chore(deps): update NAPI to v3

[Legend-Master]

Closes #913
Closes #914
Closes #970

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	cargo/​napi@​2.16.17 ⏵ 3.9.2	-18
	npm/​@​napi-rs/​cli@​3.7.2
	cargo/​napi-build@​2.3.1 ⏵ 2.3.2
	cargo/​napi-derive@​2.16.13 ⏵ 3.5.6	+2

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: cargo libc is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → cargo/rust-embed@8.7.2 → cargo/ctrlc@3.4.7 → cargo/whoami@1.6.1 → cargo/dialoguer@0.12.0 → cargo/libc@0.2.186 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/libc@0.2.186. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm js-yaml is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/@napi-rs/cli@3.7.2 → npm/js-yaml@4.2.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[github-actions]

Package Changes Through 4ff8dae

There are 2 changes which include create-tauri-app with patch, create-tauri-app-js with patch

Planned Package Versions

The following package releases are the planned based on the context of changes in this pull request.

package	current	next
create-tauri-app	4.7.1	4.7.2
create-tauri-app-js	4.7.1	4.7.2

Add another change file through the GitHub UI by following this link.

---

Read about change files or the docs at github.com/jbolda/covector

[FabianLars]

in tauri we reverted back to 3.0 but can't remember why

[Legend-Master]

The revert happened in tauri-apps/tauri#15310, I don't quite get what lucas meant though

[FabianLars]

ah yeah. The docker containers have rust versions that are too old for napi 3.5+ since they raised the msrv to 1.88
That's honestly quite stupid considering that the containers are also provided by the napi team 🙃

we could switch containers or build our own but i don't think it's worth the trouble. i sure hope they'll update them soon but then again the issue is open since march last year...

[Legend-Master]

It seems like their demo project no longer uses the docker to build anymore, I could try switching to that tomorrow.

And another thing, it seems like if we're using NAPI 3, the rust-version must be bumped to 1.81 for 3.0.0 and 1.88 for current latest. Considering we were publishing through latest stable rust, it should be fine to bump?

[FabianLars]

It seems like their demo project no longer uses the docker to build anymore,

Ahh they're using zigbuild for musl as well. I actually meant to use that for the gnu builds (in tauri as well) a while ago because of github's high glibc version.

I could try switching to that tomorrow.

Maybe after the next release? I'd like to have a working version first before we start with experiments :D

And another thing, it seems like if we're using NAPI 3, the rust-version must be bumped to 1.81 for 3.0.0 and 1.88 for current latest. Considering we were publishing through latest stable rust, it should be fine to bump?

Yes, if we do not use their docker containers anymore it's fine since this is not the main crate.

[Legend-Master]

It seems like we even had setup-zig in our workflow just didn't use cargo-zigbuild. I'm gonna trigger the new release now, this one can wait.

[Legend-Master]

Well, that didn't really work either 🤦‍♂️

https://github.com/tauri-apps/create-tauri-app/actions/runs/27731906882/job/82040606785

[Legend-Master]

Good run at https://github.com/tauri-apps/create-tauri-app/actions/runs/27732451611

[FabianLars]

Are we using something that wasn't part of the 3.0.0 packages? Maybe it makes sense to write the current latest versions in cargo.toml/package.json just to be safe?

Don't care too much about it so approved either way

[Legend-Master]

I don't think we do, the code were not even different from v2