
ci: guard against reachable glib VariantStrIter unsoundness #997

Open

ital0 wants to merge 2 commits into main from security/dep-glib

ci: guard against reachable glib VariantStrIter unsoundness#997
ital0 wants to merge 2 commits into
mainfrom
security/dep-glib

Conversation

@ital0 ital0 commented Jun 17, 2026

Collaborator

Note

Low Risk
CI-only static check with no application or runtime behavior changes; it reduces risk by catching new callers of an accepted transitive vulnerability.

Overview
Adds a security tripwire for GHSA-wrw7-89jp-8q8g / RUSTSEC-2024-0429 (glib::VariantStrIter unsoundness on Linux). The team accepts the vulnerable glib 0.18.x transitively from Tauri/gtk only while that API stays unreachable.

New script scripts/check-glib-variantstriter.sh resolves the locked Linux src-tauri dependency graph via cargo metadata, then greps src-tauri/src and every registry crate source (excluding the glib crate itself) for array_iter_str or VariantStrIter. It aborts on metadata/jq failures, empty dependency resolution, or grep errors so CI cannot silently pass without scanning.

The rust job in .github/workflows/ci.yml runs this step before the cargo build (metadata + grep only, no compile).

Reviewed by Cursor Bugbot for commit 55a6b80.
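As an added illustration of the tripwire pattern the description lays out (this is example code, not the project's own scripts/check-glib-variantstriter.sh), the script below resolves the locked Linux dependency graph with cargo metadata, derives each registry crate's source directory with jq while skipping glib itself, and greps for the two identifiers. The security-relevant detail is the exit-code handling: grep's "no match" (1) is the only outcome that passes, "grep could not run" (2) fails the job, and an empty resolution is refused rather than treated as nothing to scan. It assumes cargo, jq and GNU grep on PATH, the x86_64-unknown-linux-gnu target and the default manifest path are assumptions, and the `run` entry point is a convenience so the functions can be exercised on constructed directories.

```shell
#!/bin/sh
# Added illustration of the tripwire described in the PR (not the project's own
# scripts/check-glib-variantstriter.sh). Assumes cargo, jq and GNU grep are on PATH.
set -eu

# Identifiers whose presence means the unsound API (RUSTSEC-2024-0429) is reachable.
PATTERN='array_iter_str|VariantStrIter'

# Print the source directory of every registry crate in the locked Linux
# dependency graph, skipping glib itself, which legitimately defines the API.
# Fails (non-zero) if cargo metadata or jq fails, so a broken resolution can
# never be mistaken for "nothing to scan".
resolve_registry_sources() {
  manifest="$1"
  json="$(cargo metadata --format-version 1 --locked \
            --filter-platform x86_64-unknown-linux-gnu \
            --manifest-path "$manifest")" || {
    echo "cargo metadata failed for $manifest" >&2; return 1; }
  # Only packages present in the (platform-filtered) resolve graph count.
  printf '%s' "$json" | jq -r '
    (.resolve.nodes | map(.id)) as $ids
    | .packages[]
    | select(.id as $id | any($ids[]; . == $id))
    | select(.source != null and (.source | startswith("registry+")))
    | select(.name != "glib")
    | .manifest_path | sub("/Cargo.toml$"; "")
  ' || { echo "jq failed" >&2; return 1; }
}

# Scan directories for PATTERN in *.rs files, keeping grep's exit codes apart:
# 0 = match found (API reachable), 1 = clean, 2 = grep itself failed.
# Returns 0 when clean, 1 when reachable, 2 when the scan could not run.
scan_dirs() {
  hits="$(grep -rElI --include='*.rs' "$PATTERN" "$@" 2>&1)" && rc=0 || rc=$?
  case "$rc" in
    0) printf 'VariantStrIter API referenced in:\n%s\n' "$hits" >&2; return 1 ;;
    1) return 0 ;;
    *) printf 'grep failed (exit %s): %s\n' "$rc" "$hits" >&2; return 2 ;;
  esac
}

# CI entry point: refuse to pass on an empty resolution, then scan the app's own
# sources plus every resolved registry crate.
main() {
  manifest="${1:-src-tauri/Cargo.toml}"   # assumed default path
  dirs="$(resolve_registry_sources "$manifest")"
  [ -n "$dirs" ] || { echo "no registry crates resolved; refusing to pass" >&2; exit 1; }
  set -- "$(dirname "$manifest")/src"
  while IFS= read -r d; do set -- "$@" "$d"; done <<EOF
$dirs
EOF
  scan_dirs "$@"
}

# Runs only as `sh check-glib-variantstriter.sh run [manifest]`, so the functions
# above can also be sourced and exercised on constructed directories.
case "${1:-}" in run) main "${2:-}" ;; esac
```

In CI the step is `sh scripts/check-glib-variantstriter.sh run src-tauri/Cargo.toml`; any non-zero status (API referenced, grep failure, empty or failed resolution) fails the job, and `--include='*.rs'` keeps README or changelog mentions of the identifiers from tripping the check.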

@github-actions


Semgrep Security Scan

No security issues found.

@github-actions

github-actions Bot commented Jun 17, 2026


Preview environment deployed 🚀

Service URL
Marketing / blog / docs https://thunderbolt-pr-997.preview.thunderbolt.io
App https://app-pr-997.preview.thunderbolt.io
API https://api-pr-997.preview.thunderbolt.io
Keycloak https://auth-pr-997.preview.thunderbolt.io
PowerSync https://powersync-pr-997.preview.thunderbolt.io

Stack: preview-pr-997 · Commit: 55a6b802837fac266781b1f755553a4c386b0b7b

Auto-destroys on PR close/merge. Login via the bundled Keycloak realm — demo@thunderbolt.io / demo by default.

@github-actions

github-actions Bot commented Jun 17, 2026


PR Metrics

Metric Value
Lines changed (prod code) +132 / -0
JS bundle size (gzipped) 🟢 682.3 KB → 682.1 KB (-191 B, -0.0%)
Test coverage 🟢 78.09% → 78.09% (+0.0%)
Performance (preview) Preview not ready — Render deploy may have timed out
Accessibility
Best Practices
SEO

Updated Thu, 18 Jun 2026 21:14:53 GMT · run #1950

@ital0 ital0 self-assigned this Jun 18, 2026
@ital0 ital0 marked this pull request as ready for review June 18, 2026 20:57

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 4f6c1ff.

Comment thread .github/workflows/ci.yml