
[Bug]: Track upstream fix for vulnerable glib dependency in the Tauri Linux stack #26

@yandy-r

Description


Migrated from issue yandy-r/crosshook#26
Originally opened by @yandy-r on 2026-03-25T01:42:00Z
Original state: open


Duplicate Check

  • I have searched existing issues and this bug has not been reported.

Component

Build / Packaging

Platform

Linux (other distro)

Proton / WINE Version

N/A

CrossHook Version

5926d6a

Bug Description

GitHub Dependabot alert #1 is open for glib in src/crosshook-native/Cargo.lock.

Current analysis shows this repository cannot patch glib directly without an upstream dependency-chain change.

Observed dependency path:

  • tauri v2.10.3
  • gtk v0.18.2
  • glib ^0.18 (currently locked to glib v0.18.5)

A direct update attempt fails because gtk v0.18.2 requires glib = "^0.18", so glib 0.20.0 cannot be selected while the current Linux Tauri/GTK stack remains in place.

Steps to Reproduce

  1. Check the Dependabot alert for this repository.
  2. Inspect the transitive dependency path with:
    cargo tree --manifest-path src/crosshook-native/Cargo.toml -i glib
  3. Attempt to move to the patched version with:
    cargo update --manifest-path src/crosshook-native/Cargo.toml -p glib --precise 0.20.0 --dry-run
  4. Observe that Cargo rejects the update because gtk v0.18.2 requires glib = "^0.18".

Expected Behavior

CrossHook should be able to consume a non-vulnerable glib version, or we should have a clear upgrade path to a Tauri/Linux stack that does.

Actual Behavior

The repository is currently blocked on an upstream Linux desktop dependency chain:

  • tauri 2.10.3 is already current in this environment.
  • The Linux GTK stack still resolves to gtk 0.18.2 / glib 0.18.x.
  • The Dependabot alert remains open because the patched glib 0.20.0 line is incompatible with the current transitive constraints.

Game & Trainer Details

N/A

Logs / Screenshots

$ cargo tree --manifest-path src/crosshook-native/Cargo.toml -i glib
glib v0.18.5
└── gtk v0.18.2
    └── tauri v2.10.3
        └── crosshook-native src-tauri

$ cargo update --manifest-path src/crosshook-native/Cargo.toml -p glib --precise 0.20.0 --dry-run
error: failed to select a version for the requirement `glib = "^0.18"`
candidate versions found which didn't match: 0.20.0
required by package `gtk v0.18.2`
... which satisfies dependency `gtk = "^0.18"` of package `tauri v2.10.3`

Suggested Follow-up

  • Track upstream Tauri/Linux GTK dependency updates that move off gtk 0.18 / glib 0.18.
  • Re-evaluate when a newer Tauri/Wry/Linux stack can resolve to glib >= 0.20.0.
  • If upstream remains blocked, assess whether a temporary fork/patch strategy is acceptable for this project.

Storage strategy

  • No new persisted app data is expected for this tracking bug. Any eventual mitigation should avoid introducing new settings or metadata unless an upstream workaround genuinely requires it.
  • Runtime-only analysis such as dependency inspection, build verification, or alert triage should remain ephemeral rather than becoming app-managed state.

Persistence & usability

  • No migration or backward-compatibility work should be required while this remains an upstream dependency-chain tracking issue.
  • If a temporary mitigation is ever needed, it should not rewrite user profiles, settings, or metadata DB contents.

Code maintainability

  • Keep any eventual workaround isolated to build/dependency-management surfaces rather than scattering version checks throughout runtime code.
  • Prefer one clearly owned dependency policy path over per-platform or per-feature exceptions.
  • If supporting code is needed, keep modules focused and split early rather than growing a mixed-responsibility file past the 400-500 line range.

Dependencies / Blockers

  • Blocked by upstream movement in the Tauri/GTK/Linux dependency chain so glib >= 0.20.0 becomes selectable.
  • Track the Dependabot alert and upstream release notes rather than creating CrossHook-only forks by default.

Scope boundaries / Non-goals

  • This issue is not a mandate to add runtime fallbacks, Linux-only behavior forks, or unrelated packaging changes.
  • Do not treat a temporary fork as the default plan unless upstream is demonstrably stalled and the maintenance cost is accepted explicitly.
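The reproduction steps above (inspect the inverse dependency path, then see Cargo reject glib 0.20.0 because gtk requires `^0.18`) can be replayed offline against a lock file. The following script is an added example written for this page, not CrossHook code: it parses a constructed Cargo.lock excerpt that mirrors the `cargo tree -i glib` output in the issue, rebuilds the inverse path, and applies Cargo's caret rule to explain why the patched version is not selectable. Because Cargo.lock records resolved versions only, the `^0.18` requirement is supplied separately, taken from the error message quoted in the logs.

```python
"""Offline check of a Cargo.lock for a crate stuck on a vulnerable line.

Constructed example, not CrossHook code. SAMPLE_LOCK mirrors the path reported
by `cargo tree -i glib`; REQUIREMENTS carries the caret requirement quoted in
cargo's error output, since Cargo.lock stores resolved versions, not requirements.
"""
import re

# Constructed Cargo.lock excerpt (assumption: shape of the real lock file).
SAMPLE_LOCK = """
[[package]]
name = "crosshook-native"
version = "0.1.0"
dependencies = [
 "tauri",
]

[[package]]
name = "tauri"
version = "2.10.3"
dependencies = [
 "gtk",
]

[[package]]
name = "gtk"
version = "0.18.2"
dependencies = [
 "glib 0.18.5",
]

[[package]]
name = "glib"
version = "0.18.5"
"""

# (dependent, dependency) -> requirement, as quoted in the issue's cargo output.
REQUIREMENTS = {("gtk", "glib"): "^0.18", ("tauri", "gtk"): "^0.18"}


def parse_lock(text):
    """Minimal parser for the [[package]] tables of a Cargo.lock."""
    packages, current, in_deps = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {"dependencies": []}
            packages.append(current)
            in_deps = False
        elif current is None or not line:
            continue
        elif in_deps:
            if line == "]":
                in_deps = False
            else:  # entries look like "gtk" or "glib 0.18.5"; keep the crate name
                current["dependencies"].append(line.strip('",').split()[0])
        elif line.startswith("dependencies = ["):
            in_deps = not line.endswith("]")  # handles the empty `[]` form
        else:
            m = re.fullmatch(r'(\w+) = "([^"]*)"', line)
            if m:
                current[m.group(1)] = m.group(2)
    return {p["name"]: p for p in packages}


def inverse_paths(packages, crate):
    """Every path from `crate` up to a root, like `cargo tree -i <crate>`."""
    reverse = {}
    for name, pkg in packages.items():
        for dep in pkg["dependencies"]:
            reverse.setdefault(dep, []).append(name)
    paths = []

    def walk(path):
        parents = [p for p in reverse.get(path[-1], []) if p not in path]
        if not parents:
            paths.append(path)
        for parent in parents:
            walk(path + [parent])

    walk([crate])
    return paths


def parse_version(v):
    return tuple(int(x) for x in v.split("."))


def caret_allows(req, version):
    """Cargo caret rule: the leftmost non-zero component may not change.

    ^0.18 -> >=0.18.0 <0.19.0, ^1.2 -> >=1.2.0 <2.0.0, ^0.0.3 -> >=0.0.3 <0.0.4.
    """
    base = parse_version(req.lstrip("^"))
    for i, c in enumerate(base):
        if c != 0:
            upper = base[:i] + (c + 1,)
            break
    else:  # every given component is zero: bump the last one given
        upper = base[:-1] + (base[-1] + 1,)
    lower = base + (0,) * (3 - len(base))
    upper = upper + (0,) * (3 - len(upper))
    return lower <= parse_version(version) < upper


def assess(lock_text, requirements, crate, fixed):
    """Locked version, inverse paths, and dependents whose requirement excludes `fixed`."""
    packages = parse_lock(lock_text)
    locked = packages[crate]["version"]
    paths = inverse_paths(packages, crate)
    blockers = []
    for path in paths:
        if len(path) < 2:
            continue
        dependent = path[1]
        req = requirements.get((dependent, crate))
        if req and not caret_allows(req, fixed):
            blockers.append((dependent, packages[dependent]["version"], req))
    return {
        "locked": locked,
        "vulnerable": parse_version(locked) < parse_version(fixed),
        "paths": [" -> ".join(p) for p in paths],
        "blockers": blockers,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_LOCK, REQUIREMENTS, "glib", "0.20.0")
    print(f"glib locked at {report['locked']} (vulnerable: {report['vulnerable']})")
    for path in report["paths"]:
        print("  path:", path)
    for dependent, version, req in report["blockers"]:
        print(f'  blocked by {dependent} v{version}: requires glib = "{req}"')
```

Pointing `assess` at the real `src/crosshook-native/Cargo.lock` (and the requirement cargo prints) gives the same verdict as the dry-run update in the logs, without touching the network; the `blockers` list is empty only once the direct dependent's requirement admits glib >= 0.20.0, which is the condition the "Dependencies / Blockers" section waits on.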
