Skip to content

Fix Scorecard vulnerability findings#7178

Draft
Imagineer99 wants to merge 1 commit into
unslothai:mainfrom
Imagineer99:fix/security-vulnerabilities-265
Draft

Fix Scorecard vulnerability findings#7178
Imagineer99 wants to merge 1 commit into
unslothai:mainfrom
Imagineer99:fix/security-vulnerabilities-265

Conversation

@Imagineer99

@Imagineer99 Imagineer99 commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • update the frontend lockfile to patched @babel/core, dompurify, and js-yaml releases
  • update the Tauri lockfile to patched anyhow and serde_with releases
  • document time-bounded OSV exceptions for unmaintained Tauri transitive dependencies and reachability-reviewed advisories
  • narrowly ignore OSV Scanner v1.9.2's synthetic 0.0.0 matches for intentionally unpinned MoE test requirements

Security analysis

The current Scorecard SARIF reports 59 grouped findings. The fixable npm and Rust dependencies are upgraded rather than ignored.

The remaining Rust entries are either informational maintenance advisories without a selectable patched release in Tauri's current GTK3 graph, or advisories reviewed against the resolved consumers and found unreachable. All exceptions expire on 2026-10-16.

The Python findings come from Scorecard's embedded OSV Scanner v1.9.2 assigning version 0.0.0 to unpinned test requirements. OSV Scanner v2 does not report those requirements. The package overrides match only the synthetic 0.0.0 version, so concrete versions remain scanned.

Validation

  • exact Scorecard OSV Scanner v1.9.2: 59 grouped findings before, 0 after
  • repository-pinned OSV Scanner v2.0.2: 0 findings
  • npm audit --audit-level=high: pass, 0 vulnerabilities
  • npm run typecheck: pass
  • npm run build: pass
  • python3 scripts/lockfile_supply_chain_audit.py: pass, 0 findings
  • cargo metadata --locked: pass
  • cargo fetch --locked --target x86_64-pc-windows-msvc: pass
  • git diff --check: pass

cargo check --locked compiled the updated dependencies locally until the Linux host's missing dbus-1 development headers stopped libdbus-sys. The draft PR CI can provide the full native dependency environment.

Addresses Code Scanning alert 265.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates various frontend and backend dependencies in package-lock.json and Cargo.lock, and introduces osv-scanner.toml configuration files to manage vulnerability alerts. The review feedback correctly identifies copy-paste typos in several RUSTSEC IDs (RUSTSEC-2026-0097, RUSTSEC-2026-0194, and RUSTSEC-2026-0195) where the year was incorrectly set to 2026, which would prevent OSV-Scanner from properly matching and ignoring the intended advisories.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

reason = "The affected glib::VariantStrIter iterator APIs are unused by Unsloth and its resolved transitive crates; Tauri's GTK3 stack currently constrains glib below 0.20."

[[IgnoredVulns]]
id = "RUSTSEC-2026-0097"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The RUSTSEC ID RUSTSEC-2026-0097 contains an incorrect year (2026), which appears to be a copy-paste typo from the ignoreUntil date (2026-10-16). This incorrect ID will prevent OSV-Scanner from matching and ignoring the intended vulnerability. Please use the correct RUSTSEC ID (such as RUSTSEC-2024-0097 or RUSTSEC-2025-0097 depending on the actual advisory).

reason = "rand 0.7.3 is build-only through phf_codegen and uses a deterministically seeded SmallRng; the advisory requires ThreadRng plus a custom logger, and rand 0.7.3 has no log feature."

[[IgnoredVulns]]
id = "RUSTSEC-2026-0194"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The RUSTSEC ID RUSTSEC-2026-0194 contains an incorrect year (2026), which appears to be a copy-paste typo from the ignoreUntil date (2026-10-16). This incorrect ID will prevent OSV-Scanner from matching and ignoring the intended vulnerability. Please use the correct RUSTSEC ID (such as RUSTSEC-2024-0194 or RUSTSEC-2025-0194 depending on the actual advisory).

reason = "The quick-xml consumers do not parse attacker-controlled attributes: WinRT notification uses only escape(), plist never iterates attributes, and wayland-scanner parses trusted build-time protocol XML."

[[IgnoredVulns]]
id = "RUSTSEC-2026-0195"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The RUSTSEC ID RUSTSEC-2026-0195 contains an incorrect year (2026), which appears to be a copy-paste typo from the ignoreUntil date (2026-10-16). This incorrect ID will prevent OSV-Scanner from matching and ignoring the intended vulnerability. Please use the correct RUSTSEC ID (such as RUSTSEC-2024-0195 or RUSTSEC-2025-0195 depending on the actual advisory).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant