Skip to content

reference dependencies

Douwe de Vries edited this page Jul 1, 2026 · 1 revision

Dependencies

CSV Anonymizer uses a Rust workspace for core and desktop code, plus a React/Vite frontend. Dependency freshness and audit follow-ups are tracked in docs/dependency-audit-followups.md.

Active contributors: Douwe de Vries

Counts and audit state

As of the 2026-07-01 dependency review:

  • Rust lockfile dependency count: 531.
  • cargo audit --json vulnerabilities: 0.
  • Informational RustSec warnings: 17 unmaintained packages and 1 unsound package.
  • Workspace dependency declarations in Cargo.toml: 27.
  • Frontend runtime dependencies in frontend/package.json: 4.
  • Frontend development dependencies in frontend/package.json: 21.

See Dependency freshness for warning paths and upgrade backlog.

Rust workspace dependencies

Root workspace dependency versions are declared in Cargo.toml.

Layer Dependencies Purpose
CSV and serialization csv, serde, serde_json CSV reading/writing and wire DTO serialization
Time, randomness, hashing support chrono, rand Timestamps and generated replacement values
Validation and detection regex, email_address, url, phonenumber, iban_validate, card-validate, vat_id_validator, ssn, ein Structured PII validators and detector support
Multilingual header detection unicode-normalization, unicode-segmentation, strsim Unicode-safe terms, word segmentation, and conservative fuzzy matching
Direct input parsing quick-xml, yaml_serde XML and YAML pasted-data workflows
Error handling thiserror Rust error types
Desktop shell tauri, tauri-build, tauri-plugin-dialog, directories, open Tauri runtime, file dialogs, settings paths, and opening output locations
Local AI HTTP reqwest Ollama status checks, generation calls, and model download streaming
Tests and benchmarks tempfile, criterion Temporary files and Criterion benchmarks

Rust crates by role

Crate Manifest Dependency role
Core crates/csv-anonymizer-core/Cargo.toml Depends on detector, parser, validator, serde, random, Unicode, XML/YAML, and error libraries
CLI harness crates/csv-anonymizer-app/Cargo.toml Uses the core crate for smoke and command-line flows
Tauri shell src-tauri/Cargo.toml Uses the core crate plus Tauri, dialog, settings, open, reqwest, and serde dependencies

Frontend dependencies

frontend/package.json runtime dependencies:

Dependency Purpose
react UI rendering
react-dom DOM rendering
@tauri-apps/api Tauri app and invoke APIs
lucide-react Icons

Development dependencies include:

  • Vite and React plugin: vite, @vitejs/plugin-react
  • TypeScript and Node/React types: typescript, @types/node, @types/react, @types/react-dom
  • Tests: vitest, jsdom, @testing-library/react, @testing-library/jest-dom, @testing-library/user-event
  • Browser and accessibility checks: @playwright/test, @axe-core/playwright
  • Linting: eslint, @eslint/js, typescript-eslint, eslint-plugin-react-hooks, eslint-plugin-react-refresh, globals
  • Dead code and build helpers: knip, esbuild

Tooling dependencies outside package manifests

Some required tools are installed by CI or expected locally:

  • Rust stable toolchain through dtolnay/rust-toolchain in CI.
  • cargo-audit for RustSec checks.
  • cargo-machete for unused Rust dependency scans.
  • Playwright Chromium for e2e and accessibility tests.
  • Linux packaging tools such as pkg-config, libwebkit2gtk-4.1-dev, rpm, rpm2cpio, libarchive-tools, desktop-file-utils, appstream, zstd, and gnupg.
  • GPG commands for APT repository and installer checks.
  • Python 3 for Linux package metadata validation and APT repository generation.

Upgrade notes

Keep dependency upgrades focused:

  • Tauri 2 patch updates should move together with TAURI_CLI_VERSION in .github/workflows/ci.yml and .github/workflows/release.yml.
  • quick-xml, reqwest, and rand future major/API upgrades should be separate PRs with targeted tests.
  • The Node engine floor remains >=22.13.0 even though CI currently pins Node 26, so do not rely on Node 26-only runtime APIs unless the engine floor changes.

Related pages: Dependency freshness, Tooling, and Configuration.

Clone this wiki locally