
fix: refresh Rust audit dependencies #133

Merged: matthewod11-stack merged 1 commit into main from fix/rust-audit-dependencies, Jul 3, 2026

Conversation

@matthewod11-stack (Owner)

Summary

  • bump pdf-extract from 0.10 to 0.12 to clear the fixed lopdf advisory path
  • bump calamine from 0.26 to 0.35 so spreadsheet parsing is on the current upstream line
  • document and temporarily ignore the unresolved upstream quick-xml advisories that still arrive through current calamine/docx-rs/Tauri plist releases

Verification

  • cargo test — 788 passed, 0 failed, 2 ignored
  • cargo audit --ignore RUSTSEC-2023-0071 --ignore RUSTSEC-2026-0194 --ignore RUSTSEC-2026-0195 — exits 0; warnings only
  • cargo metadata --no-deps — metadata parses

Notes

This does not pretend the quick-xml parser DoS advisory is gone. It reduces the dependency drift we can fix today and keeps the remaining upstream limitation explicit in the audit workflow instead of leaving main red.
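The verification step above runs cargo audit with three --ignore flags, and the Notes say the remaining advisories are kept explicit rather than forgotten. One check a practitioner would want around that pattern, added here as an example and not code from this PR or the project, is a small script that reports when an ignore has gone stale: it runs cargo audit --json without the ignores and buckets every reported advisory as still present and ignored, present and not ignored, or ignored but no longer reported. The ignore list is copied from the PR description; the JSON field names (vulnerabilities.list[].advisory.id, warnings.<kind>[].advisory.id) follow cargo-audit's --json output as I know it; the embedded sample audit is constructed, including a placeholder advisory RUSTSEC-0000-0000 and the assumption that RUSTSEC-2023-0071 has dropped out, purely to exercise each bucket.

```python
"""Stale-ignore check for a cargo audit workflow (added example, not project code).

cargo audit --ignore silences an advisory but never tells you when the ignore stopped
being necessary. This script runs `cargo audit --json` WITHOUT the --ignore flags and
sorts every reported advisory into three buckets:

  active     reported and ignored        -> the ignore is still doing work
  unhandled  reported and not ignored    -> the job should fail on these
  stale      ignored but not reported    -> an upstream fix landed, prune the ignore

Assumptions: the ignore list is copied from the PR's workflow; the JSON layout
(vulnerabilities.list[].advisory.id, warnings.<kind>[].advisory.id) follows
cargo-audit's --json output.
"""
import json
import subprocess
import sys

# IDs the workflow currently passes as --ignore (taken from the PR description).
WORKFLOW_IGNORES = frozenset({
    "RUSTSEC-2023-0071",
    "RUSTSEC-2026-0194",
    "RUSTSEC-2026-0195",
})


def reported_advisories(audit: dict) -> dict[str, str]:
    """Map advisory ID -> 'package version' for everything cargo audit reported.

    Vulnerabilities sit under vulnerabilities.list; warnings (unmaintained, unsound,
    yanked, ...) are grouped by kind under warnings. Yanked entries carry no advisory
    and are skipped.
    """
    entries = list(audit.get("vulnerabilities", {}).get("list", []))
    for kind_entries in audit.get("warnings", {}).values():
        entries.extend(kind_entries)
    found: dict[str, str] = {}
    for entry in entries:
        advisory = entry.get("advisory") or {}
        package = entry.get("package") or {}
        if advisory.get("id"):
            found[advisory["id"]] = f"{package.get('name', '?')} {package.get('version', '?')}"
    return found


def classify(audit: dict, ignores: frozenset[str]) -> dict[str, list[str]]:
    """Split reported and ignored advisory IDs into active / unhandled / stale."""
    reported = set(reported_advisories(audit))
    return {
        "active": sorted(reported & ignores),
        "unhandled": sorted(reported - ignores),
        "stale": sorted(ignores - reported),
    }


def run_cargo_audit(manifest_dir: str) -> dict:
    """Run cargo audit without --ignore so silenced advisories are still visible.

    cargo audit exits non-zero whenever it finds a vulnerability; that is expected
    here, so only the JSON on stdout is used.
    """
    proc = subprocess.run(["cargo", "audit", "--json"], cwd=manifest_dir,
                          capture_output=True, text=True, check=False)
    return json.loads(proc.stdout)


# Constructed sample shaped like `cargo audit --json`, trimmed to the fields used.
# It models the PR's situation (quick-xml advisories still reported transitively)
# plus two constructed cases: a placeholder RUSTSEC-0000-0000 that nobody ignored,
# and RUSTSEC-2023-0071 no longer reported, so its ignore shows up as stale.
SAMPLE_AUDIT = {
    "vulnerabilities": {
        "found": True,
        "count": 3,
        "list": [
            {"advisory": {"id": "RUSTSEC-2026-0194", "package": "quick-xml"},
             "package": {"name": "quick-xml", "version": "0.0.0-sample"}},
            {"advisory": {"id": "RUSTSEC-2026-0195", "package": "quick-xml"},
             "package": {"name": "quick-xml", "version": "0.0.0-sample"}},
            {"advisory": {"id": "RUSTSEC-0000-0000", "package": "example-crate"},
             "package": {"name": "example-crate", "version": "0.0.0-sample"}},
        ],
    },
    "warnings": {
        "yanked": [{"advisory": None,
                    "package": {"name": "example-yanked", "version": "0.0.0-sample"}}],
    },
}


def main() -> int:
    # src-tauri is where this PR's Cargo.toml lives; pass another path to override.
    manifest_dir = sys.argv[1] if len(sys.argv) > 1 else "src-tauri"
    buckets = classify(run_cargo_audit(manifest_dir), WORKFLOW_IGNORES)
    for name, ids in buckets.items():
        print(f"{name:10} {', '.join(ids) or '-'}")
    # Fail on unhandled advisories (cargo audit does that itself) and on stale ignores
    # (cargo audit does not: a leftover --ignore would hide that advisory again if the
    # lockfile ever drifts back to an affected version).
    return 1 if buckets["unhandled"] or buckets["stale"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as an extra step beside the existing cargo audit job; a non-zero exit on the stale bucket is the signal to delete an --ignore from the workflow, which is exactly the clean-up the Notes above leave for later.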

Copilot AI review requested due to automatic review settings July 3, 2026 22:18

Copilot AI left a comment


Pull request overview

This PR refreshes Rust dependencies and updates the security workflow so cargo audit stays green while explicitly documenting and temporarily ignoring remaining upstream quick-xml advisories.

Changes:

  • Bumped Rust parser dependencies (calamine to 0.35, pdf-extract to 0.12) to reduce dependency drift and clear fixed advisory paths.
  • Updated the GitHub Actions security workflow to ignore the currently unresolved quick-xml RustSec advisories and documented why they're still present transitively.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

Reviewed files:

  • src-tauri/Cargo.toml: Updates dependency versions for spreadsheet and PDF parsing crates.
  • .github/workflows/security.yml: Documents and applies cargo audit ignores for the remaining upstream quick-xml advisories.


@matthewod11-stack matthewod11-stack merged commit 356319f into main Jul 3, 2026
7 checks passed
@matthewod11-stack matthewod11-stack deleted the fix/rust-audit-dependencies branch July 3, 2026 22:22