GitHub currently reports six open Dependabot alerts across the app, documentation site, and desktop shell. The production-versus-development audit does not justify treating them as near-term product work.
Verified scope
- Four alerts come from
docs/pnpm-lock.yaml: Vite 5.4.21 and esbuild 0.21.5 development-server behavior. These packages build and locally serve the documentation site; they are not included in the PyOps desktop application.
- The app esbuild advisory resolves through
drizzle-kit CLI dependencies. PyOps runtime provisioning explicitly uses checked-in migrations without importing drizzle-kit, and no app runtime code invokes esbuild's vulnerable development server API.
glib 0.18.5 is part of Tauri's Linux GTK/WebKit dependency tree and therefore is compiled into Linux desktop builds. However, the advisory is limited to VariantStrIter; repository and dependency-source searches find no use of array_iter_str/VariantStrIter outside glib's own implementation and tests. Tauri's own current audit configuration explicitly suppresses RUSTSEC-2024-0429 because fixing it requires the upstream GTK4 transition.
Priority decision
Defer this as routine toolchain maintenance. Re-evaluate sooner only if PyOps begins using the affected glib iterator, Tauri adopts GTK4/a patched glib, or a new alert affects an exercised packaged-runtime path.
Later cleanup plan
- Upgrade the docs Vite/VitePress/Vite+ dependency set to mutually compatible patched versions.
- Refresh or dismiss the app esbuild alert with the recorded dependency-path and runtime-use evidence.
- Adopt the patched glib dependency when Tauri's supported Linux stack permits it; until then, keep the upstream suppression rationale documented.
- Run app, docs, and Rust/Tauri checks for any changed lockfiles and verify GitHub's remaining alerts all have explicit dispositions.
Done when
Every current alert is either fixed by a verified dependency update or dismissed with a precise repository-specific reason, without incompatible blanket overrides.
Part of #89.
GitHub currently reports six open Dependabot alerts across the app, documentation site, and desktop shell. The production-versus-development audit does not justify treating them as near-term product work.
Verified scope
docs/pnpm-lock.yaml: Vite 5.4.21 and esbuild 0.21.5 development-server behavior. These packages build and locally serve the documentation site; they are not included in the PyOps desktop application.drizzle-kitCLI dependencies. PyOps runtime provisioning explicitly uses checked-in migrations without importingdrizzle-kit, and no app runtime code invokes esbuild's vulnerable development server API.glib 0.18.5is part of Tauri's Linux GTK/WebKit dependency tree and therefore is compiled into Linux desktop builds. However, the advisory is limited toVariantStrIter; repository and dependency-source searches find no use ofarray_iter_str/VariantStrIteroutside glib's own implementation and tests. Tauri's own current audit configuration explicitly suppresses RUSTSEC-2024-0429 because fixing it requires the upstream GTK4 transition.Priority decision
Defer this as routine toolchain maintenance. Re-evaluate sooner only if PyOps begins using the affected glib iterator, Tauri adopts GTK4/a patched glib, or a new alert affects an exercised packaged-runtime path.
Later cleanup plan
Done when
Every current alert is either fixed by a verified dependency update or dismissed with a precise repository-specific reason, without incompatible blanket overrides.
Part of #89.