Douwe de Vries edited this page Jul 1, 2026 · 1 revision

Dependency freshness

This page summarizes docs/dependency-audit-followups.md as of 2026-07-01. It is a maintenance reference, not a release blocker list by itself.

Active contributors: Douwe de Vries

Current audit state

As of 2026-07-01:

  • cargo audit --json reports zero vulnerabilities.
  • RustSec database snapshot: 2026-06-30 16:05:13 +02:00.
  • RustSec advisory count: 1146.
  • Lockfile dependency count: 531.
  • Informational warnings: 17 unmaintained packages and 1 unsound package.

The scheduled workflow .github/workflows/dead-code.yml runs npm run cargo:audit:required, so RustSec advisories are checked weekly as well as in release validation.
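A check that reads a `cargo audit --json` report and flags drift from the state recorded above: any vulnerability, or a warning package that is not in the reviewed baseline. This is an added example, not the project's own script; the report field names are my assumption from the cargo-audit JSON layout, and the sample report, versions and advisory ids are constructed placeholders.

```python
import json

# Constructed sample of a `cargo audit --json` report, trimmed to the fields
# read below. Field names are assumed from cargo-audit's report layout.
# Advisory ids and versions are placeholders, not real RustSec data.
SAMPLE_REPORT = json.dumps({
    "database": {"advisory-count": 1146, "last-updated": "2026-06-30T16:05:13+02:00"},
    "lockfile": {"dependency-count": 531},
    "vulnerabilities": {"found": False, "count": 0, "list": []},
    "warnings": {
        "unmaintained": [{"kind": "unmaintained", "advisory": {"id": "RUSTSEC-0000-0000"},
                          "package": {"name": "atomic-polyfill", "version": "1.0.3"}}],
        "unsound": [{"kind": "unsound", "advisory": {"id": "RUSTSEC-0000-0001"},
                     "package": {"name": "example-crate", "version": "0.1.0"}}],
    },
})

# Warning packages already reviewed and accepted (the page's "warning paths to
# monitor"); anything outside this set should be triaged, not silently tolerated.
BASELINE = {"unmaintained": ["atomic-polyfill"], "unsound": ["example-crate"]}


def summarize(report_json: str) -> dict:
    """Reduce a report to the numbers this page tracks plus packages per warning kind."""
    report = json.loads(report_json)
    return {
        "vulnerabilities": int(report.get("vulnerabilities", {}).get("count", 0)),
        "advisory_count": report["database"]["advisory-count"],
        "dependency_count": report["lockfile"]["dependency-count"],
        "warnings": {kind: sorted(w["package"]["name"] for w in items)
                     for kind, items in report.get("warnings", {}).items()},
    }


def gate(report_json: str, baseline: dict) -> list:
    """Return failure reasons: any vulnerability, or a warning package not in baseline."""
    summary = summarize(report_json)
    failures = []
    if summary["vulnerabilities"]:
        failures.append(f"{summary['vulnerabilities']} vulnerability(ies) reported")
    for kind, names in summary["warnings"].items():
        new = sorted(set(names) - set(baseline.get(kind, [])))
        if new:
            failures.append(f"new {kind} package(s): {', '.join(new)}")
    return failures


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
    print(gate(SAMPLE_REPORT, BASELINE) or "dependency gate passed")
```

Pipe the real report in with `cargo audit --json | python3 this_script.py` once the loader reads stdin instead of the constructed sample.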

Stable Tauri line

The project is on the stable Tauri 2 line:

  • tauri 2.11.4
  • tauri-build 2.6.3
  • tauri-runtime-wry 2.11.4
  • tauri-cli 2.11.4
  • @tauri-apps/api 2.11.1

As of the audit notes, Tauri 3 is not the active stable line. The monitored Linux migration target is GTK4 plus WebKitGTK 6.0, not GTK6. The upstream migration remains tied to the Tauri 3 track.

Warning paths to monitor

| Warning area | Current path | Decision |
| --- | --- | --- |
| GTK3 and GLib stack | tauri -> tauri-runtime-wry / tauri-runtime / wry / tao / muda / webkit2gtk -> gtk -> glib | Keep Tauri 2 patch releases current; do not fork or override GTK/GLib/Tauri crates locally |
| unic-* through urlpattern | tauri-utils -> urlpattern 0.3.0 -> unic-ucd-ident -> unic-* | Wait for Tauri to move to a newer urlpattern; do not apply a semver-major ACL parsing override locally |
| atomic-polyfill through phonenumber | csv-anonymizer-core -> phonenumber -> postcard -> heapless -> atomic-polyfill | Keep phonenumber for now; reconsider only with fixture-backed detector comparison and MSRV review |

Completed refresh work

The 2026-07-01 stable-track refresh applied or confirmed:

  • Tauri patch set updates for the active Tauri 2 line.
  • Frontend patch set updates for Vite, plugin React, ESLint, Knip, TypeScript ESLint, and related tooling.
  • Frontend major/typing cleanup for lucide-react and @types/node.
  • CI Node pins moved to Node 26, while package.json and frontend/package.json still allow Node >=22.13.0.
  • Rust patch/minor updates for open, unicode-segmentation, and criterion.

Future-focused upgrades

Keep these as separate PRs because each implies API or behavior review:

| Dependency | Future target | Check carefully |
| --- | --- | --- |
| quick-xml | 0.41.x | XML direct-input fixtures, local AI manifest/config handling, and release metadata parsing |
| reqwest | 0.13.x | Ollama status checks, model download streaming, blocking client usage, TLS features, and binary size |
| rand | 0.10.x | Pseudonym generation behavior, RNG construction APIs, tests that assume output shape, and benchmark variance |

If the Rust MSRV target rises to at least 1.88, a future spike can compare rlibphonenumber against the existing phone detection fixtures before replacing phonenumber.

Verification set for dependency changes

For dependency updates, use the full relevant gate:

```sh
npm ci --prefix frontend
npm run frontend:audit
npm run cargo:audit:required
npm run test
npm run lint
npm run release:check
npm run frontend:e2e
npm run frontend:a11y
npm run deadcode:required
node scripts/rust-smoke.mjs
```

Run npm run linux:package-manager:check on Linux or in CI for package-affecting updates.

Related pages: Dependencies, Tooling, and Complexity hotspots.