From 411cf05f31fd87bab6874c4005108dfe72f575f6 Mon Sep 17 00:00:00 2001
From: Seongho Bae
Date: Thu, 2 Jul 2026 15:20:17 +0900
Subject: [PATCH 5/8] fix: update anyhow for RustSec 2026-0190
---
apps/desktop/src-tauri/Cargo.lock | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apps/desktop/src-tauri/Cargo.lock b/apps/desktop/src-tauri/Cargo.lock
index 4d9ae737..0df254ea 100644
--- a/apps/desktop/src-tauri/Cargo.lock
+++ b/apps/desktop/src-tauri/Cargo.lock
@@ -28,9 +28,9 @@ dependencies = [
[[package]]
name = "anyhow"
-version = "1.0.102"
+version = "1.0.103"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
+checksum = "2a4385e2e34eb35d6b3efe798b9eb88096925d87726c0798709bf56d9ed84af3"
[[package]]
name = "atk"
From 3a4524f3b31a8d4dd234814ee731f490a221deb9 Mon Sep 17 00:00:00 2001
From: Seongho Bae
Date: Thu, 2 Jul 2026 19:45:56 +0900
Subject: [PATCH 6/8] fix: document quick-xml advisory exceptions
---
apps/desktop/src-tauri/.cargo/audit.toml | 2 ++
apps/desktop/src-tauri/osv-scanner.toml | 8 ++++++++
docs/security/dependency-policy.md | 1 +
3 files changed, 11 insertions(+)
diff --git a/apps/desktop/src-tauri/.cargo/audit.toml b/apps/desktop/src-tauri/.cargo/audit.toml
index 9fc2a4f3..861e0aa5 100644
--- a/apps/desktop/src-tauri/.cargo/audit.toml
+++ b/apps/desktop/src-tauri/.cargo/audit.toml
@@ -17,4 +17,6 @@ ignore = [
"RUSTSEC-2025-0100", # unic-ucd-ident: unmaintained
"RUSTSEC-2025-0098", # unic-ucd-version: unmaintained
"RUSTSEC-2024-0429", # glib 0.18.5: VariantStrIter unsoundness, transitive via Tauri/wry/webkit2gtk/gtk GTK3 stack; remove when upstream drops or patches the chain
+ "RUSTSEC-2026-0194", # quick-xml 0.39.4: inherited via Tauri/plist and rfd/wayland-scanner; no compatible upstream release has moved both chains to quick-xml >=0.41.0 yet
+ "RUSTSEC-2026-0195", # quick-xml 0.39.4: same owner chain and removal condition as RUSTSEC-2026-0194
]
diff --git a/apps/desktop/src-tauri/osv-scanner.toml b/apps/desktop/src-tauri/osv-scanner.toml
index 16b3b20e..c8fc5e44 100644
--- a/apps/desktop/src-tauri/osv-scanner.toml
+++ b/apps/desktop/src-tauri/osv-scanner.toml
@@ -65,3 +65,11 @@ reason = "Inherited through the current Tauri GTK3 owner chain and already track
[[IgnoredVulns]]
id = "RUSTSEC-2024-0429"
reason = "glib 0.18.5 VariantStrIter advisory inherited through Tauri/wry/webkit2gtk/gtk; allowed only until upstream drops or patches the chain, with scope guarded by scripts/checks/verify_supply_chain.py."
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0194"
+reason = "quick-xml 0.39.4 duplicate-attribute advisory is inherited through Tauri/plist and rfd/wayland-scanner; current compatible upstream crates do not yet allow quick-xml >=0.41.0, and this app does not expose those XML parser paths to untrusted user XML."
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0195"
+reason = "quick-xml 0.39.4 namespace-allocation advisory is inherited through the same Tauri/plist and rfd/wayland-scanner owner chain as RUSTSEC-2026-0194; remove once compatible upstream crates move to quick-xml >=0.41.0."
diff --git a/docs/security/dependency-policy.md b/docs/security/dependency-policy.md
index d3a9680e..d7c7acad 100644
--- a/docs/security/dependency-policy.md
+++ b/docs/security/dependency-policy.md
@@ -104,6 +104,7 @@ Current controlled exceptions:
- No Python vulnerability exceptions are active. `GHSA-5239-wwwm-4pmq` (`Pygments <2.20.0`) was removed by locking `Pygments` to `2.20.0`; the CI `security-audit` workflow must run `pip-audit --local --strict` against the synced `uv` environment without a targeted ignore for that advisory.
- Cargo audit warnings for legacy `gtk3` vulnerabilities (e.g. `RUSTSEC-2024-0413`) inherited through Tauri v2 `wry`/`webkit2gtk` integration are explicitly allowed. These are deep framework dependencies with no alternative, so they are documented exceptions and ignored by default.
- `RUSTSEC-2024-0429` for `glib 0.18.5` is allowed only for the `VariantStrIter` advisory inherited through the Tauri/wry/webkit2gtk/gtk GTK3 stack. A compatible lockfile refresh can move the desktop stack to `tauri 2.11.3`, `wry 0.55.1`, `tao 0.35.3`, `muda 0.19.3`, and related transitive patches, but it still does not move this stack to patched `glib >=0.20.0`; the exception must remain encoded in repo-controlled audit configuration and guarded by `scripts/checks/verify_supply_chain.py`, and it must be removed when upstream drops or patches the chain.
+- `RUSTSEC-2026-0194` and `RUSTSEC-2026-0195` for `quick-xml 0.39.4` are allowed only while the current compatible upstream owner chains still require vulnerable `quick-xml`: `plist 1.9.0` through Tauri, and `wayland-scanner 0.31.10` through Linux `rfd`/Wayland dependencies. `quick-xml >=0.41.0` is patched, but `plist 1.9.0` requires `quick-xml ^0.39.2` and the current `wayland-scanner` release also has no compatible patched path. BandScope does not expose either owner chain as a user-controlled XML ingestion surface; the exception must stay encoded in repo-controlled cargo-audit and OSV configuration, and must be removed once compatible upstream crates publish a patched dependency path.
Retired third-party deprecation and advisory signal:
From ebc297169d258a60b68e26f1dd7e333302256723 Mon Sep 17 00:00:00 2001
From: Seongho Bae
Date: Tue, 7 Jul 2026 11:30:38 +0900
Subject: [PATCH 7/8] chore: re-run required org review workflows
Trigger security-scan and close-empty-pr required workflows on a fresh
head; prior head predated their addition to the develop ruleset.
Co-Authored-By: Claude Opus 4.8
Claude-Session: https://claude.ai/code/session_01RjGVapDZ3k7V7zKYk16P4C
From 59d634194382317df987bfc0cc9895803808dfe8 Mon Sep 17 00:00:00 2001
From: Seongho Bae
Date: Tue, 7 Jul 2026 18:48:16 +0900
Subject: [PATCH 8/8] ci: re-trigger (prior run force-cancelled during runner
jam)
Co-Authored-By: Claude Opus 4.8
Claude-Session: https://claude.ai/code/session_01RjGVapDZ3k7V7zKYk16P4C