You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
v3.0.4 is a small but meaningful maintenance release. There are no product changes, no UI changes, and no request-policy changes - this one exists purely to clear open security alerts and to get the tag-driven Windows installer build running again.
What actually changed
Dependabot security alerts resolved. Two transitive Rust dependencies were bumped to clear upstream advisories:
rustls-webpki → 0.103.12
rand → 0.9.3
Dependabot config, take two. The multi-ecosystem config I tried to set up in the v3.0.3 cycle was technically invalid and Dependabot quietly ignored it. It's now a valid version: 2 setup covering cargo, npm (desktop), and github-actions under one weekly batch, so the whole dependency tree is under a single review cadence again.
Release workflow unblocked. The repo now enforces allowed_actions: selected together with sha_pinning_required: true. Two third-party GitHub Actions that previously lived in the release path were not on the allow-list and caused the tag-triggered workflow to fail at startup with zero jobs scheduled:
dtolnay/rust-toolchain → replaced with a direct rustup toolchain install stable --profile minimal
softprops/action-gh-release → replaced with the preinstalled gh release create / gh release upload CLI, authenticated via the built-in GITHUB_TOKEN
Net result: zero third-party actions remain on the Windows installer release path. The only actions in play now are actions/checkout, actions/setup-node, and actions/upload-artifact, all pinned by commit SHA.
What this means for users
If you're running v3.0.3, there is nothing in v3.0.4 that forces an upgrade from a feature standpoint. But:
if you care about the dependency security posture, v3.0.4 is the clean baseline going forward
if you're pulling the Windows installer from GitHub Releases, v3.0.4 is the first release under the stricter "zero third-party actions on the release path" policy
What I'd love feedback on
did the v3.0.4 installer land cleanly on your Windows machine?
did the .sha256 checksum file match what you got from the .exe?
anything that regressed against v3.0.3 for you?
Thanks for using Fuseprobe 🙌 - the next release line will get back to product work.
Notes
no product-scope changes
no security-policy changes on the desktop request path
no UI or localization changes
the Windows installer remains unsigned and the Windows x64 NSIS setup executable is still the canonical distribution artifact
Security Review
rustls-webpki was bumped through the Cargo security-updates group to clear the upstream advisory reported by Dependabot for the Rust dependency tree
rand was bumped as a companion transitive update so the rustls/quinn path stays on a coherent dependency set
pinning CI and release actions by commit SHA closes the remaining "floating action ref" finding that was left open after the v3.0.3 release notes were written but before the pinning commit actually landed
the Rust toolchain bootstrap step no longer depends on a third-party action allow-list entry, which removes an external trust point from the Windows installer build path
CI Fix
The previous tag-triggered Release Desktop run was blocked at workflow startup because the repository enforces allowed_actions: selected plus sha_pinning_required: true, and two third-party actions (dtolnay/rust-toolchain and softprops/action-gh-release) were not on the allow-list under that policy. Both actions are now gone from the release path:
Rust toolchain setup runs rustup directly instead of the third-party action
release asset creation and upload now use the gh release create / gh release upload CLI that ships preinstalled on GitHub runners, authenticated with the built-in GITHUB_TOKEN
This keeps the Windows installer build reproducible with zero third-party actions on the release path.
Local Verification
The release candidate was verified locally before tagging with:
For Windows users, the intended delivery path is the release *-setup.exe asset attached to the GitHub Release, plus the matching *.sha256 file when published.
Maintainer Verification
Before treating v3.0.4 as shipped:
confirm the Release Desktop workflow triggered by the v3.0.4 tag completes successfully on GitHub Actions
confirm the GitHub Release contains the expected Fuseprobe_3.0.4_x64-setup.exe asset
confirm the release also contains the matching Fuseprobe_3.0.4_x64-setup.exe.sha256 asset
download the installer and checksum onto a clean Windows machine
verify the checksum matches before launch
run the installer and launch Fuseprobe from the installed shortcut or Start menu entry
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Fuseprobe v3.0.4 - CI & Security Maintenance Release
Hey everyone 👋
v3.0.4 is a small but meaningful maintenance release. There are no product changes, no UI changes, and no request-policy changes - this one exists purely to clear open security alerts and to get the tag-driven Windows installer build running again.
What actually changed
Dependabot security alerts resolved. Two transitive Rust dependencies were bumped to clear upstream advisories:
rustls-webpki → 0.103.12
rand → 0.9.3
Dependabot config, take two. The multi-ecosystem config I tried to set up in the v3.0.3 cycle was technically invalid and Dependabot quietly ignored it. It's now a valid version: 2 setup covering cargo, npm (desktop), and github-actions under one weekly batch, so the whole dependency tree is under a single review cadence again.
Release workflow unblocked. The repo now enforces allowed_actions: selected together with sha_pinning_required: true. Two third-party GitHub Actions that previously lived in the release path were not on the allow-list and caused the tag-triggered workflow to fail at startup with zero jobs scheduled:
dtolnay/rust-toolchain → replaced with a direct rustup toolchain install stable --profile minimal
softprops/action-gh-release → replaced with the preinstalled gh release create / gh release upload CLI, authenticated via the built-in GITHUB_TOKEN
Net result: zero third-party actions remain on the Windows installer release path. The only actions in play now are actions/checkout, actions/setup-node, and actions/upload-artifact, all pinned by commit SHA.
What this means for users
If you're running v3.0.3, there is nothing in v3.0.4 that forces an upgrade from a feature standpoint. But:
if you care about the dependency security posture, v3.0.4 is the clean baseline going forward
if you're pulling the Windows installer from GitHub Releases, v3.0.4 is the first release under the stricter "zero third-party actions on the release path" policy
What I'd love feedback on
did the v3.0.4 installer land cleanly on your Windows machine?
did the .sha256 checksum file match what you got from the .exe?
anything that regressed against v3.0.3 for you?
Thanks for using Fuseprobe 🙌 - the next release line will get back to product work.
Notes
Security Review
rustls-webpkiwas bumped through the Cargosecurity-updatesgroup to clear the upstream advisory reported by Dependabot for the Rust dependency treerandwas bumped as a companion transitive update so therustls/quinnpath stays on a coherent dependency setv3.0.3release notes were written but before the pinning commit actually landedCI Fix
The previous tag-triggered
Release Desktoprun was blocked at workflow startup because the repository enforcesallowed_actions: selectedplussha_pinning_required: true, and two third-party actions (dtolnay/rust-toolchainandsoftprops/action-gh-release) were not on the allow-list under that policy. Both actions are now gone from the release path:rustupdirectly instead of the third-party actiongh release create/gh release uploadCLI that ships preinstalled on GitHub runners, authenticated with the built-inGITHUB_TOKENThis keeps the Windows installer build reproducible with zero third-party actions on the release path.
Local Verification
The release candidate was verified locally before tagging with:
npm --prefix apps/desktop test -- --runnpm --prefix apps/desktop run buildcargo testnpm --prefix apps/desktop run tauri:buildLocal package artifact:
target/release/bundle/nsis/Fuseprobe_3.0.4_x64-setup.exeInstall Note
For Windows users, the intended delivery path is the release
*-setup.exeasset attached to the GitHub Release, plus the matching*.sha256file when published.Maintainer Verification
Before treating
v3.0.4as shipped:Release Desktopworkflow triggered by thev3.0.4tag completes successfully on GitHub ActionsFuseprobe_3.0.4_x64-setup.exeassetFuseprobe_3.0.4_x64-setup.exe.sha256asset3.0.4Beta Was this translation helpful? Give feedback.
All reactions