Desktop: Update CEF

[timon-schelling]

Depends on #4033

[gemini-code-assist]

Code Review

This pull request updates major dependencies, including wgpu to v28, vello to v0.8, and cef to v146. The Nix configuration is refactored to define graphite-cef as a package, and the rendering pipeline is updated to use immediates instead of push_constants. The CEF integration is also cleaned up by simplifying CefString conversions. Feedback highlights opportunities to remove redundant string allocations, fix a potential bug when joining command-line feature flags, and improve the robustness of the application root path detection.

[gemini-code-assist]

The wrapping of cmd.switch_value in CefString::from(&...) is redundant because switch_value already returns an owned CefString. You can use the returned value directly to avoid an unnecessary clone.

Suggested change

	let process_type = CefString::from(&cmd.switch_value(Some(&"type".into())));
	let process_type = cmd.switch_value(Some(&"type".into()));

[gemini-code-assist]

This path calculation for app_root is brittle as it relies on a fixed directory depth. If the executable is launched from a different location or the bundle structure changes, this will panic. Consider using a more robust method to locate the application resources or handling the None cases more gracefully.

[gemini-code-assist]

The CefString::from(&...) wrapping is redundant here as well. Additionally, if the existing disable-features switch is empty, split(',') will produce an empty string, resulting in a leading comma in the final list. It is better to filter out empty strings before joining.

Suggested change

	let disabled_features: String = CefString::from(&cmd.switch_value(disabled_features_switch))
	.to_string()
	.split(',')
	.chain(extra_disabled_features)
	.collect::<Vec<_>>()
	.join(",");
	cmd.append_switch_with_value(disabled_features_switch, Some(&CefString::from(disabled_features.as_str())));
	cmd.append_switch_with_value(disabled_features_switch, Some(&disabled_features.as_str().into()));
	let disabled_features: String = cmd.switch_value(disabled_features_switch)
	.to_string()
	.split(',')
	.filter(|s| !s.is_empty())
	.chain(extra_disabled_features)
	.collect::<Vec<_>>()
	.join(",");
	cmd.append_switch_with_value(disabled_features_switch, Some(&disabled_features.into()));

[cubic-dev-ai]

1 issue found across 23 files

Confidence score: 2/5

• There is a high-confidence security concern in desktop/src/cef/internal/browser_process_app.rs: enabling no-sandbox unconditionally disables Chromium’s sandbox protections and weakens process isolation at runtime.
• Given the 8/10 severity and direct impact on defense-in-depth, this is higher merge risk than a typical minor fix and should be addressed before merging.
• Pay close attention to desktop/src/cef/internal/browser_process_app.rs - avoid unconditional no-sandbox so sandboxing remains enabled except for explicitly justified cases.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="desktop/src/cef/internal/browser_process_app.rs">

<violation number="1" location="desktop/src/cef/internal/browser_process_app.rs:36">
P1: Avoid enabling `no-sandbox` unconditionally; it disables Chromium's process sandbox and weakens runtime isolation.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[timon-schelling]

!build desktop (Run ID 24908464514)

[github-actions]

📦 Mac Build Complete for 3c04c2b
Download binary

[github-actions]

📦 Linux Build Complete for 3c04c2b
Download binary
Download Flatpak

[github-actions]

📦 Windows Build Complete for 3c04c2b
Download binary