Fix Scorecard vulnerability findings#7178
Conversation
There was a problem hiding this comment.
Code Review
This pull request updates various frontend and backend dependencies in package-lock.json and Cargo.lock, and introduces osv-scanner.toml configuration files to manage vulnerability alerts. The review feedback correctly identifies copy-paste typos in several RUSTSEC IDs (RUSTSEC-2026-0097, RUSTSEC-2026-0194, and RUSTSEC-2026-0195) where the year was incorrectly set to 2026, which would prevent OSV-Scanner from properly matching and ignoring the intended advisories.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| reason = "The affected glib::VariantStrIter iterator APIs are unused by Unsloth and its resolved transitive crates; Tauri's GTK3 stack currently constrains glib below 0.20." | ||
|
|
||
| [[IgnoredVulns]] | ||
| id = "RUSTSEC-2026-0097" |
There was a problem hiding this comment.
The RUSTSEC ID RUSTSEC-2026-0097 contains an incorrect year (2026), which appears to be a copy-paste typo from the ignoreUntil date (2026-10-16). This incorrect ID will prevent OSV-Scanner from matching and ignoring the intended vulnerability. Please use the correct RUSTSEC ID (such as RUSTSEC-2024-0097 or RUSTSEC-2025-0097 depending on the actual advisory).
| reason = "rand 0.7.3 is build-only through phf_codegen and uses a deterministically seeded SmallRng; the advisory requires ThreadRng plus a custom logger, and rand 0.7.3 has no log feature." | ||
|
|
||
| [[IgnoredVulns]] | ||
| id = "RUSTSEC-2026-0194" |
There was a problem hiding this comment.
The RUSTSEC ID RUSTSEC-2026-0194 contains an incorrect year (2026), which appears to be a copy-paste typo from the ignoreUntil date (2026-10-16). This incorrect ID will prevent OSV-Scanner from matching and ignoring the intended vulnerability. Please use the correct RUSTSEC ID (such as RUSTSEC-2024-0194 or RUSTSEC-2025-0194 depending on the actual advisory).
| reason = "The quick-xml consumers do not parse attacker-controlled attributes: WinRT notification uses only escape(), plist never iterates attributes, and wayland-scanner parses trusted build-time protocol XML." | ||
|
|
||
| [[IgnoredVulns]] | ||
| id = "RUSTSEC-2026-0195" |
There was a problem hiding this comment.
The RUSTSEC ID RUSTSEC-2026-0195 contains an incorrect year (2026), which appears to be a copy-paste typo from the ignoreUntil date (2026-10-16). This incorrect ID will prevent OSV-Scanner from matching and ignoring the intended vulnerability. Please use the correct RUSTSEC ID (such as RUSTSEC-2024-0195 or RUSTSEC-2025-0195 depending on the actual advisory).
Summary
@babel/core,dompurify, andjs-yamlreleasesanyhowandserde_withreleases0.0.0matches for intentionally unpinned MoE test requirementsSecurity analysis
The current Scorecard SARIF reports 59 grouped findings. The fixable npm and Rust dependencies are upgraded rather than ignored.
The remaining Rust entries are either informational maintenance advisories without a selectable patched release in Tauri's current GTK3 graph, or advisories reviewed against the resolved consumers and found unreachable. All exceptions expire on 2026-10-16.
The Python findings come from Scorecard's embedded OSV Scanner v1.9.2 assigning version
0.0.0to unpinned test requirements. OSV Scanner v2 does not report those requirements. The package overrides match only the synthetic0.0.0version, so concrete versions remain scanned.Validation
npm audit --audit-level=high: pass, 0 vulnerabilitiesnpm run typecheck: passnpm run build: passpython3 scripts/lockfile_supply_chain_audit.py: pass, 0 findingscargo metadata --locked: passcargo fetch --locked --target x86_64-pc-windows-msvc: passgit diff --check: passcargo check --lockedcompiled the updated dependencies locally until the Linux host's missingdbus-1development headers stoppedlibdbus-sys. The draft PR CI can provide the full native dependency environment.Addresses Code Scanning alert 265.