PolyGraph runs entirely locally — it reads a folder from disk via a loopback-only Bun sidecar and never uploads or persists your code. There is no server component and no network egress in normal operation.
Please report suspected vulnerabilities privately via GitHub Security Advisories (Security → Report a vulnerability on the repository) rather than a public issue. Include affected version/commit, reproduction steps, and impact. We aim to acknowledge within a few days.
PolyGraph is pre-1.0 (alpha). Security fixes target the latest main and the most recent release.
We do not silently ignore known advisories. Each is documented here, and if/when an automated
scanner (cargo audit / cargo deny) is added to CI, any ignore entry must carry the advisory id,
a one-line reason, and a link back to this file or the tracking issue — never a bare ignore.
- Advisory: RUSTSEC-2024-0429 /
GHSA-wrw7-89jp-8q8g — unsoundness in
glib::VariantStrIter, fixed inglib ≥ 0.20.0. - Where:
src-tauri/Cargo.lockresolvesglib 0.18.5, pulled in transitively bygtk 0.18.2(GTK3 bindings) ←tauri(Linux webkit2gtk backend). - Scope: Linux desktop build only.
glibis not compiled into the Windows or macOS apps, and not into the web/sidecar/CLI at all. - Why it's pinned:
gtk 0.18.2is the last GTK3 binding (now unmaintained); gtk-rs moved to GTK4, so there is noglib 0.20in any GTK3 dependency tree and no backport.cargo update -p glib --precise 0.20.0fails theglib = "^0.18"requirement. - Status: Blocked upstream on Tauri's migration to GTK4 + WebKitGTK6. Re-evaluate when a Tauri release ships gtk4-rs. Tracked in #4 (with the upstream Tauri/wry issue links). Safe to mark the corresponding Dependabot alert "no upstream fix available" with a reference to that issue — do not dismiss it without the reference.
This advisory is also restated in each release's notes so consumers of the Linux bundle are aware.