Security: cargo audit reports unmaintained dependencies in Tauri ecosystem #88
Open
Labels
priority: low, security
Description
Summary
cargo audit reports 7 warnings for unmaintained crates in the Tauri dependency tree. All are transitive dependencies - not directly controlled by this project.
Advisory Details
| Crate | Advisory | Status |
|---|---|---|
| fxhash 0.2.1 | RUSTSEC-2025-0057 | Unmaintained |
| proc-macro-error 1.0.4 | RUSTSEC-2024-0370 | Unmaintained |
| unic-char-property 0.9.0 | RUSTSEC-2025-0081 | Unmaintained |
| unic-char-range 0.9.0 | RUSTSEC-2025-0075 | Unmaintained |
| unic-common 0.9.0 | RUSTSEC-2025-0080 | Unmaintained |
| unic-ucd-ident 0.9.0 | RUSTSEC-2025-0100 | Unmaintained |
| unic-ucd-version 0.9.0 | RUSTSEC-2025-0098 | Unmaintained |
Dependency Trees
fxhash
```
fxhash 0.2.1
└── selectors 0.24.0
    └── kuchikiki 0.8.8-speedreader
        └── wry 0.53.5
            └── tauri-runtime-wry → tauri
```
proc-macro-error
```
proc-macro-error 1.0.4
├── gtk3-macros 0.18.2
│   └── gtk 0.18.2 → wry → tauri
└── glib-macros 0.18.5
    └── glib 0.18.5 → gtk/webkit/gio
```
unic-* crates
```
unic-* crates
└── unic-ucd-ident 0.9.0
    └── urlpattern 0.3.0
        └── tauri-utils 2.8.1
            └── tauri
```
Impact
- All warnings are for unmaintained crates, not active security vulnerabilities
- All are transitive dependencies from Tauri ecosystem (wry, webkit2gtk, tauri-utils)
- We cannot directly update these - they need to be addressed upstream by Tauri maintainers
- No immediate security risk - "unmaintained" means no new features/bugfixes, not that they're exploitable
Recommended Actions
- Monitor Tauri releases for updates that address these dependencies
- Update Tauri when new versions are available: `cargo update tauri`
- Track upstream issues:
  - Check tauri-apps/tauri for related discussions
Risk Assessment
- Low priority - These are "unmaintained" warnings, not active vulnerabilities
- Cannot be fixed directly - requires upstream Tauri updates
- Re-run `cargo audit` periodically to check for resolution
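Added example (not part of the original issue or the project's code): one way to make the periodic re-run actionable is to compare each `cargo audit --json` report against the seven advisories tracked in this issue. The report layout used here (`vulnerabilities.list`, `warnings.<kind>[]` with `advisory.id` and `package.name`) is assumed to match cargo audit's JSON output; `triage`, `BASELINE`, the sample report and the placeholder advisory ID are constructed for illustration.

```python
import json

# Advisory IDs tracked in this issue (taken from the table above).
BASELINE = {
    "RUSTSEC-2025-0057", "RUSTSEC-2024-0370", "RUSTSEC-2025-0081",
    "RUSTSEC-2025-0075", "RUSTSEC-2025-0080", "RUSTSEC-2025-0100",
    "RUSTSEC-2025-0098",
}

def triage(report_json, baseline=BASELINE):
    """Split a `cargo audit --json` report (assumed layout) into real
    vulnerabilities, tracked warnings still open, tracked warnings that
    are resolved, and warnings not yet tracked."""
    report = json.loads(report_json)
    vulns = sorted(v["advisory"]["id"]
                   for v in report.get("vulnerabilities", {}).get("list", []))
    seen = set()
    for kind, entries in report.get("warnings", {}).items():
        for w in entries:
            adv = w.get("advisory")  # may be null, e.g. for yanked crates
            seen.add(adv["id"] if adv else f'{kind}:{w["package"]["name"]}')
    return {
        "vulnerabilities": vulns,
        "still_open": sorted(seen & baseline),
        "resolved": sorted(baseline - seen),
        "new_warnings": sorted(seen - baseline),
        # Fail only on real vulnerabilities or warnings nobody has triaged.
        "fail": bool(vulns or (seen - baseline)),
    }

# Constructed sample: a later run in which most tracked crates are gone
# and one untracked warning (placeholder ID, hypothetical crate) appears.
SAMPLE = json.dumps({
    "vulnerabilities": {"found": False, "count": 0, "list": []},
    "warnings": {"unmaintained": [
        {"kind": "unmaintained", "package": {"name": n, "version": v},
         "advisory": {"id": i}}
        for n, v, i in [
            ("proc-macro-error", "1.0.4", "RUSTSEC-2024-0370"),
            ("unic-ucd-ident", "0.9.0", "RUSTSEC-2025-0100"),
            ("example-crate", "0.0.0", "RUSTSEC-XXXX-NNNN"),
        ]
    ]},
})

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```
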