[bug] Tauri 2.1.1 & 1.8.1 is affected by glib-rs 0.15 security vulnerability

[ilyagr]

Describe the bug

The tauri 1.8.1 Rust package currently requires [email protected] on Linux, but versions of glib (the Rust bindings) >=0.15 and <0.20 are affected by GHSA-wrw7-89jp-8q8g . I believe (but am not sure) that the nightly version of Tauri 1 probably depends on [email protected], which is also bad.

GitHub informed me about this in https://github.com/ilyagr/diffedit3/security/dependabot/10.

Reproduction

No response

Expected behavior

It'd be great if there was a tauri 1.18.2 that could work with glib 0.20 :)

Full tauri info output

N/A

Stack trace

No response

Additional context

No response

[FabianLars]

Since the gtk3 bindings are unmaintained I think this is a wontfix sadly. (We don't use glib directly ourselves)

[ilyagr]

If the gtk3 bindings are never made compatible with glib 0.20, another option might be to downgrade to gtk 0.14.3. Unless, of course, another security bug appears that affects older versions of some gtk dependency...

[ilyagr]

Actually, Tauri 2.1.1 also seems affected. It seems to be using gtk v0.18.2 which seems to depend on glib v0.18. I'm surprised it's not showing up in the Security tab of this repo; I guess you didn't enable dependency-based security warning.

Cc: #7335

[FabianLars]

We do see them in the Security tab, but only those with repo access can see that (afaik github doesn't allow us to make this public?).
And I think there's no gh issue because this is still not resolved: rustsec/audit-check#8

I doubt anyone in the community would be interested in forking the gtk3 bindings so i'll close this in favor of #7335 (but only because this unsound issue doesn't seem to affect us)