.41
  • Prefer dependency upgrades over ignores
  • If docx-rs remains stale, consider replacing DOCX parsing with a small ZIP + XML extractor owned in-repo
  • Remove the RUSTSEC-2026-0194 / RUSTSEC-2026-0195 ignores from .github/workflows/security.yml
  • cargo audit --ignore RUSTSEC-2023-0071 passes without the quick-xml ignores
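
To make the first acceptance criterion checkable in isolation, the following is an added example (not code from this repository or its maintainers) that reads a Cargo.lock, finds every resolved copy of quick-xml below the 0.41.0 threshold named in the criteria, and lists which direct dependents pull each copy in. The embedded lockfile is a constructed sample modelled on the two dependency paths in this issue; the crate `example-fixed-consumer` and its quick-xml 0.41.0 are hypothetical stand-ins for a dependency that has already moved to a fixed line. The 0.41.0 cut-off is taken from this issue's acceptance criteria, not from the advisory text, and `cargo audit` remains the authoritative check.

```rust
// Added example: minimal Cargo.lock reader that reports which dependents
// still resolve a quick-xml version below the fix threshold.
// No crates beyond std; only the [[package]] subset of TOML is parsed.

/// Threshold from this issue's acceptance criteria ("quick-xml >= 0.41").
pub const FIXED_QUICK_XML: (u64, u64, u64) = (0, 41, 0);

/// One `[[package]]` entry from Cargo.lock.
#[derive(Debug, Clone, PartialEq)]
pub struct Package {
    pub name: String,
    pub version: String,
    /// (dependency name, version) - cargo only writes the version when more
    /// than one copy of that dependency is present in the lockfile.
    pub dependencies: Vec<(String, Option<String>)>,
}

/// Parse the `[[package]]` blocks cargo emits (multi-line `dependencies = [` form).
pub fn parse_lockfile(text: &str) -> Vec<Package> {
    let mut packages = Vec::new();
    let mut current: Option<Package> = None;
    let mut in_deps = false;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some(p) = current.take() { packages.push(p); }
            current = Some(Package { name: String::new(), version: String::new(), dependencies: Vec::new() });
            in_deps = false;
            continue;
        }
        let pkg = match current.as_mut() { Some(p) => p, None => continue };
        if in_deps {
            if line.starts_with(']') { in_deps = false; continue; }
            let spec = line.trim_end_matches(',').trim_matches('"');
            let mut parts = spec.split_whitespace();
            let name = parts.next().unwrap_or("").to_string();
            let version = parts.next().map(|s| s.to_string());
            pkg.dependencies.push((name, version));
        } else if let Some(v) = line.strip_prefix("name = ") {
            pkg.name = v.trim_matches('"').to_string();
        } else if let Some(v) = line.strip_prefix("version = ") {
            pkg.version = v.trim_matches('"').to_string();
        } else if line.starts_with("dependencies = [") {
            in_deps = !line.ends_with(']');
        }
    }
    if let Some(p) = current.take() { packages.push(p); }
    packages
}

/// Parse "MAJOR.MINOR.PATCH"; pre-release/build suffixes are dropped, so a
/// pre-release of the fixed version is treated as fixed (acceptable for a triage aid).
pub fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// For every copy of `crate_name` resolved below `fixed`, return
/// ("crate@version", sorted list of "dependent@version") that depend on it directly.
pub fn vulnerable_paths(packages: &[Package], crate_name: &str, fixed: (u64, u64, u64)) -> Vec<(String, Vec<String>)> {
    let copies = packages.iter().filter(|p| p.name == crate_name).count();
    let mut out = Vec::new();
    for pkg in packages.iter().filter(|p| p.name == crate_name) {
        let ver = match parse_semver(&pkg.version) { Some(v) => v, None => continue };
        if ver >= fixed { continue; }
        let mut dependents: Vec<String> = packages.iter()
            .filter(|p| p.dependencies.iter().any(|(n, v)| n == crate_name && match v {
                Some(v) => v == &pkg.version,
                None => copies == 1, // an unversioned spec is unambiguous only with one copy
            }))
            .map(|p| format!("{}@{}", p.name, p.version))
            .collect();
        dependents.sort();
        out.push((format!("{}@{}", crate_name, pkg.version), dependents));
    }
    out.sort();
    out
}

/// Constructed sample lockfile modelled on the paths in this issue;
/// `example-fixed-consumer` is a hypothetical crate already on quick-xml 0.41.0.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "app"
version = "0.1.0"
dependencies = [
 "calamine",
 "docx-rs",
 "example-fixed-consumer",
]

[[package]]
name = "calamine"
version = "0.35.0"
dependencies = [
 "quick-xml 0.39.4",
]

[[package]]
name = "docx-rs"
version = "0.4.20"
dependencies = [
 "quick-xml 0.36.2",
]

[[package]]
name = "example-fixed-consumer"
version = "1.0.0"
dependencies = [
 "quick-xml 0.41.0",
]

[[package]]
name = "quick-xml"
version = "0.36.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "quick-xml"
version = "0.39.4"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "quick-xml"
version = "0.41.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    // With no argument the constructed sample is checked; pass a path to check a real lockfile.
    let text = match std::env::args().nth(1) {
        Some(path) => std::fs::read_to_string(&path).expect("cannot read lockfile"),
        None => SAMPLE_LOCK.to_string(),
    };
    let report = vulnerable_paths(&parse_lockfile(&text), "quick-xml", FIXED_QUICK_XML);
    for (vuln, dependents) in &report {
        println!("{} pulled in by: {}", vuln, dependents.join(", "));
    }
    if !report.is_empty() { std::process::exit(1); }
}
```

Run with no arguments to see the sample report; pass the path to a real Cargo.lock to check a project. It exits non-zero while any copy below the threshold remains, so it can sit beside the `cargo audit` step until the ignores are removed. It only names direct dependents; `cargo tree -i quick-xml@0.36.2` shows the full path up to the workspace crate.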

Labels: security (Security vulnerability or hardening), tech-debt (Eligible for automated overnight fixing)