cleanup opportunities dependency freshness
This page summarizes docs/dependency-audit-followups.md as of 2026-07-01. It is a maintenance reference, not a release blocker list by itself.
Active contributors: Douwe de Vries
As of 2026-07-01:
- `cargo audit --json` reports zero vulnerabilities.
- RustSec database snapshot: 2026-06-30 16:05:13 +02:00.
- RustSec advisory count: 1146.
- Lockfile dependency count: 531.
- Informational warnings: 17 unmaintained packages and 1 unsound package.
The scheduled workflow `.github/workflows/dead-code.yml` runs `npm run cargo:audit:required`, so RustSec advisories are checked weekly as well as during release validation.
The project is on the stable Tauri 2 line:
- tauri 2.11.4
- tauri-build 2.6.3
- tauri-runtime-wry 2.11.4
- tauri-cli 2.11.4
- @tauri-apps/api 2.11.1
As of the audit notes, Tauri 3 is not the active stable line. The monitored Linux migration target is GTK4 plus WebKitGTK 6.0, not GTK6. The upstream migration remains tied to the Tauri 3 track.
| Warning area | Current path | Decision |
|---|---|---|
| GTK3 and GLib stack | tauri -> tauri-runtime-wry / tauri-runtime / wry / tao / muda / webkit2gtk -> gtk -> glib | Keep Tauri 2 patch releases current; do not fork or override GTK/GLib/Tauri crates locally |
| `unic-*` through urlpattern | tauri-utils -> urlpattern 0.3.0 -> unic-ucd-ident -> `unic-*` | Wait for Tauri to move to a newer urlpattern; do not apply a semver-major ACL parsing override locally |
| atomic-polyfill through phonenumber | csv-anonymizer-core -> phonenumber -> postcard -> heapless -> atomic-polyfill | Keep phonenumber for now; reconsider only with fixture-backed detector comparison and MSRV review |
The 2026-07-01 stable-track refresh applied or confirmed:
- Tauri patch set updates for the active Tauri 2 line.
- Frontend patch set updates for Vite, plugin React, ESLint, Knip, TypeScript ESLint, and related tooling.
- Frontend major/typing cleanup for `lucide-react` and `@types/node`.
- CI Node pins moved to Node 26, while `package.json` and `frontend/package.json` still allow Node `>=22.13.0`.
- Rust patch/minor updates for `open`, `unicode-segmentation`, and `criterion`.
Keep these as separate PRs because each implies API or behavior review:
| Dependency | Future target | Check carefully |
|---|---|---|
| quick-xml | 0.41.x | XML direct-input fixtures, local AI manifest/config handling, and release metadata parsing |
| reqwest | 0.13.x | Ollama status checks, model download streaming, blocking client usage, TLS features, and binary size |
| rand | 0.10.x | Pseudonym generation behavior, RNG construction APIs, tests that assume output shape, and benchmark variance |
If the Rust MSRV target rises to at least 1.88, a future spike can compare `rlibphonenumber` against the existing phone detection fixtures before replacing `phonenumber`.
For dependency updates, use the full relevant gate:

```sh
npm ci --prefix frontend
npm run frontend:audit
npm run cargo:audit:required
npm run test
npm run lint
npm run release:check
npm run frontend:e2e
npm run frontend:a11y
npm run deadcode:required
node scripts/rust-smoke.mjs
```

Run `npm run linux:package-manager:check` on Linux or in CI for package-affecting updates.
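The status block at the top of this page and the `cargo:audit:required` step of the gate both rest on reading `cargo audit --json` and deciding pass/fail from it. The script below is an added illustration of that decision, not code from this page or from the project's own `scripts/` directory (what `npm run cargo:audit:required` actually executes is not shown here). It assumes cargo-audit's JSON layout has `database."advisory-count"`, `lockfile."dependency-count"`, `vulnerabilities.count`/`vulnerabilities.list`, and `warnings` keyed by kind (`unmaintained`, `unsound`, `yanked`); confirm that against the cargo-audit version in use. The two embedded reports are constructed samples: one mirrors the counts quoted on this page, the other contains a single placeholder advisory to exercise the failing path.

```javascript
// Added example; not part of this wiki page or the project's own scripts.
// Summarizes a `cargo audit --json` report and applies the policy this page
// describes: zero vulnerabilities is required, while unmaintained/unsound/yanked
// warnings are informational. The report layout assumed below is an assumption
// about cargo-audit output; check it against the version you run.

// Constructed sample mirroring the counts quoted on this page (not a real run).
const CLEAN_REPORT = JSON.stringify({
  database: { "advisory-count": 1146, "last-updated": "2026-06-30 16:05:13 +02:00" },
  lockfile: { "dependency-count": 531 },
  vulnerabilities: { found: false, count: 0, list: [] },
  warnings: {
    unmaintained: Array.from({ length: 17 }, (_, i) => ({
      kind: "unmaintained",
      package: { name: `example-crate-${i}`, version: "0.1.0" },
    })),
    unsound: [{ kind: "unsound", package: { name: "example-unsound", version: "1.0.0" } }],
  },
});

// Constructed sample with one finding; the advisory id is a placeholder, not a real RustSec entry.
const VULNERABLE_REPORT = JSON.stringify({
  database: { "advisory-count": 1146, "last-updated": "2026-06-30 16:05:13 +02:00" },
  lockfile: { "dependency-count": 531 },
  vulnerabilities: {
    found: true,
    count: 1,
    list: [{
      advisory: { id: "RUSTSEC-0000-0000", title: "placeholder advisory" },
      package: { name: "example-vulnerable", version: "0.2.0" },
      versions: { patched: [">=0.2.1"] },
    }],
  },
  warnings: {},
});

function countWarnings(warnings, kind) {
  const list = warnings && warnings[kind];
  return Array.isArray(list) ? list.length : 0;
}

// Reduce the raw report to the fields this page tracks.
function summarizeAudit(jsonText) {
  const report = JSON.parse(jsonText);
  const vulns = report.vulnerabilities || {};
  const list = Array.isArray(vulns.list) ? vulns.list : [];
  const warnings = report.warnings || {};
  return {
    advisoryCount: report.database ? report.database["advisory-count"] : null,
    databaseUpdated: report.database ? report.database["last-updated"] : null,
    dependencyCount: report.lockfile ? report.lockfile["dependency-count"] : null,
    vulnerabilityCount: typeof vulns.count === "number" ? vulns.count : list.length,
    vulnerabilities: list.map((v) => ({
      id: v.advisory && v.advisory.id,
      crate: v.package && `${v.package.name} ${v.package.version}`,
      patched: (v.versions && v.versions.patched) || [],
    })),
    unmaintained: countWarnings(warnings, "unmaintained"),
    unsound: countWarnings(warnings, "unsound"),
    yanked: countWarnings(warnings, "yanked"),
  };
}

// Gate policy from the page: any vulnerability blocks; warnings are only reported.
function auditGatePasses(summary) {
  return summary.vulnerabilityCount === 0;
}

// Human-readable summary in the same shape as the status list on this page.
function formatSummary(summary) {
  const lines = [
    `RustSec advisories: ${summary.advisoryCount} (database updated ${summary.databaseUpdated})`,
    `Lockfile dependencies: ${summary.dependencyCount}`,
    `Vulnerabilities: ${summary.vulnerabilityCount}`,
    ...summary.vulnerabilities.map(
      (v) => `  ${v.id}: ${v.crate} (patched: ${v.patched.join(", ") || "none"})`
    ),
    `Informational: ${summary.unmaintained} unmaintained, ${summary.unsound} unsound, ${summary.yanked} yanked`,
    auditGatePasses(summary) ? "GATE: pass" : "GATE: FAIL",
  ];
  return lines.join("\n");
}

console.log(formatSummary(summarizeAudit(CLEAN_REPORT)));
console.log(formatSummary(summarizeAudit(VULNERABLE_REPORT)));
```

In a real gate the JSON text would come from the captured stdout of `cargo audit --json` rather than the embedded samples; the summarizer is kept free of I/O so the same function serves both the weekly workflow and a local pre-PR check. Counting warnings by kind separately from vulnerabilities keeps the "informational" distinction the page draws visible in the output without turning those warnings into blockers.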
Related pages: Dependencies, Tooling, and Complexity hotspots.