Track upstream Tauri GTK4 migration (resolves 12+ unmaintained advisories)

[Salem874]

Background

Identified during the post-#688 security audit (#693).

`cargo audit` currently flags 20 RustSec advisories on transitive dependencies. None are runtime-exploitable in MeedyaDL's threat model, and all 20 are suppressed in deny.toml with documented reachability analysis.

The largest cluster (12 advisories) shares one root cause: Tauri 2.x is still on the GTK3 binding stack on Linux. The gtk-rs maintainers archived GTK3 in favour of gtk4-rs in 2024, so every transitive crate from the chain (`gtk`, `gdk`, `atk`, `webkit2gtk`, `gio`, `glib`, etc.) is now flagged "unmaintained".

The two non-trivial advisories in this cluster are:

• RUSTSEC-2024-0429 — `glib::VariantStrIter` Iterator/DoubleEndedIterator unsoundness (not just unmaintained). Linux-only, not user-reachable from MeedyaDL's code paths.
• RUSTSEC-2025-0057 — `fxhash` (used by `selectors` via the wry HTML/CSS parser).

What this issue tracks

• Watch upstream Tauri's GTK4 migration milestone.
• When Tauri 2.x ships GTK4 support, bump our `tauri` / `wry` dependencies and remove the corresponding `deny.toml` suppressions.
• On every minor Tauri release, re-run `cargo audit` to verify the suppressed list is still scoped to GTK3-chain advisories (no new in-tree exploitable issues hidden behind the suppression).
• Quarterly audit (or when an advisory is updated): confirm reachability analysis still holds.

Suppressed advisories (audit-cleared, no action required individually)

```
RUSTSEC-2024-0411 cairo-rs / gdkwayland-sys — unmaintained
RUSTSEC-2024-0412 cairo-sys-rs / gdk — unmaintained
RUSTSEC-2024-0413 atk — unmaintained
RUSTSEC-2024-0414 gdk / gdkx11-sys — unmaintained
RUSTSEC-2024-0415 gdk-pixbuf / gtk — unmaintained
RUSTSEC-2024-0416 atk-sys — unmaintained
RUSTSEC-2024-0417 gdk-sys / gdkx11 — unmaintained
RUSTSEC-2024-0418 gdk-pixbuf-sys / gdk-sys — unmaintained
RUSTSEC-2024-0419 gio / gtk3-macros — unmaintained
RUSTSEC-2024-0420 glib / gtk-sys — unmaintained
RUSTSEC-2024-0429 glib — VariantStrIter unsoundness (Linux-only)
RUSTSEC-2024-0436 paste — unmaintained (transitive via lofty)
RUSTSEC-2024-0370 proc-macro-error — unmaintained
RUSTSEC-2024-0384 instant — unmaintained
RUSTSEC-2024-0388 derivative — unmaintained
RUSTSEC-2025-0075 unic-char-range — unmaintained
RUSTSEC-2025-0080 unic-common — unmaintained
RUSTSEC-2025-0081 unic-char-property — unmaintained
RUSTSEC-2025-0098 unic-ucd-version — unmaintained
RUSTSEC-2025-0100 unic-ucd-ident — unmaintained
```

All entries in `deny.toml` carry a justification line; please don't strip the comments when removing.

Why this is a tracking-only issue

There is no MeedyaDL-side action available right now — the fix path goes through upstream Tauri. This issue exists so the suppressions don't become invisible / forgotten and so a future contributor knows where to start when Tauri's GTK4 migration lands.

Related: #693

[Salem874]

Tracker status update (2026-05-17):

Still upstream-blocked on Tauri's GTK4 migration. No MeedyaDL-side action.

Current state:

• src-tauri/deny.toml still suppresses the 12+ GTK3-family advisories (gtk, gdk, atk, webkit2gtk, gio, glib, etc.) with documented reachability analysis. Each suppression includes a comment pointing at this tracker.
• cargo deny check advisories runs in the Backend CI job (ci.yml) AND in the new Licences workflow (ci(legal): automate ACKNOWLEDGEMENTS / THIRD_PARTY_LICENSES drift + upstream-licence-change check on every PR #806, shipped this cycle) — so the suppressions are continuously verified.

No upstream movement that would change MeedyaDL's posture:

• Tauri 2.x is still on GTK3 on Linux.
• The gtk-rs maintainers haven't unarchived GTK3 nor offered a migration path that bypasses the upstream Tauri dependency.

Next check-in trigger: when Tauri ships a release notes line mentioning GTK4 or when one of the advisory IDs is upgraded from "unmaintained" to "vulnerable". Until then this is informational.

Keeping open as the tracker.

[Salem874]

v1.7 audit (2026-05-18) — quarterly check

Still no Tauri GTK4 migration in upstream's roadmap as of today (verified via `tauri-apps/tauri` recent commits and the v2.x milestone). The 12 suppressed advisories in `src-tauri/deny.toml` remain scoped to GTK3-chain unmaintained warnings + the documented reachability analysis still holds (zero MeedyaDL code paths reach the affected APIs).

No action needed from v1.7. This issue stays open as the ongoing quarterly-audit tracker. Next checkpoint: when upstream Tauri ships any GTK4-related milestone, or at the next quarterly security audit (2026-08).

[Salem874]

Quarterly checkpoint (2026-05-18)

Re-ran the audit per the v1.7 plan. No movement upstream.

Tauri GTK4 migration status (online check)

• `tauri-apps/tauri#7335` — [feat] Migrate to GTK4 — OPEN, last activity 2026-03-03 (still no concrete merge date).
• `tauri-apps/tauri#12563` Upgrade `tauri` to `gtk4-rs` — OPEN
• `tauri-apps/tauri#12562` Upgrade `tauri-runtime` to `gtk4-rs` — OPEN
• `tauri-apps/tauri#12561` Upgrade `tauri-runtime-wry` to `gtk4-rs` — OPEN

MeedyaDL `cargo audit` snapshot

`cargo audit` still surfaces the documented GTK3-chain unmaintained cluster (atk / gtk / gdk-pixbuf / gdkx11 / cairo-rs / webkit2gtk / etc., all v0.18.x). All scoped to the same root cause and all already documented in `deny.toml` with reachability analysis. No new in-tree exploitable advisories hidden by the suppression set.

Action

None. Quarterly tracker continues. Next checkpoint: 2026-08 or whenever PR #12563/#12562/#12561 trio merges upstream.

Issue stays open.

[Salem874]

📋 Quarterly cargo-audit re-run — 2026-05-24

Per the tracker's third checklist item: re-ran `cargo audit` and reconciled with `src-tauri/deny.toml`.

State of the audit

• Vulnerabilities (unsuppressed): 0 ✓
• Total advisories under `warnings.*`: 20 — exactly matches the 20 IDs ignored in `deny.toml` (no drift in scope)
• Tauri version: still on the GTK3 binding stack (gtk 0.18.2, gdk 0.18.2, webkit2gtk 2.0.2, etc.) — no GTK4 migration upstream yet
• All 20 advisories remain GTK3-chain unmaintained warnings or unsoundness with documented non-reachability. None became exploitable since the last review.

Drift fix landed — commit `30e9c2ff`

While the suppression IDs are unchanged, eight of the GTK3-chain comments in `deny.toml` had drifted from the actual upstream advisory subjects. The advisory IDs are canonical; the package-name annotations on the right-hand side are documentation. Re-synced based on `cargo audit 0.22.1` output (2026-05-24):

RUSTSEC ID	Was (in deny.toml)	Now (upstream)
2024-0411	cairo-rs	gdkwayland-sys
2024-0412	cairo-sys-rs	gdk
2024-0414	gdk	gdkx11-sys
2024-0415	gdk-pixbuf	gtk
2024-0417	gdk-sys	gdkx11
2024-0418	gdk-pixbuf-sys	gdk-sys
2024-0419	gio	gtk3-macros
2024-0420	glib	gtk-sys

The previous attributions are preserved in parens (`(was: X)`) for forensic grep-ability.

The other 12 suppressions (`proc-macro-error`, `instant`, `derivative`, `unic-*`, `paste`, `glib` unsoundness 2024-0429) still match their upstream subjects exactly — untouched.

`cargo deny check advisories` result

advisories ok

One `advisory-not-detected` warning for RUSTSEC-2024-0429 — that's expected on macOS (glib is Linux-only); the suppression is still load-bearing for Linux CI.

Tracker status

• Watch upstream Tauri's GTK4 migration milestone. → No change. Tauri 2.11.x is the current line and is still on GTK3. The Tauri team's v3 alpha planning thread mentions GTK4 but no concrete milestone yet.
• When Tauri 2.x ships GTK4 support, bump our `tauri` / `wry` dependencies and remove the corresponding `deny.toml` suppressions. → Blocked on upstream.
• On every minor Tauri release, re-run `cargo audit`. → Done today. Set the next reminder for the next Tauri 2.x minor (or in 90 days, whichever comes first).
• Quarterly audit. → Done today, 2026-05-24. Next review: 2026-08-24.

This is a long-running tracker issue; leaving it open. The next cargo-audit re-run is scheduled for 2026-08-24 (90 days) or the next Tauri minor release, whichever lands first.

[Salem874]

📋 Quarterly re-audit — 2026-05-25

Per the tracker's "On every minor Tauri release, re-run `cargo audit`" + "Quarterly audit" boxes: ran the full audit + checked the Tauri ecosystem version state.

Audit state

• Vulnerabilities (unsuppressed): 0 ✓
• Total advisories under `warnings.*`: 20 — identical set to the 2026-05-24 audit (commit `30e9c2ff`)
• All 20 IDs in `deny.toml` still match what `cargo audit` emits, byte-for-byte
• `cargo deny check advisories` clean (`advisories ok`)
• No new vulnerabilities, no scope drift.

Tauri ecosystem versions (still on GTK3)

Crate	Version	Stack
`tauri`	2.11.2 (latest, released 2026-05-16)	GTK3
`wry`	0.55.1	GTK3
`gtk`	0.18.2	GTK3
`webkit2gtk`	2.0.2	GTK3

The Tauri team's GTK4 migration is still in flight. As of this audit there are five open issues on the Tauri repo tracking it:

• tauri-apps/tauri#7335 — [feat] Migrate to GTK4
• tauri-apps/tauri#14684 — feat(linux): migrate to GTK4 and WebKitGTK 6.0
• tauri-apps/tauri#12561 — Upgrade tauri-runtime-wry to gtk4-rs
• tauri-apps/tauri#12562 — Upgrade tauri-runtime to gtk4-rs
• tauri-apps/tauri#12563 — Upgrade tauri to gtk4-rs

None of these are merged yet, so MeedyaDL's GTK3 binding chain (and the 12 unmaintained advisories it carries) remains the only viable path until upstream ships.

Tracker checklist

• Watch upstream Tauri's GTK4 migration milestone — re-checked today; 5 issues still open, no merged PR.
• When Tauri 2.x ships GTK4 support, bump `tauri` / `wry` dependencies and remove the corresponding `deny.toml` suppressions. — Blocked on upstream.
• On every minor Tauri release, re-run `cargo audit` — done today (Tauri minor 2.11 → 2.11.2 patch only, no new advisories).
• Quarterly audit (or when an advisory is updated): confirm reachability analysis still holds. — done today, all 20 reachability rationales in `deny.toml` still apply.

Next review: 2026-08-25 (90 days) OR the next Tauri 2.x minor release, whichever lands first.

This is a long-running tracker issue; leaving it open. No code changes this round — the suppressions are correctly scoped and the comments are still in sync after the 2026-05-24 refresh (`30e9c2ff`).