This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate tauri

Dependencies

(32 total, 2 insecure)

Crate             Required        Latest    Status
serde_json        ^1.0            1.0.64    up to date
serde             ^1.0            1.0.125   up to date
base64            ^0.13.0         0.13.0    up to date
tokio             ^1.5            1.5.0     up to date
futures           ^0.3            0.3.14    up to date
uuid              ^0.8.2          0.8.2     up to date
thiserror         ^1.0.24         1.0.24    up to date
once_cell         ^1.7.2          1.7.2     up to date
rand              ^0.8            0.8.3     up to date
reqwest           ^0.11           0.11.3    up to date
tempfile          ^3              3.2.0     up to date
semver            ^0.11           0.11.0    up to date
serde_repr        ^0.1            0.1.6     up to date
dirs-next         ^2.0.0          2.0.0     up to date
zip               ^0.5.12         0.5.12    up to date
ignore            ^0.4.17         0.4.17    up to date
either            ^1.6.1          1.6.1     up to date
tar               ^0.4            0.4.33    insecure
flate2            ^1.0            1.0.20    up to date
rfd               ^0.3.0          0.3.0     up to date
tinyfiledialogs   ^3.3            3.3.10    up to date
bytes             ^1              1.0.1     up to date
http              ^0.2            0.2.4     up to date
clap              =3.0.0-beta.2   2.33.3    up to date
notify-rust       ^4.5.0          4.5.0     up to date
tauri-hotkey      ^0.1.2          0.1.2     up to date
open              ^1.7.0          1.7.0     up to date
shared_child      ^0.3            0.3.5     up to date
os_pipe           ^0.9            0.9.2     up to date
minisign-verify   ^0.1.8          0.1.8     up to date
image             ^0.23           0.23.14   insecure
state             ^0.4            0.4.2     up to date

Dev dependencies

(7 total, all up-to-date)

Crate               Required   Latest    Status
proptest            ^1.0.0     1.0.0     up to date
serde_json          ^1.0       1.0.64    up to date
serde               ^1.0       1.0.125   up to date
quickcheck          ^1.0.3     1.0.3     up to date
quickcheck_macros   ^1.0.0     1.0.0     up to date
tokio-test          ^0.4.1     0.4.1     up to date
mockito             ^0.30      0.30.0    up to date

Build dependencies

(1 total, all up-to-date)

Crate         Required   Latest   Status
cfg_aliases   ^0.1.1     0.1.1    up to date

Crate tauri-macros

Dependencies

(3 total, all up-to-date)

Crate         Required   Latest   Status
proc-macro2   ^1         1.0.26   up to date
quote         ^1         1.0.9    up to date
syn           ^1         1.0.72   up to date

Crate tauri-utils

Dependencies

(10 total, all up-to-date)

Crate         Required   Latest             Status
serde         ^1.0       1.0.125            up to date
serde_json    ^1.0       1.0.64             up to date
thiserror     ^1.0.24    1.0.24             up to date
phf           ^0.8       0.8.0              up to date
zstd          ^0.8       0.8.0+zstd.1.4.9   up to date
url           ^2.2       2.2.1              up to date
kuchiki       ^0.8       0.8.1              up to date
html5ever     ^0.25      0.25.1             up to date
proc-macro2   ^1.0       1.0.26             up to date
quote         ^1.0       1.0.9              up to date

Crate tauri-build

Dependencies

(3 total, all up-to-date)

Crate         Required   Latest   Status
anyhow        ^1         1.0.40   up to date
proc-macro2   ^1         1.0.26   up to date
quote         ^1         1.0.9    up to date

Crate tauri-codegen

Dependencies

(8 total, all up-to-date)

Crate         Required   Latest             Status
blake3        ^0.3       0.3.7              up to date
proc-macro2   ^1         1.0.26             up to date
quote         ^1         1.0.9              up to date
serde         ^1         1.0.125            up to date
serde_json    ^1         1.0.64             up to date
thiserror     ^1         1.0.24             up to date
walkdir       ^2         2.3.2              up to date
zstd          ^0.8       0.8.0+zstd.1.4.9   up to date

Crate api

Dependencies

(2 total, all up-to-date)

Crate        Required   Latest    Status
serde_json   ^1.0       1.0.64    up to date
serde        ^1.0       1.0.125   up to date

Crate helloworld

Dependencies

(2 total, all up-to-date)

Crate        Required   Latest    Status
serde_json   ^1.0       1.0.64    up to date
serde        ^1.0       1.0.125   up to date

Crate multiwindow

No external dependencies! 🙌

Crate commands

Dependencies

(2 total, all up-to-date)

Crate        Required   Latest    Status
serde_json   ^1.0       1.0.64    up to date
serde        ^1.0       1.0.125   up to date

Crate splashscreen

No external dependencies! 🙌

Crate state

Dependencies

(2 total, all up-to-date)

Crate        Required   Latest    Status
serde_json   ^1.0       1.0.64    up to date
serde        ^1.0       1.0.125   up to date

Crate navigation

Dependencies

(2 total, all up-to-date)

Crate        Required   Latest    Status
serde_json   ^1.0       1.0.64    up to date
serde        ^1.0       1.0.125   up to date

Crate updater-example

Dependencies

(2 total, all up-to-date)

Crate        Required   Latest    Status
serde_json   ^1.0       1.0.64    up to date
serde        ^1.0       1.0.125   up to date

Security Vulnerabilities

tar: Links in archives can overwrite any existing file

RUSTSEC-2018-0002

When unpacking a tarball with the unpack_in family of functions, the intent is that only files within the specified directory can be written. Tarballs with hard links or symlinks, however, can be used to overwrite any file on the filesystem.

Tarballs can contain multiple entries for the same file. If a tarball first contains an entry for a hard link or symlink pointing to any file on the filesystem, that link is created; if the same file is then listed again later in the tarball, the link is written through, and so any file on the filesystem can be overwritten.

This has been fixed in https://github.com/alexcrichton/tar-rs/pull/156 and is published as tar 0.4.16. Thanks to Max Justicz for discovering this and emailing about the issue!

image: Mutable reference with immutable provenance

RUSTSEC-2020-0073

A mutable reference to a struct was constructed by dereferencing a pointer obtained from slice::as_ptr. Instead, slice::as_mut_ptr should have been called on the mutable slice argument. The former performs an implicit reborrow as an immutable shared reference which does not allow writing through the derived pointer.

There is no evidence for miscompilation, exploitable or otherwise, caused by this bug. Further investigation on Zulip suggests that the unoptimized generated LLVM IR does not contain any UB itself, effectively mitigating further effects.