13 changes: 12 additions & 1 deletion .github/workflows/security.yml
Expand Up @@ -48,9 +48,20 @@ jobs:
# sqlx-mysql driver even though we only enable the sqlite feature — the
# MySQL code path is never invoked at runtime. Revisit when rsa publishes
# a constant-time fix or sqlx-macros splits drivers behind features.
#
# --ignore RUSTSEC-2026-0194 / RUSTSEC-2026-0195: quick-xml parser DoS.
# Direct document-parser deps are upgraded below to remove the fixed
# lopdf advisory and older quick-xml@0.31 path. The remaining vulnerable
# quick-xml versions are transitive through current upstream releases of
# calamine/docx-rs/Tauri plist. Keep malformed-document parsing wrapped in
# catch_unwind and revisit when those crates expose quick-xml >= 0.41.
- name: Run cargo audit
working-directory: src-tauri
run: cargo audit --ignore RUSTSEC-2023-0071
run: >-
cargo audit
--ignore RUSTSEC-2023-0071
--ignore RUSTSEC-2026-0194
--ignore RUSTSEC-2026-0195

npm-audit:
name: npm audit (${{ matrix.name }})
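Review bot: the mitigation described in the new comment for RUSTSEC-2026-0194 / RUSTSEC-2026-0195 ("Keep malformed-document parsing wrapped in catch_unwind") only covers a panic; if the quick-xml DoS is resource exhaustion (CPU or memory on a crafted document) rather than a panic, `catch_unwind` does not bound it, so please state which failure mode the advisories describe and, if it is exhaustion, pair the ignore with an input-size limit or timeout on the document-parsing path. Separately, both new `--ignore` flags are open-ended: `cargo audit` will keep silencing them after calamine/docx-rs/Tauri plist move to quick-xml >= 0.41, so link a tracking issue in the comment (as the existing RUSTSEC-2023-0071 entry does for its rationale) and consider a periodic job that runs `cargo audit` without the ignores so the list is pruned when the fixed versions land.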
4 changes: 2 additions & 2 deletions src-tauri/Cargo.toml
Expand Up @@ -44,10 +44,10 @@ jsonwebtoken = "9" # EdDSA / Ed25519 JWT verification for signed license respon

# File parsing (CSV, Excel)
csv = "1.3"
calamine = "0.26"
calamine = "0.35"

# Document parsing
pdf-extract = "0.10"
pdf-extract = "0.12"
docx-rs = "0.4.20"
notify = { version = "7", features = ["macos_fsevent"] }
notify-debouncer-full = "0.4" # Bundles notify 7 + an event debouncer that preserves Remove kinds (issue #38)
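Review bot: `calamine = "0.26"` -> `"0.35"` and `pdf-extract = "0.10"` -> `"0.12"` are 0.x minor bumps, which Cargo treats as semver-incompatible, so this is an API upgrade and not just a lockfile refresh; please confirm the Excel and PDF call sites compile against the new versions and that the malformed-document tests (the `catch_unwind` path referenced in the workflow comment) still exercise them. Also include the corresponding `Cargo.lock` change in the PR so `cargo audit` in the workflow above scans the resolved versions and the "fixed lopdf advisory" and "older quick-xml@0.31 path" the workflow comment says are removed can be verified from the diff.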