chore: bump all dependencies to latest versions#31

Open
reatlat wants to merge 1 commit intoaptabase:mainfrom
freshjuice-dev:chore/bump-all-dependencies

Conversation


@reatlat reatlat commented Feb 8, 2026

Summary

Update all Rust and JavaScript dependencies to their latest versions. Keeping dependencies current is critical for security, stability, and compatibility.

Security Fixes Included

RUSTSEC-2025-0023 — tokio (memory corruption)

  • Affected: tokio 1.43.0 (our old version)
  • Fixed in: >= 1.43.1
  • Impact: The broadcast channel internally calls clone() on stored values requiring only T: Send but not T: Sync. This is unsound because clone implementations for !Sync types can trigger undefined behavior and memory corruption when called from multiple threads.
  • Upgrade: 1.43.0 → 1.49.0

Tauri use-after-free unsoundness (v2.3.0)

  • Affected: tauri < 2.3.0 (our old 2.2.5)
  • Impact: Manager::unmanage could result in a use-after-free / dangling pointer when retaining a reference to managed state while calling unmanage(). The method has been deprecated and replaced with a safe alternative.
  • Upgrade: 2.2.5 → 2.10.2

Tauri security hardening (v2.4.0–v2.10.2)

  • v2.4.0: Added build > removeUnusedCommands to strip unused IPC commands at compile time, reducing attack surface
  • v2.6.0: Callbacks now register within window.__TAURI_INTERNALS__.callbacks instead of directly on window, reducing exposure surface
  • v2.7.0: Fixed isolation pattern creating iframes within iframes on Windows, which could affect the security boundary

reqwest — TLS security improvement

  • Upgrade: 0.12.12 → 0.13.2
  • reqwest v0.13 defaults to rustls instead of native-tls, avoiding the attack surface of C-based TLS libraries (OpenSSL). This is a meaningful security posture improvement.

All Updates

Rust (Cargo.toml)

| Package | Old | New |
|---|---|---|
| tauri | 2.2.5 | 2.10.2 |
| tauri-plugin | 2.0.4 | 2.5.3 |
| tokio | 1.43.0 | 1.49.0 |
| serde | 1.0.217 | 1.0.228 |
| serde_json | 1.0.138 | 1.0.149 |
| reqwest | 0.12.12 | 0.13.2 |
| time | 0.3.37 | 0.3.47 |
| os_info | 3.9.2 | 3.14.0 |
| rand | 0.9.0 | 0.10.0 |
| log | 0.4.25 | 0.4.29 |

JavaScript (package.json)

| Package | Old | New |
|---|---|---|
| @tauri-apps/api | ^2.1.1 | ^2.10.1 |
| @rollup/plugin-node-resolve | ^15.3.0 | ^16.0.3 |
| @rollup/plugin-typescript | ^12.1.1 | ^12.3.0 |
| rollup | ^4.27.4 | ^4.57.1 |
| typescript | ^5.7.2 | ^5.9.3 |

Example project

All dependencies bumped to latest (tauri, svelte, vite, etc.)

Code Changes

Minimal code change required by the rand 0.10.0 API: `use rand::Rng` → `use rand::RngExt` (the trait was renamed).

Testing

  • cargo check passes with zero errors
  • ✅ All dependency versions verified against crates.io and npm registry

Rust:
- tauri 2.2.5 → 2.10.2
- tauri-plugin 2.0.4 → 2.5.3
- tokio 1.43.0 → 1.49.0
- serde 1.0.217 → 1.0.228
- serde_json 1.0.138 → 1.0.149
- reqwest 0.12.12 → 0.13.2
- time 0.3.37 → 0.3.47
- os_info 3.9.2 → 3.14.0
- rand 0.9.0 → 0.10.0
- log 0.4.25 → 0.4.29

JavaScript:
- @tauri-apps/api ^2.1.1 → ^2.10.1
- @rollup/plugin-node-resolve ^15.3.0 → ^16.0.3
- @rollup/plugin-typescript ^12.1.1 → ^12.3.0
- rollup ^4.27.4 → ^4.57.1
- typescript ^5.7.2 → ^5.9.3

Example project dependencies updated to latest as well.
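The two advisories the PR cites (tokio broadcast unsoundness fixed in 1.43.1, tauri `Manager::unmanage` use-after-free fixed in 2.3.0) are exactly the kind of thing a reviewer wants to confirm against the lockfile rather than Cargo.toml, since Cargo.lock records the resolved versions. The following is an added example and not code from this PR or the aptabase project: a std-only Rust program that parses the `[[package]]` entries of a Cargo.lock and flags any entry whose resolved version is below the first fixed version listed in the PR. The advisory table uses only the versions stated in the PR description (the tauri issue has no advisory id on the page, so it carries a placeholder label), and the two Cargo.lock snippets are constructed to mimic the before/after state of this PR.

```rust
// Added example (not part of the PR or the project). Scans Cargo.lock text for
// packages resolved below an advisory's first fixed version.
use std::fmt;

/// Minimal semver triple; pre-release/build metadata is ignored for this check.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl fmt::Display for Version {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}.{}.{}", self.0, self.1, self.2)
    }
}

/// Parse "1.43.0" or "2.10.2-beta.1" into a Version; returns None on garbage.
pub fn parse_version(s: &str) -> Option<Version> {
    let core = s.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.trim().parse::<u64>().ok());
    let major = parts.next()??;
    let minor = parts.next().unwrap_or(Some(0))?;
    let patch = parts.next().unwrap_or(Some(0))?;
    Some(Version(major, minor, patch))
}

pub struct Advisory {
    pub id: &'static str,
    pub package: &'static str,
    /// First version that is no longer affected (lower bound only; see usage note).
    pub fixed_in: Version,
}

/// Advisory facts as stated in the PR description. The tauri entry has no
/// advisory id on the page, so its id is a placeholder label.
pub const ADVISORIES: &[Advisory] = &[
    Advisory { id: "RUSTSEC-2025-0023", package: "tokio", fixed_in: Version(1, 43, 1) },
    Advisory { id: "tauri-unmanage-uaf (no advisory id given in PR)", package: "tauri", fixed_in: Version(2, 3, 0) },
];

/// Extract (name, version) pairs from the `[[package]]` tables of a Cargo.lock.
/// Each table is handled separately, so duplicate crates at different versions are kept.
pub fn parse_cargo_lock(text: &str) -> Vec<(String, String)> {
    fn push(name: &mut Option<String>, ver: &mut Option<String>, out: &mut Vec<(String, String)>) {
        if let (Some(n), Some(v)) = (name.take(), ver.take()) {
            out.push((n, v));
        }
    }
    let mut out = Vec::new();
    let (mut name, mut ver) = (None, None);
    let mut in_package = false;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            push(&mut name, &mut ver, &mut out);
            in_package = true;
        } else if line.starts_with('[') {
            push(&mut name, &mut ver, &mut out);
            in_package = false;
        } else if in_package {
            if let Some(v) = line.strip_prefix("name = ") {
                name = Some(v.trim().trim_matches('"').to_string());
            } else if let Some(v) = line.strip_prefix("version = ") {
                ver = Some(v.trim().trim_matches('"').to_string());
            }
        }
    }
    push(&mut name, &mut ver, &mut out);
    out
}

#[derive(Debug, PartialEq, Eq)]
pub struct Finding {
    pub package: String,
    pub version: String,
    pub advisory: &'static str,
    pub fixed_in: Version,
}

/// Report every locked package whose version is below an advisory's fixed_in.
pub fn audit(lock_text: &str, advisories: &[Advisory]) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (name, ver) in parse_cargo_lock(lock_text) {
        if let Some(parsed) = parse_version(&ver) {
            for adv in advisories.iter().filter(|a| a.package == name) {
                if parsed < adv.fixed_in {
                    findings.push(Finding { package: name.clone(), version: ver.clone(), advisory: adv.id, fixed_in: adv.fixed_in });
                }
            }
        }
    }
    findings
}

// Constructed lockfile fragments mirroring the PR's old and new resolved versions.
pub const SAMPLE_LOCK_BEFORE: &str = r#"
version = 3

[[package]]
name = "log"
version = "0.4.25"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tauri"
version = "2.2.5"

[[package]]
name = "tokio"
version = "1.43.0"
"#;

pub const SAMPLE_LOCK_AFTER: &str = r#"
version = 3

[[package]]
name = "tauri"
version = "2.10.2"

[[package]]
name = "tokio"
version = "1.49.0"
"#;

fn main() {
    for (label, lock) in [("before", SAMPLE_LOCK_BEFORE), ("after", SAMPLE_LOCK_AFTER)] {
        let findings = audit(lock, ADVISORIES);
        println!("{label}: {} finding(s)", findings.len());
        for f in &findings {
            println!("  {} {} < {} [{}]", f.package, f.version, f.fixed_in, f.advisory);
        }
    }
}
```

The check is deliberately a single lower bound per advisory, which is a simplification: an advisory such as the tokio one can carry several patched releases on older minor branches, and a lower-bound check would flag a patched older branch as still affected. Real tooling (`cargo audit` against the RustSec database) evaluates the full patched ranges; the value of a small script like this is as a quick, offline sanity check that the lockfile actually moved past the versions the PR claims.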
