From 206c690c7f6da196d70dc505efc58991b7554ca8 Mon Sep 17 00:00:00 2001
From: Matt OD
Date: Fri, 3 Jul 2026 15:18:30 -0700
Subject: [PATCH] fix: refresh Rust audit dependencies
---
 .github/workflows/security.yml | 13 ++++++++++++-
 src-tauri/Cargo.toml | 4 ++--
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 44de5e1..4588f8f 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -48,9 +48,20 @@ jobs:
 # sqlx-mysql driver even though we only enable the sqlite feature — the
 # MySQL code path is never invoked at runtime. Revisit when rsa publishes
 # a constant-time fix or sqlx-macros splits drivers behind features.
+ #
+ # --ignore RUSTSEC-2026-0194 / RUSTSEC-2026-0195: quick-xml parser DoS.
+ # Direct document-parser deps are upgraded below to remove the fixed
+ # lopdf advisory and older quick-xml@0.31 path. The remaining vulnerable
+ # quick-xml versions are transitive through current upstream releases of
+ # calamine/docx-rs/Tauri plist. Keep malformed-document parsing wrapped in
+ # catch_unwind and revisit when those crates expose quick-xml >= 0.41.
 - name: Run cargo audit
 working-directory: src-tauri
- run: cargo audit --ignore RUSTSEC-2023-0071
+ run: >- cargo audit
+ --ignore RUSTSEC-2023-0071
+ --ignore RUSTSEC-2026-0194
+ --ignore RUSTSEC-2026-0195
 npm-audit:
 name: npm audit (${{ matrix.name }})
diff --git a/src-tauri/Cargo.toml b/src-tauri/Cargo.toml
index 4aed356..582bd1f 100644
--- a/src-tauri/Cargo.toml
+++ b/src-tauri/Cargo.toml
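Review bot: The added comment block justifies ignoring RUSTSEC-2026-0194 and RUSTSEC-2026-0195 by keeping document parsing "wrapped in catch_unwind", but catch_unwind only contains panicking inputs — it does nothing for a parser DoS that shows up as unbounded CPU or memory use, and it is a no-op when the release profile builds with `panic = "abort"` (not visible in this hunk; worth confirming in src-tauri/Cargo.toml before relying on it). Suggest qualifying the comment, e.g. `# catch_unwind only covers panicking inputs; malformed-document parsing also needs an input size cap and a timeout.`, and noting that "upgraded below" refers to the Cargo.toml change in this patch, not to this workflow file. The two new `--ignore` flags have no built-in expiry, so the "revisit when those crates expose quick-xml >= 0.41" intent should be backed by a tracking issue reference in the comment, otherwise the suppression tends to outlive the reason for it. Since the comment states the remaining vulnerable paths are transitive, a second `cargo audit` step run without the ignores and marked `continue-on-error: true` would keep a newly introduced direct dependency on a vulnerable quick-xml from being masked by the same flags.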
@@ -44,10 +44,10 @@ jsonwebtoken = "9" # EdDSA / Ed25519 JWT verification for signed license respon
 # File parsing (CSV, Excel)
 csv = "1.3"
-calamine = "0.26"
+calamine = "0.35"
 # Document parsing
-pdf-extract = "0.10"
+pdf-extract = "0.12"
 docx-rs = "0.4.20"
 notify = { version = "7", features = ["macos_fsevent"] }
 notify-debouncer-full = "0.4" # Bundles notify 7 + an event debouncer that preserves Remove kinds (issue #38)