Skip to content

Resolve the remaining dependency security alerts #166

Description

@ApocDev

GitHub currently reports six open Dependabot alerts across the app, documentation site, and desktop shell. The production-versus-development audit does not justify treating them as near-term product work.

Verified scope

  • Four alerts come from docs/pnpm-lock.yaml: Vite 5.4.21 and esbuild 0.21.5 development-server behavior. These packages build and locally serve the documentation site; they are not included in the PyOps desktop application.
  • The app esbuild advisory resolves through drizzle-kit CLI dependencies. PyOps runtime provisioning explicitly uses checked-in migrations without importing drizzle-kit, and no app runtime code invokes esbuild's vulnerable development server API.
  • glib 0.18.5 is part of Tauri's Linux GTK/WebKit dependency tree and therefore is compiled into Linux desktop builds. However, the advisory is limited to VariantStrIter; repository and dependency-source searches find no use of array_iter_str/VariantStrIter outside glib's own implementation and tests. Tauri's own current audit configuration explicitly suppresses RUSTSEC-2024-0429 because fixing it requires the upstream GTK4 transition.

Priority decision

Defer this as routine toolchain maintenance. Re-evaluate sooner only if PyOps begins using the affected glib iterator, Tauri adopts GTK4/a patched glib, or a new alert affects an exercised packaged-runtime path.

Later cleanup plan

  1. Upgrade the docs Vite/VitePress/Vite+ dependency set to mutually compatible patched versions.
  2. Refresh or dismiss the app esbuild alert with the recorded dependency-path and runtime-use evidence.
  3. Adopt the patched glib dependency when Tauri's supported Linux stack permits it; until then, keep the upstream suppression rationale documented.
  4. Run app, docs, and Rust/Tauri checks for any changed lockfiles and verify GitHub's remaining alerts all have explicit dispositions.

Done when

Every current alert is either fixed by a verified dependency update or dismissed with a precise repository-specific reason, without incompatible blanket overrides.

Part of #89.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area: webWeb UI (React/TanStack/vite-plus)

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions