Security updates are provided for the latest stable release.
| Version | Supported |
|---|---|
| 1.5.x (current: 1.5.3) | Yes |
| 1.4.x | No |
| < 1.4.0 | No |
Please do not open public issues for potential security vulnerabilities.
Instead:
- Use GitHub's private vulnerability reporting if available.
- Alternatively, share details privately with maintainers via email or a direct message.
- Include reproduction steps, impact, and affected versions.
- If possible, include a minimal proof of concept.
Suggested report template:
- Title: short summary of the issue
- Affected area: frontend, Tauri command, shell contract, or dependency
- Impact: what an attacker can do
- Reproduction: exact steps and environment
- Proposed mitigation: optional
- Initial acknowledgement target: within 72 hours
- Triage and severity assessment: as soon as possible
- Fix timeline: depends on severity and release readiness
- Vulnerabilities are fixed privately first.
- Public disclosure is coordinated after a patch is available.
- If needed, release notes will include impact and upgrade guidance.
Items below are tracked and documented for transparency. Where the runtime path was reachable, the underlying dependency has been bumped; where the path is build-only or unreachable, the alert is dismissed in Dependabot as not_used and is expected to close automatically once the upstream Tauri 2.x ecosystem refreshes the affected dependency chains.
- RUSTSEC-2026-0097 —
randunsoundness with a custom logger callingrand::rng()(low). LumaSync depends onrandalong three independent paths and treats them separately:rand0.8.x (runtime, viatauri-plugin-notification) andrand0.9.x (runtime, viaxcap) were bumped to 0.8.6 and 0.9.4 respectively in v1.5.1, clearing the runtime exposure.rand0.7.3 (build-only, viatauri-utils → kuchikiki → selectors → phf_generator) remains in the build graph but is unreachable from any shipped binary; LumaSync neither customizes the logger nor invokesrand::rng()along this chain, so the alert is dismissednot_useduntil the upstream ecosystem refreshesphfminor versions.
- RUSTSEC-2024-0429 —
glib0.18.5 unsoundness inIterator/DoubleEndedIteratorimpls forglib::VariantStrIter(medium). Reaches LumaSync only on Linux throughtauri → tray-icon → libappindicator → gtk-rs 0.18. LumaSync never constructs nor iterates aVariantStrIter(directly or via any code path it owns), so the affected impls are not exercised. Dismissednot_used; will close once Tauri 2.x migrates togtk-rs0.19+ /glib0.20 — tracked for the v1.6 milestone.