chore(deps): update dependency @tauri-apps/cli to v1.5.6 [security] #92

renovate · 2024-02-25T09:26:43Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@tauri-apps/cli	`1.2.3` -> `1.5.6`

GitHub Vulnerability Alerts

CVE-2023-46115

Impact

This advisory is not describing a vulnerability in the Tauri code base itself but a commonly used misconfiguration which could lead to leaking of the private key and updater key password into bundled Tauri applications using the Vite frontend in a specific configuration.

The Tauri documentation used an insecure example configuration in the Vite guide to showcase how to use Tauri together with Vite.

Copying the following snippet envPrefix: ['VITE_', 'TAURI_'], from this guide into the vite.config.ts of a Tauri project possibly leads to bundling the TAURI_PRIVATE_KEY and TAURI_KEY_PASSWORD into the Vite frontend code and therefore leaking this value to the debug built of a Tauri application.

The value is automatically bundled into debug builds but for production builds it is not embedded, as long as it is not directly referenced in the frontend code. Vite statically replaces these values in production builds. This reduces the amount of affected applications to a very small amount of affected applications.

To verify if you are affected you can search for the private key value or the TAURI_PRIVATE_KEY variable inside the release build frontend assets (dist/).

Example: grep -r "TAURI_PRIVATE_KEY" dist/

Using only the envPrefix: ['VITE_'], or any other framework than Vite means you are not impacted by this advisory.

Patches

The documentation has been patched but as the root cause is not in Tauri itself the issue is not fixed by updating Tauri.
The vite.config.ts configuration of the project needs to be adapted.

We recommend rotating your updater private key if you are affected by this (requires Tauri CLI >=1.5.5). After updating the envPrefix configuration, generate a new private key with tauri signer generate, saving the new private key and updating the updater's pubkey value on tauri.conf.json with the new public key. To update your existing application, the next application build must be signed with the older private key in order to be accepted by the existing application.

Workarounds

The envPrefix: ['VITE_'],should be used and the desired TAURI variables manually added.
Respective these variables could be added TAURI_PLATFORM, TAURI_ARCH, TAURI_FAMILY, TAURI_PLATFORM_VERSION, TAURI_PLATFORM_TYPE and TAURI_DEBUG without leaking sensitive information.

We urge affected users to implement the workaround as the 1.x branch will not receive a general prevention fix as it would break systems.

References

The issue was originally disclosed in our discord here.
The affected guide is https://tauri.app/v1/guides/getting-started/setup/vite/.

Update: We lowered the severity from high to low, as the likelihood of impact was found to only affect a very limited amount of applications.

Update2: We changed the affected versions to make clear that after 2.0.0-alpha.16 or 1.5.6 the potentially vulnerable recommendation was no longer visible on our website and should not affect projects by default. A lot of users were confused and we believe this advisory reached the necessary user base.

Release Notes

tauri-apps/tauri (@tauri-apps/cli)

`v1.5.6`: @tauri-apps/cli v1.5.6

Compare Source

[1.5.6]

Bug Fixes

5264e41d(#8082) Downgraded rust-minisign to 0.7.3 to fix signing updater bundles with empty passwords.

Dependencies

Upgraded to [email protected]

`v1.5.5`: @tauri-apps/cli v1.5.5

Compare Source

[1.5.5]

Enhancements

9bead42d(#8059) Allow rotating the updater private key.

Bug Fixes

be8e5aa3(#8042) Fixes duplicated newlines on command outputs.

Dependencies

Upgraded to [email protected]

`v1.5.4`: tauri v1.5.4

Compare Source

Updating crates.io index

Cargo Audit

Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 582 security advisories (from /home/runner/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (558 crate dependencies)
Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── clap 3.2.25
    └── tauri 1.5.4
        ├── tauri 1.5.4
        ├── restart 0.1.0
        └── app-updater 0.1.0

warning: 1 allowed warning found

[1.5.4]

Enhancements

3c371aa8(#8228) Added test::get_ipc_response.

Bug Fixes

50a3d170(#8408) On Windows, fix open dialog defaultPath, when invoked from JS, not working if the path uses forward slash (/)
645e1dcc(#8404) Fix NSIS updater failing to launch when using basicUi mode.

Dependencies

Upgraded to [email protected]
Upgraded to [email protected]
Upgraded to [email protected]
Upgraded to [email protected]

Cargo Publish

Updating crates.io index
   Packaging tauri v1.5.4 (/home/runner/work/tauri/tauri/core/tauri)
    Updating crates.io index
   Verifying tauri v1.5.4 (/home/runner/work/tauri/tauri/core/tauri)
 Downloading crates ...
  Downloaded tokio-macros v2.2.0
  Downloaded signal-hook-registry v1.4.1
  Downloaded futures-macro v0.3.29
  Downloaded ignore v0.4.21
  Downloaded state v0.5.3
  Downloaded libm v0.2.8
  Downloaded tauri-runtime-wry v0.14.3
  Downloaded serialize-to-javascript-impl v0.1.1
  Downloaded serialize-to-javascript v0.1.1
  Downloaded globset v0.4.14
  Downloaded serde_repr v0.1.17
  Downloaded tauri-macros v1.4.3
   Compiling proc-macro2 v1.0.70
   Compiling unicode-ident v1.0.12
   Compiling serde v1.0.193
   Compiling libc v0.2.151
   Compiling smallvec v1.11.2
   Compiling pkg-config v0.3.28
   Compiling equivalent v1.0.1
   Compiling heck v0.4.1
   Compiling hashbrown v0.14.3
   Compiling quote v1.0.33
   Compiling syn v2.0.41
   Compiling winnow v0.5.30
   Compiling indexmap v2.1.0
   Compiling cfg-if v1.0.0
   Compiling target-lexicon v0.12.12
   Compiling version-compare v0.1.1
   Compiling autocfg v1.1.0
   Compiling cfg-expr v0.15.5
   Compiling syn v1.0.109
   Compiling version_check v0.9.4
   Compiling siphasher v0.3.11
   Compiling ppv-lite86 v0.2.17
   Compiling once_cell v1.19.0
   Compiling getrandom v0.2.11
   Compiling bitflags v1.3.2
   Compiling thiserror v1.0.51
   Compiling getrandom v0.1.16
   Compiling rand_core v0.6.4
   Compiling proc-macro-error-attr v1.0.4
   Compiling futures-core v0.3.29
   Compiling rand_chacha v0.3.1
   Compiling proc-macro-error v1.0.4
   Compiling slab v0.4.9
   Compiling anyhow v1.0.75
   Compiling futures-task v0.3.29
   Compiling rand_core v0.5.1
   Compiling pin-project-lite v0.2.13
   Compiling futures-util v0.3.29
   Compiling rand v0.8.5
   Compiling pin-utils v0.1.0
   Compiling futures-channel v0.3.29
   Compiling rand_pcg v0.2.1
   Compiling rand_chacha v0.2.2
   Compiling phf_shared v0.10.0
   Compiling unicode-segmentation v1.10.1
   Compiling serde_derive v1.0.193
   Compiling thiserror-impl v1.0.51
   Compiling futures-macro v0.3.29
   Compiling heck v0.3.3
   Compiling rand v0.7.3
   Compiling phf_shared v0.8.0
   Compiling lock_api v0.4.11
   Compiling cfg-expr v0.9.1
   Compiling version-compare v0.0.11
   Compiling semver v1.0.20
   Compiling parking_lot_core v0.9.9
   Compiling fnv v1.0.7
   Compiling itoa v1.0.10
   Compiling phf_generator v0.8.0
   Compiling log v0.4.20
   Compiling futures-executor v0.3.29
   Compiling scopeguard v1.2.0
   Compiling ryu v1.0.16
   Compiling phf_generator v0.10.0
   Compiling proc-macro-hack v0.5.20+deprecated
   Compiling parking_lot v0.12.1
   Compiling memoffset v0.9.0
   Compiling new_debug_unreachable v1.0.4
   Compiling byteorder v1.5.0
   Compiling phf_codegen v0.10.0
   Compiling string_cache_codegen v0.5.2
   Compiling precomputed-hash v0.1.1
   Compiling gio v0.15.12
   Compiling tinyvec_macros v0.1.1
   Compiling mac v0.1.1
   Compiling memchr v2.6.4
   Compiling ident_case v1.0.1
   Compiling strsim v0.10.0
   Compiling phf_macros v0.8.0
   Compiling darling_core v0.20.3
   Compiling markup5ever v0.11.0
   Compiling futf v0.1.5
   Compiling tinyvec v1.6.0
   Compiling phf_codegen v0.8.0
   Compiling cssparser v0.27.2
   Compiling uuid v1.6.1
   Compiling toml_datetime v0.6.5
   Compiling serde_spanned v0.6.5
   Compiling toml_edit v0.21.0
   Compiling toml_edit v0.19.15
   Compiling toml v0.5.11
   Compiling toml v0.8.8
   Compiling proc-macro-crate v1.3.1
   Compiling system-deps v6.2.0
   Compiling system-deps v5.0.0
   Compiling crc32fast v1.3.2
   Compiling utf-8 v0.7.6
   Compiling futures-io v0.3.29
   Compiling glib-macros v0.15.13
   Compiling simd-adler32 v0.3.7
   Compiling dtoa v1.0.9
   Compiling glib-sys v0.15.10
   Compiling gobject-sys v0.15.10
   Compiling gio-sys v0.15.10
   Compiling gdk-sys v0.15.1
   Compiling gdk-pixbuf-sys v0.15.10
   Compiling cairo-sys-rs v0.15.1
   Compiling atk-sys v0.15.1
   Compiling pango-sys v0.15.10
   Compiling gtk-sys v0.15.3
   Compiling glib v0.15.12
   Compiling dtoa-short v0.3.4
   Compiling tendril v0.4.3
   Compiling soup2-sys v0.2.0
   Compiling darling_macro v0.20.3
   Compiling string_cache v0.8.7
   Compiling unicode-normalization v0.1.22
   Compiling selectors v0.22.0
   Compiling phf v0.8.0
   Compiling rustc_version v0.4.0
   Compiling html5ever v0.26.0
   Compiling cssparser-macros v0.6.1
   Compiling phf v0.10.1
   Compiling phf_shared v0.11.2
   Compiling indexmap v1.9.3
   Compiling nodrop v0.1.14
   Compiling adler v1.0.2
   Compiling serde_json v1.0.108
   Compiling alloc-no-stdlib v2.0.4
   Compiling matches v0.1.10
   Compiling convert_case v0.4.0
   Compiling stable_deref_trait v1.2.0
   Compiling unicode-bidi v0.3.14
   Compiling typenum v1.17.0
   Compiling percent-encoding v2.3.1
   Compiling crossbeam-utils v0.8.17
   Compiling itoa v0.4.8
   Compiling form_urlencoded v1.2.1
   Compiling idna v0.5.0
   Compiling derive_more v0.99.17
   Compiling servo_arc v0.1.1
   Compiling alloc-stdlib v0.2.2
   Compiling miniz_oxide v0.7.1
   Compiling phf_generator v0.11.2
   Compiling field-offset v0.3.6
   Compiling darling v0.20.3
   Compiling fxhash v0.2.1
   Compiling generic-array v0.14.7
   Compiling thin-slice v0.1.1
   Compiling hashbrown v0.12.3
   Compiling flate2 v1.0.28
   Compiling serde_with_macros v3.4.0
   Compiling cairo-rs v0.15.12
   Compiling pango v0.15.10
   Compiling phf_macros v0.11.2
   Compiling brotli-decompressor v2.5.1
   Compiling url v2.5.0
   Compiling fdeflate v0.3.1
   Compiling javascriptcore-rs-sys v0.4.0
   Compiling cfb v0.7.3
   Compiling gtk v0.15.5
   Compiling same-file v1.0.6
   Compiling walkdir v2.4.0
   Compiling infer v0.13.0
   Compiling png v0.17.10
   Compiling brotli v3.4.0
   Compiling gdk-pixbuf v0.15.11
   Compiling phf v0.11.2
   Compiling kuchikiki v0.8.2
   Compiling gdk v0.15.4
   Compiling serde_with v3.4.0
   Compiling atk v0.15.1
   Compiling webkit2gtk-sys v0.18.0
   Compiling gtk3-macros v0.15.6
   Compiling ctor v0.2.6
   Compiling x11 v2.21.0
   Compiling dunce v1.0.4
   Compiling gdkx11-sys v0.15.1
   Compiling cc v1.0.83
   Compiling x11-dl v2.21.0
   Compiling bytes v1.5.0
   Compiling rustix v0.38.28
   Compiling tao v0.16.5
   Compiling treediff v4.0.2
   Compiling crypto-common v0.1.6
   Compiling block-buffer v0.10.4
   Compiling linux-raw-sys v0.4.12
   Compiling bitflags v2.4.1
   Compiling raw-window-handle v0.5.2
   Compiling json-patch v1.2.0
   Compiling digest v0.10.7
   Compiling http v0.2.11
   Compiling soup2 v0.2.1
   Compiling javascriptcore-rs v0.16.0
   Compiling crossbeam-channel v0.5.9
   Compiling gdkwayland-sys v0.15.3
   Compiling aho-corasick v1.1.2
   Compiling instant v0.1.12
   Compiling glob v0.3.1
   Compiling tauri-runtime v0.14.2
   Compiling lazy_static v1.4.0
   Compiling cpufeatures v0.2.11
   Compiling regex-syntax v0.8.2
   Compiling wry v0.24.7
   Compiling regex-automata v0.4.3
   Compiling sha2 v0.10.8
   Compiling tauri-utils v1.5.2
   Compiling ico v0.3.0
   Compiling crossbeam-epoch v0.9.16
   Compiling bstr v1.8.0
   Compiling http-range v0.1.5
   Compiling base64 v0.21.5
   Compiling tauri-runtime-wry v0.14.3
   Compiling tauri-codegen v1.4.2
   Compiling globset v0.4.14
   Compiling crossbeam-deque v0.8.4
   Compiling xattr v1.1.3
   Compiling serialize-to-javascript-impl v0.1.1
   Compiling tauri v1.5.4 (/home/runner/work/tauri/tauri/target/package/tauri-1.5.4)
   Compiling filetime v0.2.23
   Compiling dirs-sys-next v0.1.2
   Compiling num_cpus v1.16.0
   Compiling fastrand v2.0.1
   Compiling tempfile v3.8.1
   Compiling tokio v1.35.1
   Compiling webkit2gtk v0.18.2
   Compiling tauri-macros v1.4.3
   Compiling dirs-next v2.0.0
   Compiling tar v0.4.40
   Compiling serialize-to-javascript v0.1.1
   Compiling ignore v0.4.21
   Compiling serde_repr v0.1.17
   Compiling encoding_rs v0.8.33
   Compiling state v0.5.3
    Finished dev [unoptimized + debuginfo] target(s) in 1m 30s
    Packaged 76 files, 983.2KiB (219.4KiB compressed)
   Uploading tauri v1.5.4 (/home/runner/work/tauri/tauri/core/tauri)
    Uploaded tauri v1.5.4 to registry `crates-io`
note: Waiting for `tauri v1.5.4` to be available at registry `crates-io`.
You may press ctrl-c to skip waiting; the crate should be available shortly.
   Published tauri v1.5.4 at registry `crates-io`

`v1.5.2`: @tauri-apps/api v1.5.2

Compare Source

Yarn Audit

yarn audit v1.22.21
info No lockfile found.
0 vulnerabilities found - Packages audited: 148
Done in 2.28s.

[1.5.2]

Bug Fixes

50462702(#8267) Add top-level main, module and types fields in package.json to be compliant with typescripts's "moduleResolution": "node"
14544e4b(#8219) Avoid crashing in clearMocks

Yarn Publish

yarn run v1.22.21
$ yarn build && cd ./dist && yarn publish --access public --loglevel silly --tag next
$ rollup -c --configPlugin typescript
�[36m
�[1m./src/app.ts, ./src/cli.ts, ./src/clipboard.ts, ./src/dialog.ts, ./src/event.ts, ./src/fs.ts, ./src/globalShortcut.ts, ./src/http.ts, ./src/index.ts, ./src/mocks.ts, ./src/notification.ts, ./src/os.ts, ./src/path.ts, ./src/process.ts, ./src/shell.ts, ./src/tauri.ts, ./src/updater.ts, ./src/window.ts�[22m → �[1m./dist, ./dist�[22m...�[39m
�[32mcreated �[1m./dist, ./dist�[22m in �[1m1.6s�[22m�[39m
�[36m
�[1msrc/index.ts�[22m → �[1m../../core/tauri/scripts/bundle.global.js�[22m...�[39m
�[32mcreated �[1m../../core/tauri/scripts/bundle.global.js�[22m in �[1m1.8s�[22m�[39m
[1/4] Bumping version...
info Current version: 1.5.2
[2/4] Logging in...
[3/4] Publishing...
success Published.
[4/4] Revoking token...
info Not revoking login token, specified via config file.
Done in 8.45s.

`v1.5.1`: tauri-build v1.5.1

Compare Source

Updating crates.io index

Cargo Audit

Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 582 security advisories (from /home/runner/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (558 crate dependencies)
Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── clap 3.2.25
    └── tauri 1.5.4
        ├── tauri 1.5.4
        ├── restart 0.1.0
        └── app-updater 0.1.0

warning: 1 allowed warning found

[1.5.1]

Dependencies

Upgraded to [email protected]
Upgraded to [email protected]

Cargo Publish

Updating crates.io index
   Packaging tauri-build v1.5.1 (/home/runner/work/tauri/tauri/core/tauri-build)
   Verifying tauri-build v1.5.1 (/home/runner/work/tauri/tauri/core/tauri-build)
    Updating crates.io index
 Downloading crates ...
  Downloaded embed-resource v2.4.0
  Downloaded cargo_toml v0.15.3
  Downloaded tauri-winres v0.1.1
   Compiling proc-macro2 v1.0.70
   Compiling unicode-ident v1.0.12
   Compiling cfg-if v1.0.0
   Compiling libc v0.2.151
   Compiling siphasher v0.3.11
   Compiling ppv-lite86 v0.2.17
   Compiling serde v1.0.193
   Compiling getrandom v0.1.16
   Compiling syn v1.0.109
   Compiling quote v1.0.33
   Compiling syn v2.0.41
   Compiling getrandom v0.2.11
   Compiling rand_core v0.6.4
   Compiling rand_core v0.5.1
   Compiling rand_chacha v0.3.1
   Compiling rand v0.8.5
   Compiling autocfg v1.1.0
   Compiling rand_chacha v0.2.2
   Compiling rand_pcg v0.2.1
   Compiling phf_shared v0.10.0
   Compiling rand v0.7.3
   Compiling phf_shared v0.8.0
   Compiling smallvec v1.11.2
   Compiling phf_generator v0.10.0
   Compiling lock_api v0.4.11
   Compiling hashbrown v0.14.3
   Compiling phf_generator v0.8.0
   Compiling equivalent v1.0.1
   Compiling fnv v1.0.7
   Compiling proc-macro-hack v0.5.20+deprecated
   Compiling parking_lot_core v0.9.9
   Compiling indexmap v2.1.0
   Compiling new_debug_unreachable v1.0.4
   Compiling scopeguard v1.2.0
   Compiling winnow v0.5.30
   Compiling string_cache_codegen v0.5.2
   Compiling phf_codegen v0.10.0
   Compiling precomputed-hash v0.1.1
   Compiling strsim v0.10.0
   Compiling ident_case v1.0.1
   Compiling semver v1.0.20
   Compiling serde_derive v1.0.193
   Compiling mac v0.1.1
   Compiling byteorder v1.5.0
   Compiling futf v0.1.5
   Compiling darling_core v0.20.3
   Compiling markup5ever v0.11.0
   Compiling cssparser v0.27.2
   Compiling phf_macros v0.8.0
   Compiling parking_lot v0.12.1
   Compiling phf_codegen v0.8.0
   Compiling log v0.4.20
   Compiling dtoa v1.0.9
   Compiling utf-8 v0.7.6
   Compiling once_cell v1.19.0
   Compiling tinyvec_macros v0.1.1
   Compiling serde_json v1.0.108
   Compiling tinyvec v1.6.0
   Compiling tendril v0.4.3
   Compiling darling_macro v0.20.3
   Compiling dtoa-short v0.3.4
   Compiling selectors v0.22.0
   Compiling phf v0.8.0
   Compiling html5ever v0.26.0
   Compiling cssparser-macros v0.6.1
   Compiling phf v0.10.1
   Compiling indexmap v1.9.3
   Compiling phf_shared v0.11.2
   Compiling matches v0.1.10
   Compiling ryu v1.0.16
   Compiling thiserror v1.0.51
   Compiling stable_deref_trait v1.2.0
   Compiling convert_case v0.4.0
   Compiling nodrop v0.1.14
   Compiling itoa v0.4.8
   Compiling itoa v1.0.10
   Compiling derive_more v0.99.17
   Compiling servo_arc v0.1.1
   Compiling phf_generator v0.11.2
   Compiling darling v0.20.3
   Compiling unicode-normalization v0.1.22
   Compiling toml_datetime v0.6.5
   Compiling serde_spanned v0.6.5
   Compiling string_cache v0.8.7
   Compiling toml_edit v0.21.0
   Compiling toml_edit v0.19.15
   Compiling fxhash v0.2.1
   Compiling thiserror-impl v1.0.51
   Compiling percent-encoding v2.3.1
   Compiling thin-slice v0.1.1
   Compiling unicode-bidi v0.3.14
   Compiling bitflags v1.3.2
   Compiling uuid v1.6.1
   Compiling hashbrown v0.12.3
   Compiling cfb v0.7.3
   Compiling idna v0.5.0
   Compiling form_urlencoded v1.2.1
   Compiling treediff v4.0.2
   Compiling toml v0.7.8
   Compiling toml v0.8.8
   Compiling serde_with_macros v3.4.0
   Compiling phf_macros v0.11.2
   Compiling rustc_version v0.4.0
   Compiling cc v1.0.83
   Compiling same-file v1.0.6
   Compiling anyhow v1.0.75
   Compiling phf v0.11.2
   Compiling embed-resource v2.4.0
   Compiling walkdir v2.4.0
   Compiling serde_with v3.4.0
   Compiling kuchikiki v0.8.2
   Compiling url v2.5.0
   Compiling json-patch v1.2.0
   Compiling infer v0.13.0
   Compiling ctor v0.2.6
   Compiling dirs-sys-next v0.1.2
   Compiling memchr v2.6.4
   Compiling heck v0.4.1
   Compiling glob v0.3.1
   Compiling dunce v1.0.4
   Compiling dirs-next v2.0.0
   Compiling tauri-utils v1.5.2
   Compiling tauri-winres v0.1.1
   Compiling cargo_toml v0.15.3
   Compiling tauri-build v1.5.1 (/home/runner/work/tauri/tauri/target/package/tauri-build-1.5.1)
    Finished dev [unoptimized + debuginfo] target(s) in 30.23s
    Packaged 12 files, 50.5KiB (16.0KiB compressed)
   Uploading tauri-build v1.5.1 (/home/runner/work/tauri/tauri/core/tauri-build)
    Uploaded tauri-build v1.5.1 to registry `crates-io`
note: Waiting for `tauri-build v1.5.1` to be available at registry `crates-io`.
You may press ctrl-c to skip waiting; the crate should be available shortly.
   Published tauri-build v1.5.1 at registry `crates-io`

`v1.5.0`: tauri-build v1.5.0

Compare Source

Updating crates.io index

Cargo Audit

Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 573 security advisories (from /home/runner/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (524 crate dependencies)
Crate:     kuchiki
Version:   0.8.1
Warning:   unmaintained
Title:     `kuchiki` is unmaintained
Date:      2023-01-21
ID:        RUSTSEC-2023-0019
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0019
Dependency tree:
kuchiki 0.8.1
└── wry 0.24.4
    └── tauri-runtime-wry 0.14.1
        └── tauri 1.5.0
            ├── tauri 1.5.0
            ├── restart 0.1.0
            └── app-updater 0.1.0

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── clap 3.2.25
    └── tauri 1.5.0
        ├── tauri 1.5.0
        ├── restart 0.1.0
        └── app-updater 0.1.0

warning: 2 allowed warnings found

[1.5.0]

What's Changed

d1e09da0(#7918) Bump to 1.5 due to tauri-utils dependency bump.

Cargo Publish

Updating crates.io index
   Packaging tauri-build v1.5.0 (/home/runner/work/tauri/tauri/core/tauri-build)
   Verifying tauri-build v1.5.0 (/home/runner/work/tauri/tauri/core/tauri-build)
    Updating crates.io index
 Downloading crates ...
  Downloaded phf v0.8.0
  Downloaded infer v0.12.0
  Downloaded cfb v0.7.3
  Downloaded cargo_toml v0.15.3
  Downloaded darling_macro v0.20.3
  Downloaded precomputed-hash v0.1.1
  Downloaded phf_macros v0.10.0
  Downloaded phf_codegen v0.10.0
  Downloaded ctor v0.1.26
  Downloaded stable_deref_trait v1.2.0
  Downloaded embed-resource v2.3.0
  Downloaded siphasher v0.3.11
  Downloaded phf_generator v0.8.0
  Downloaded serde_with_macros v3.3.0
  Downloaded uuid v1.4.1
  Downloaded rand v0.7.3
  Downloaded treediff v4.0.2
  Downloaded rand_chacha v0.2.2
  Downloaded selectors v0.22.0
  Downloaded serde_with v3.3.0
  Downloaded matches v0.1.10
  Downloaded itoa v0.4.8
  Downloaded rand_chacha v0.3.1
  Downloaded darling_core v0.20.3
  Downloaded tauri-winres v0.1.1
  Downloaded proc-macro-hack v0.5.20+deprecated
  Downloaded chrono v0.4.31
  Downloaded dtoa-short v0.3.4
  Downloaded tauri-utils v1.5.0
  Downloaded rand_pcg v0.2.1
  Downloaded ppv-lite86 v0.2.17
  Downloaded rand_core v0.6.4
  Downloaded iana-time-zone v0.1.57
  Downloaded json-patch v1.1.0
  Downloaded kuchikiki v0.8.2
  Downloaded phf_generator v0.10.0
  Downloaded utf-8 v0.7.6
  Downloaded nodrop v0.1.14
  Downloaded darling v0.20.3
  Downloaded string_cache v0.8.7
  Downloaded tendril v0.4.3
  Downloaded cssparser v0.27.2
  Downloaded glob v0.3.1
  Downloaded string_cache_codegen v0.5.2
  Downloaded servo_arc v0.1.1
  Downloaded fxhash v0.2.1
  Downloaded markup5ever v0.11.0
  Downloaded phf_shared v0.8.0
  Downloaded new_debug_unreachable v1.0.4
  Downloaded mac v0.1.1
  Downloaded rustc_version v0.4.0
  Downloaded phf v0.10.1
  Downloaded html5ever v0.26.0
  Downloaded getrandom v0.1.16
  Downloaded phf_shared v0.10.0
  Downloaded cssparser-macros v0.6.1
  Downloaded phf_macros v0.8.0
  Downloaded rand_core v0.5.1
  Downloaded getrandom v0.2.10
  Downloaded convert_case v0.4.0
  Downloaded dtoa v1.0.9
  Downloaded derive_more v0.99.17
  Downloaded thin-slice v0.1.1
  Downloaded phf_codegen v0.8.0
  Downloaded futf v0.1.5
  Downloaded rand v0.8.5
   Compiling proc-macro2 v1.0.67
   Compiling unicode-ident v1.0.12
   Compiling cfg-if v1.0.0
   Compiling libc v0.2.148
   Compiling quote v1.0.33
   Compiling syn v2.0.37
   Compiling ppv-lite86 v0.2.17
   Compiling siphasher v0.3.11
   Compiling serde v1.0.188
   Compiling syn v1.0.109
   Compiling serde_derive v1.0.188
   Compiling getrandom v0.1.16
   Compiling getrandom v0.2.10
   Compiling rand_core v0.6.4
   Compiling rand_core v0.5.1
   Compiling rand_chacha v0.3.1
   Compiling phf_shared v0.10.0
   Compiling autocfg v1.1.0
   Compiling proc-macro-hack v0.5.20+deprecated
   Compiling rand v0.8.5
   Compiling rand_chacha v0.2.2
   Compiling rand_pcg v0.2.1
   Compiling rand v0.7.3
   Compiling phf_generator v0.10.0
   Compiling phf_shared v0.8.0
   Compiling phf_generator v0.8.0
   Compiling smallvec v1.11.1
   Compiling lock_api v0.4.10
   Compiling parking_lot_core v0.9.8
   Compiling fnv v1.0.7
   Compiling scopeguard v1.2.0
   Compiling new_debug_unreachable v1.0.4
   Compiling string_cache_codegen v0.5.2
   Compiling phf_codegen v0.10.0
   Compiling hashbrown v0.14.1
   Compiling semver v1.0.19
   Compiling precomputed-hash v0.1.1
   Compiling ident_case v1.0.1
   Compiling mac v0.1.1
   Compiling strsim v0.10.0
   Compiling equivalent v1.0.1
   Compiling byteorder v1.4.3
   Compiling darling_core v0.20.3
   Compiling indexmap v2.0.2
   Compiling futf v0.1.5
   Compiling markup5ever v0.11.0
   Compiling parking_lot v0.12.1
   Compiling phf_macros v0.8.0
   Compiling phf_macros v0.10.0
   Compiling phf_codegen v0.8.0
   Compiling serde_spanned v0.6.3
   Compiling toml_datetime v0.6.3
   Compiling cssparser v0.27.2
   Compiling utf-8 v0.7.6
   Compiling log v0.4.20
   Compiling tinyvec_macros v0.1.1
   Compiling serde_json v1.0.107
   Compiling winnow v0.5.15
   Compiling dtoa v1.0.9
   Compiling once_cell v1.18.0
   Compiling dtoa-short v0.3.4
   Compiling string_cache v0.8.7
   Compiling toml_edit v0.19.15
   Compiling tinyvec v1.6.0
   Compiling tendril v0.4.3
   Compiling phf v0.10.1
   Compiling selectors v0.22.0
   Compiling phf v0.8.0
   Compiling darling_macro v0.20.3
   Compiling indexmap v1.9.3
   Compiling html5ever v0.26.0
   Compiling cssparser-macros v0.6.1
   Compiling ryu v1.0.15
   Compiling itoa v1.0.9
   Compiling matches v0.1.10
   Compiling convert_case v0.4.0
   Compiling itoa v0.4.8
   Compiling thiserror v1.0.49
   Compiling nodrop v0.1.14
   Compiling stable_deref_trait v1.2.0
   Compiling servo_arc v0.1.1
   Compiling derive_more v0.99.17
   Compiling darling v0.20.3
   Compiling toml v0.7.8
   Compiling unicode-normalization v0.1.22
   Compiling fxhash v0.2.1
   Compiling thiserror-impl v1.0.49
   Compiling unicode-bidi v0.3.13
   Compiling thin-slice v0.1.1
   Compiling bitflags v1.3.2
   Compiling uuid v1.4.1
   Compiling hashbrown v0.12.3
   Compiling percent-encoding v2.3.0
   Compiling form_urlencoded v1.2.0
   Compiling cfb v0.7.3
   Compiling idna v0.4.0
   Compiling serde_with_macros v3.3.0
   Compiling treediff v4.0.2
   Compiling rustc_version v0.4.0
   Compiling cc v1.0.83
   Compiling anyhow v1.0.75
   Compiling same-file v1.0.6
   Compiling walkdir v2.4.0
   Compiling embed-resource v2.3.0
   Compiling json-patch v1.1.0
   Compiling serde_with v3.3.0
   Compiling kuchikiki v0.8.2
   Compiling url v2.4.1
   Compiling infer v0.12.0
   Compiling dirs-sys-next v0.1.2
   Compiling ctor v0.1.26
   Compiling heck v0.4.1
   Compiling memchr v2.6.3
   Compiling glob v0.3.1
   Compiling dunce v1.0.4
   Compiling tauri-utils v1.5.0
   Compiling dirs-next v2.0.0
   Compiling tauri-winres v0.1.1
   Compiling cargo_toml v0.15.3
   Compiling tauri-build v1.5.0 (/home/runner/work/tauri/tauri/target/package/tauri-build-1.5.0)
    Finished dev [unoptimized + debuginfo] target(s) in 50.12s
    Packaged 12 files, 50.5KiB (16.0KiB compressed)
   Uploading tauri-build v1.5.0 (/home/runner/work/tauri/tauri/core/tauri-build)
    Uploaded tauri-build v1.5.0 to registry `crates-io`
note: Waiting for `tauri-build v1.5.0` to be available at registry `crates-io`.
You may press ctrl-c to skip waiting; the crate should be available shortly.
   Published tauri-build v1.5.0 at registry `crates-io`

`v1.4.0`: @tauri-apps/cli v1.4.0

Compare Source

[1.4.0]

New Features

0ddbb3a1(#7015) Provide prebuilt CLIs for Windows ARM64 targets.
35cd751a(#5176) Added the desktop_template option on tauri.conf.json > tauri > bundle > deb.
6c5ade08(#4537) Added tauri completions to generate shell completions scripts.
e092f799(#6887) Add nsis > template option to specify custom NSIS installer template.

Enhancements

d75c1b82(#7181) Print a useful error when updater bundle target is specified without an updater-enabled target.
52474e47(#7141) Enhance injection of Cargo features.
2659ca1a(#6900) Add rustls as default Cargo feature.

Bug Fixes

3cb7a3e6(#6997) Fix built-in devserver adding hot-reload code to non-html files.
fb7ef8da(#6667) Fix nodejs binary regex when 0 is in the version name, for example node-20
1253bbf7(#7013) Fixes Cargo.toml feature rewriting.

`v1.3.1`

Compare Source

`v1.3.0`: tauri-build v1.3.0

Compare Source

Updating crates.io index

Cargo Audit

Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 543 security advisories (from /home/runner/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (520 crate dependencies)
Crate:     kuchiki
Version:   0.8.1
Warning:   unmaintained
Title:     `kuchiki` is unmaintained
Date:      2023-01-21
ID:        RUSTSEC-2023-0019
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0019
Dependency tree:
kuchiki 0.8.1
├── wry 0.24.1
│   └── tauri-runtime-wry 0.13.0
│       └── tauri 1.3.0
│           ├── tauri 1.3.0
│           ├── restart 0.1.0
│           └── app-updater 0.1.0
└── tauri-utils 1.3.0
    ├── tauri-tauri-config-schema 0.0.0
    ├── tauri-runtime-wry 0.13.0
    ├── tauri-runtime 0.13.0
    │   ├── tauri-runtime-wry 0.13.0
    │   └── tauri 1.3.0
    ├── tauri-macros 1.3.0
    │   └── tauri 1.3.0
    ├── tauri-codegen 1.3.0
    │   ├── tauri-macros 1.3.0
    │   └── tauri-build 1.3.0
    │       └── app-updater 0.1.0
    ├── tauri-build 1.3.0
    └── tauri 1.3.0

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
├── colored 2.0.0
│   └── mockito 0.31.1
│       └── tauri 1.3.0
│           ├── tauri 1.3.0
│           ├── restart 0.1.0
│           └── app-updater 0.1.0
└── clap 3.2.25
    └── tauri 1.3.0

warning: 2 allowed warnings found

[1.3.0]

Bump minimum supported Rust version to 1.60.
- 5fdc616d feat: Use the zbus-backed of notify-rust (#6332) on 2023-03-31
Add initial support for building nsis bundles on non-Windows platforms.
- 60e6f6c3 feat(bundler): Add support for creating NSIS bundles on unix hosts (#5788) on 2023-01-19
Add WindowsAttributes::app_manifest to specify the application manifest on Windows.
- bca09f7f feat(tauri-build): add option to specify Windows manifest, closes #5584 (#5730) on 2022-12-14
Added support for Cargo's workspace inheritance for package information. The cli now also detects inherited tauri and tauri-build dependencies and disables manifest rewrites accordingly.
- cd8c074a feat(cli): add support for Cargo's workspace inheritance for the package version, closes #5070 (#5775) on 2022-12-14
- d20a7288 feat: Further improve workspace inheritance, closes #6122, #5070 (#6144) on 2023-01-26
Pin winnow crate to 0.4.1 to keep the 1.60 MSRV.

Cargo Publish

Updating crates.io index
   Packaging tauri-build v1.3.0 (/home/runner/work/tauri/tauri/core/tauri-build)
   Verifying tauri-build v1.3.0 (/home/runner/work/tauri/tauri/core/tauri-build)
 Downloading crates ...
  Downloaded tauri-winres v0.1.0
  Downloaded cargo_toml v0.15.2
  Downloaded winnow v0.4.1
   Compiling proc-macro2 v1.0.56
   Compiling quote v1.0.26
   Compiling unicode-ident v1.0.8
   Compiling libc v0.2.142
   Compiling cfg-if v1.0.0
   Compiling syn v2.0.15
   Compiling ppv-lite86 v0.2.17
   Compiling siphasher v0.3.10
   Compiling getrandom v0.1.16
   Compiling serde_derive v1.0.160
   Compiling serde v1.0.160
   Compiling syn v1.0.109
   Compiling rand_core v0.5.1
   Compiling rand_chacha v0.2.2
   Compiling rand_pcg v0.2.1
   Compiling autocfg v1.1.0
   Compiling rand v0.7.3
   Compiling phf_shared v0.8.0
   Compiling phf_generator v0.8.0
   Compiling getrandom v0.2.9
   Compiling rand_core v0.6.4
   Compiling proc-macro-hack v0.5.20+deprecated
   Compiling rand_chacha v0.3.1
   Compiling phf_shared v0.10.0
   Compiling rand v0.8.5
   Compiling phf_generator v0.10.0
   Compiling phf_codegen v0.8.0
   Compiling smallvec v1.10.0
   Compiling lock_api v0.4.9
   Compiling fnv v1.0.7
   Compiling parking_lot_core v0.9.7
   Compiling phf_macros v0.8.0
   Compiling log v0.4.17
   Compiling scopeguard v1.1.0
   Compiling new_debug_unreachable v1.0.4
   Compiling phf v0.8.0
   Compiling string_cache_codegen v0.5.2
   Compiling byteorder v1.4.3
   Compiling precomputed-hash v0.1.1
   Compiling strsim v0.10.0
   Compiling mac v0.1.1
   Compiling ident_case v1.0.1
   Compiling darling_core v0.20.1
   Compiling futf v0.1.5
   Compiling markup5ever v0.10.1
   Compiling parking_lot v0.12.1
   Compiling indexmap v1.9.3
   Compiling cssparser v0.27.2
   Compiling dtoa v0.4.8
   Compiling serde_json v1.0.96
   Compiling utf-8 v0.7.6
   Compiling once_cell v1.17.1
   Compiling tinyvec_macros v0.1.1
   Compiling tinyvec v1.6.0
   Compiling string_cache v0.8.7
   Compiling tendril v0.4.3
   Compiling dtoa-short v0.3.3
   Compiling darling_macro v0.20.1
   Compiling selectors v0.22.0
   Compiling html5ever v0.25.2
   Compiling cssparser-macros v0.6.0
   Compiling stable_deref_trait v1.2.0
   Compiling matches v0.1.10
   Compiling thiserror v1.0.40
   Compiling nodrop v0.1.14
   Compiling hashbrown v0.12.3
   Compiling convert_case v0.4.0
   Compiling ryu v1.0.13
   Compiling itoa v1.0.6
   Compiling itoa v0.4.8
   Compiling derive_more v0.99.17
   Compiling servo_arc v0.1.1
   Compiling darling v0.20.1
   Compiling unicode-normalization v0.1.22
   Compiling fxhash v0.2.1
   Compiling toml_datetime v0.6.1
   Compiling serde_spanned v0.6.1
   Compiling thiserror-impl v1.0.40
   Compiling memchr v2.5.0
   Compiling semver v1.0.17
   Compiling uuid v1.3.2
   Compiling thin-slice v0.1.1
   Compiling winnow v0.4.1
   Compiling percent-encoding v2.2.0
   Compiling unicode-bidi v0.3.13
   Compiling bitflags v1.3.2
   Compiling toml_edit v0.19.8
   Compiling idna v0.3.0
   Compiling form_urlencoded v1.1.0
   Compiling cfb v0.7.3
   Compiling serde_with_macros v2.3.3
   Compiling treediff v4.0.2
   Compiling phf_macros v0.10.0
   Compiling same-file v1.0.6
   Compiling anyhow v1.0.71
   Compiling phf v0.10.1
   Compiling walkdir v2.3.3
   Compiling serde_with v2.3.3
   Compiling json-patch v1.0.0
   Compiling kuchiki v0.8.1
   Compiling infer v0.12.0
   Compiling url v2.3.1
   Compiling toml v0.7.3
   Compiling toml v0.5.11
   Compiling ctor v0.1.26
   Compiling heck v0.4.1
   Compiling glob v0.3.1
   Compiling version_check v0.9.4
   Compiling tauri-utils v1.3.0
   Compiling tauri-winres v0.1.0
   Compiling cargo_toml v0.15.2
   Compiling tauri-build v1.3.0 (/home/runner/work/tauri/tauri/target/package/tauri-build-1.3.0)
    Finished dev [unoptimized + debuginfo] target(s) in 51.49s
    Packaged 11 files, 43.3KiB (14.4KiB compressed)
   Uploading tauri-build v1.3.0 (/home/runner/work/tauri/tauri/core/tauri-build)
    Updating crates.io index
     Waiting on `tauri-build` to propagate to crates.io index (ctrl-c to wait asynchronously)
    Updating crates.io index
    Updating crates.io index
    Updating crates.io index
    Updating crates.io index
    Updating crates.io index
    Updating crates.io index
    Updating crates.io index
    Updating crates.io index
    Updating crates.io index

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

socket-security · 2024-02-25T09:26:57Z

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@tauri-apps/[email protected]	filesystem, shell	`0`	191 kB	tauri-apps-ci-user

🚮 Removed packages: npm/@tauri-apps/[email protected]

View full report↗︎

chore(deps): update dependency @tauri-apps/cli to v1.5.6 [security]

08130b6

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency @tauri-apps/cli to v1.5.6 [security] #92

chore(deps): update dependency @tauri-apps/cli to v1.5.6 [security] #92

renovate bot commented Feb 25, 2024 •

edited

Loading

Cargo Audit

Cargo Publish

Yarn Audit

Yarn Publish

Cargo Audit

Cargo Publish

Cargo Audit

Cargo Publish

Cargo Audit

Cargo Publish

socket-security bot commented Feb 25, 2024

chore(deps): update dependency @tauri-apps/cli to v1.5.6 [security] #92

Are you sure you want to change the base?

chore(deps): update dependency @tauri-apps/cli to v1.5.6 [security] #92

Conversation

renovate bot commented Feb 25, 2024 • edited Loading

GitHub Vulnerability Alerts

CVE-2023-46115

Impact

Patches

Workarounds

References

Release Notes

v1.5.6: @​tauri-apps/cli v1.5.6

[1.5.6]

Bug Fixes

Dependencies

v1.5.5: @​tauri-apps/cli v1.5.5

[1.5.5]

Enhancements

Bug Fixes

Dependencies

v1.5.4: tauri v1.5.4

Cargo Audit

[1.5.4]

Enhancements

Bug Fixes

Dependencies

Cargo Publish

v1.5.2: @​tauri-apps/api v1.5.2

Yarn Audit

[1.5.2]

Bug Fixes

Yarn Publish

v1.5.1: tauri-build v1.5.1

Cargo Audit

[1.5.1]

Dependencies

Cargo Publish

v1.5.0: tauri-build v1.5.0

Cargo Audit

[1.5.0]

What's Changed

Cargo Publish

v1.4.0: @​tauri-apps/cli v1.4.0

[1.4.0]

New Features

Enhancements

Bug Fixes

v1.3.1

v1.3.0: tauri-build v1.3.0

Cargo Audit

[1.3.0]

Cargo Publish

Configuration

socket-security bot commented Feb 25, 2024

renovate bot commented Feb 25, 2024 •

edited

Loading

`v1.5.6`: @tauri-apps/cli v1.5.6

`v1.5.5`: @tauri-apps/cli v1.5.5

`v1.5.4`: tauri v1.5.4

`v1.5.2`: @tauri-apps/api v1.5.2

`v1.5.1`: tauri-build v1.5.1

`v1.5.0`: tauri-build v1.5.0

`v1.4.0`: @tauri-apps/cli v1.4.0

`v1.3.1`

`v1.3.0`: tauri-build v1.3.0