Describe the dependency issue
localtunnel@2.0.2 is declared in apps/desktop/package.json:30 and spawned via pnpm lt from apps/desktop/src-tauri/src/tunnel.rs:101-169. Issues:
- The package has had no release since 2022 — it is effectively abandonware and its transitive
axios has open CVEs.
- It is under
dependencies (not devDependencies), even though it is a Node-only runtime and never executes in the browser. Next.js still tries to resolve it for the client bundle and emits warnings about missing net/tls/http polyfills.
- The tunnel has no authentication and no TLS.
Proposed change:
Evaluate replacing localtunnel with a maintained alternative (cloudflared, ngrok with token, or a Rust crate such as tunneler). Move the dependency out of the browser bundle either way.
Would you like to submit a PR for this dependency update?
Maybe
Describe the dependency issue
localtunnel@2.0.2is declared inapps/desktop/package.json:30and spawned viapnpm ltfromapps/desktop/src-tauri/src/tunnel.rs:101-169. Issues:axioshas open CVEs.dependencies(notdevDependencies), even though it is a Node-only runtime and never executes in the browser. Next.js still tries to resolve it for the client bundle and emits warnings about missingnet/tls/httppolyfills.Proposed change:
Evaluate replacing
localtunnelwith a maintained alternative (cloudflared, ngrok with token, or a Rust crate such astunneler). Move the dependency out of the browser bundle either way.Would you like to submit a PR for this dependency update?
Maybe