
Track glib advisory blocked by Tauri GTK dependency chain #280

@meiiie

Description


Problem

GitHub Dependabot alert #19 reports glib <0.20.0 as a medium severity advisory.

Current state

  • cargo update -p tauri --precise 2.11.1 succeeds and resolves the Tauri advisory path.
  • cargo update -p glib --precise 0.20.0 fails because gtk v0.18.2, pulled transitively by tauri v2.11.1, requires glib = ^0.18.
  • cargo tree --target all -i glib shows the Linux GTK/WebKit/tray-icon path as the source.

Acceptance criteria

  • Re-evaluate when the Tauri/Wry/GTK stack exposes a compatible glib >=0.20.0 path, or when the advisory can be scoped/suppressed with a documented target-platform rationale.
  • Do not force a [patch] or incompatible direct dependency override that leaves two glib versions or breaks Linux builds.

Verification already run

  • cargo update -p glib --precise 0.20.0 failed with resolver error requiring glib ^0.18 from gtk v0.18.2.
  • cargo tree --target all -i glib captured the dependency chain.
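A lockfile audit for the state this issue tracks, added here as an example and not code from the issue or the project: it reads a Cargo.lock and fails on any glib below 0.20.0 (the advisory's fixed version) or on two resolved glib versions, the outcome the acceptance criteria rule out. The make_lock helper and the sample package set are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the project's code): audit a Cargo.lock for the glib
# state this issue tracks; fails on any glib < 0.20.0 or on two glib versions.

# make_lock <file> name:version ...: write a minimal constructed Cargo.lock.
make_lock() {
  out=$1; shift
  : > "$out"
  for pkg in "$@"; do
    printf '[[package]]\nname = "%s"\nversion = "%s"\n\n' \
      "${pkg%%:*}" "${pkg#*:}" >> "$out"
  done
}

# glib_versions <lockfile>: print every resolved version of the glib crate,
# one per line, in lockfile order.
glib_versions() {
  awk '
    /^\[\[package\]\]/ { name = "" }
    /^name = /         { gsub(/"/, "", $3); name = $3 }
    /^version = /      { gsub(/"/, "", $3); if (name == "glib") print $3 }
  ' "$1"
}

# check_glib_advisory <lockfile>: 0 if no glib or exactly one glib >= 0.20.0
# is resolved, 1 otherwise (diagnostics go to stderr).
check_glib_advisory() {
  count=0; bad=0
  for v in $(glib_versions "$1"); do
    count=$((count + 1))
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    if [ "$major" -eq 0 ] && [ "$minor" -lt 20 ]; then
      echo "glib $v is below the fixed version 0.20.0" >&2; bad=1
    fi
  done
  if [ "$count" -gt 1 ]; then
    echo "$count glib versions resolved; an override left a split tree" >&2
    return 1
  fi
  return "$bad"
}

# Usage: sh glib_check.sh [Cargo.lock]; with no argument, audit a constructed
# lockfile mirroring the chain in this issue (tauri -> gtk 0.18 -> glib 0.18).
if [ -n "$1" ]; then
  check_glib_advisory "$1"
else
  tmp=$(mktemp); make_lock "$tmp" tauri:2.11.1 gtk:0.18.2 glib:0.18.5
  check_glib_advisory "$tmp" || echo "sample lockfile is still on the advisory path"
  rm -f "$tmp"
fi
```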
