Watch for Tauri 3.x release to re-open GHSA-wrw7-89jp-8q8g (glib <0.20 unsoundness)

[AlienResidents]

Context

Dependabot alert #1
(GHSA-wrw7-89jp-8q8g — glib < 0.20.0 VariantStrIter unsoundness) was
dismissed on 2026-06-12 with reason tolerable_risk. The full rationale,
dependency chain, and reachability analysis live in
SECURITY.md#ghsa-wrw7-89jp-8q8g.

The dismissal explicitly recorded a re-evaluation trigger: when Tauri
3.x ships with the gtk4 + webkit6 + non-libappindicator-gtk3 stack,
this advisory becomes fixable via a single dependency bump. This
issue exists to make sure we notice when that day arrives.

What we're watching for

• A stable Tauri 3.x release on crates.io (cargo search tauri showing
  tauri >= 3.0.0 as max_stable_version).
• The gtk4 migration tracker resolving:
  • [feat] Migrate to GTK4 tauri-apps/tauri#7335 — [feat] Migrate to GTK4
  • feat(linux): migrate to GTK4 and WebKitGTK 6.0 tauri-apps/tauri#14684 — feat(linux): migrate to GTK4 and WebKitGTK 6.0
  • Upgrade tauri-runtime-wry to gtk4-rs tauri-apps/tauri#12561 — Upgrade tauri-runtime-wry to gtk4-rs
  • Upgrade tauri-runtime to gtk4-rs tauri-apps/tauri#12562 — Upgrade tauri-runtime to gtk4-rs
  • Upgrade tauri to gtk4-rs tauri-apps/tauri#12563 — Upgrade tauri to gtk4-rs
  • Upgrade wry to gtk4-rs and webkit6 tauri-apps/wry#1474 — Upgrade wry to gtk4-rs and webkit6
  • fix(linux): Port to webkitgtk6 tauri-apps/wry#1530 — fix(linux): Port to webkitgtk6
• Dependabot opening a tauri 3.x PR on this repo (the tauri crate
  is already monitored).

Action when the trigger fires

1. Verify on a worktree:

   • cargo update -p tauri to the 3.x line (likely needs other
     @tauri-apps/* plugin bumps in lockstep).
   • cargo tree -i glib should now show glib >= 0.20.x and the
     gtk-3 transitive chain (atk, gtk 0.18, libappindicator)
     should be gone or replaced.
   • Build a .deb locally and confirm the tray, webview, and
     pnpm tauri build --bundles deb all still work.

2. Update SECURITY.md:

   • Move the GHSA-wrw7-89jp-8q8g entry from "Dismissed advisories"
     to a new "Resolved advisories" section (or delete; we keep it as
     audit trail).
   • Note the Tauri version that fixed it.

3. Re-open Dependabot alert Watch for Tauri 3.x release to re-open GHSA-wrw7-89jp-8q8g (glib <0.20 unsoundness) #1 via the API:

   gh api --method PATCH /repos/AlienResidents/cronaut/dependabot/alerts/1 \
     -f state=open

   Then let Dependabot's daily scan close it as "fixed" once the
   updated Cargo.lock is on main. (Re-opening manually before
   merging the bump avoids the dismissal lingering after the actual
   fix lands.)

4. Close this issue.

What does NOT trigger this issue

• A Tauri 2.x point release that bumps wry / tao / tray-icon but
  stays on gtk ^0.18. Those are still bound to glib 0.18.x and
  cannot pull in the fix. The whole stack has to move to gtk4.
• A new fork or [patch.crates-io] advice from the community. The
  dismissal explicitly excluded that route — see SECURITY.md for why.
• A separate glib advisory reachable through a different dep path.
  Per SECURITY.md: "Any future glib advisory, or a glib advisory
  reachable via a different path, must be re-triaged from scratch."

Suggested check cadence

Quarterly. The migration has been open for ~12+ months and the latest
upstream activity (as of dismissal) is community-fork PRs against
tauri#14684, not maintainer merges — there is no near-term ETA.