security: 20 CVE advisories in Cargo.lock (bridge triage, Track E)

[hyperpolymath]

panic-attack estate sweep — Track E bridge triage

panic-attack bridge triage (RustSec advisory DB, with reachability analysis) found 20 CVE/advisory findings in this repo's Cargo.lock (out of 844 total dependencies; 20 vulnerable).

Severity: medium: 20
Reachability: phantom: 18, reachable: 2
Classification: informational: 18, unmitigable: 2

Each finding includes a recommended action (often Remove unused dependency for phantom-imported crates). Reachability phantom = declared in Cargo.toml but never imported in any .rs file — removing the dep eliminates the CVE entirely with no behavioural change.

Estate tracker: hyperpolymath/panic-attack#32.

Findings

full advisory list

RUSTSEC-2024-0413  atk@0.18.2  medium  reach=phantom  class=informational  fix=
RUSTSEC-2024-0416  atk-sys@0.18.2  medium  reach=phantom  class=informational  fix=
RUSTSEC-2025-0141  bincode@1.3.3  medium  reach=phantom  class=informational  fix=
RUSTSEC-2026-0105  core2@0.4.0  medium  reach=phantom  class=informational  fix=
RUSTSEC-2025-0057  fxhash@0.2.1  medium  reach=phantom  class=informational  fix=
RUSTSEC-2024-0412  gdk@0.18.2  medium  reach=phantom  class=informational  fix=
RUSTSEC-2024-0418  gdk-sys@0.18.2  medium  reach=phantom  class=informational  fix=
RUSTSEC-2024-0411  gdkwayland-sys@0.18.2  medium  reach=phantom  class=informational  fix=
RUSTSEC-2024-0414  gdkx11-sys@0.18.2  medium  reach=phantom  class=informational  fix=
GHSA-wrw7-89jp-8q8g  glib@0.18.5  medium  reach=phantom  class=informational  fix=
RUSTSEC-2024-0429  glib@0.18.5  medium  reach=phantom  class=informational  fix=
RUSTSEC-2024-0415  gtk@0.18.2  medium  reach=phantom  class=informational  fix=
RUSTSEC-2024-0420  gtk-sys@0.18.2  medium  reach=phantom  class=informational  fix=
RUSTSEC-2024-0419  gtk3-macros@0.18.2  medium  reach=phantom  class=informational  fix=
RUSTSEC-2023-0019  kuchiki@0.8.1  medium  reach=phantom  class=informational  fix=
GHSA-phqj-4mhp-q6mq  openssl@0.10.79  medium  reach=phantom  class=informational  fix=
RUSTSEC-2024-0436  paste@1.0.15  medium  reach=phantom  class=informational  fix=
RUSTSEC-2024-0370  proc-macro-error@1.0.4  medium  reach=phantom  class=informational  fix=
GHSA-cq8v-f236-94qc  rand@0.7.3  medium  reach=reachable  class=unmitigable  fix=
RUSTSEC-2026-0097  rand@0.7.3  medium  reach=reachable  class=unmitigable  fix=

---

🤖 Discovered during the panic-attack estate sweep (2026-05-26) — Track E (bridge triage). See hyperpolymath/panic-attack#32 for campaign tracker.

[hyperpolymath]

Triage (2026-05-27) — Cohort E-2 (Dioxus/GTK transitive)

This repo's advisories are NOT phantom-strippable in the mechanical sense — they're transitive via two direct deps declared in our Cargo.toml:

• dioxus = "0.7" (with desktop feature) → dioxus-desktop@0.7.9 → wry@0.53.5 → GTK/webkit2gtk family + supporting macro crates
• printpdf = "0.9" → kuchiki@0.8.1 + cssparser 0.27.2 chain → rand@0.7.3 (via phf_codegen build-time)

Informational (reach=phantom, declared-but-unused via parent; awaiting Cohort E-2 bridge rule):

• RUSTSEC-2024-0413 in atk@0.18.2 (parent: dioxus-desktop→wry→gtk)
• RUSTSEC-2024-0416 in atk-sys@0.18.2 (parent: dioxus-desktop→wry→gtk)
• RUSTSEC-2024-0412 in gdk@0.18.2 (parent: dioxus-desktop→wry→gtk)
• RUSTSEC-2024-0418 in gdk-sys@0.18.2 (parent: dioxus-desktop→wry→gtk)
• RUSTSEC-2024-0411 in gdkwayland-sys@0.18.2 (parent: dioxus-desktop→wry→gtk)
• RUSTSEC-2024-0414 in gdkx11-sys@0.18.2 (parent: dioxus-desktop→wry→gtk)
• GHSA-wrw7-89jp-8q8g in glib@0.18.5 (parent: dioxus-desktop→wry→gtk)
• RUSTSEC-2024-0429 in glib@0.18.5 (parent: dioxus-desktop→wry→gtk)
• RUSTSEC-2024-0415 in gtk@0.18.2 (parent: dioxus-desktop→wry)
• RUSTSEC-2024-0420 in gtk-sys@0.18.2 (parent: dioxus-desktop→wry→gtk)
• RUSTSEC-2024-0419 in gtk3-macros@0.18.2 (parent: dioxus-desktop→wry→gtk)
• RUSTSEC-2024-0370 in proc-macro-error@1.0.4 (parent: dioxus-desktop→wry→gtk3-macros)
• RUSTSEC-2024-0436 in paste@1.0.15 (parent: dioxus-desktop→wry→gtk3-macros)
• RUSTSEC-2025-0057 in fxhash@0.2.1 (parent: dioxus-desktop→wry/cssparser)
• GHSA-phqj-4mhp-q6mq in openssl@0.10.79 (parent: wry/transitive TLS)
• RUSTSEC-2023-0019 in kuchiki@0.8.1 (parent: printpdf — internal HTML→PDF)
• RUSTSEC-2025-0141 in bincode@1.3.3 (parent: transitive utility)
• RUSTSEC-2026-0105 in core2@0.4.0 (parent: transitive utility)

Reachable via upstream (build-time chain, not runtime):

• GHSA-cq8v-f236-94qc in rand@0.7.3 — reachable via printpdf → kuchiki → phf_codegen (compile-time). Needs PR to printpdf to bump kuchiki or its cssparser/phf_codegen chain.
• RUSTSEC-2026-0097 in rand@0.7.3 — same chain, same upstream fix.

Closure path:

This issue remains OPEN until either:

1. dioxus-desktop releases past wry@0.53.5 with bumped GTK family (track dioxus-desktop + wry) AND printpdf releases without kuchiki (or with kuchiki>0.8.1) — track printpdf;
2. Swap dioxus for non-GTK alternative (slint, gpui, gossamer) AND swap printpdf for kuchiki-free PDF lib (e.g. lopdf alone, pdf-writer); OR
3. panic-attack patch-bridge ships Cohort E-2 classification rule (tracked in patch-bridge: classify Dioxus/GTK transitive advisories as Informational (Cohort E-2) panic-attack#75) and these get re-classified Informational / accepted-risk.

Filing as Cohort E-2 (Dioxus/GTK transitive). 18 informational + 2 reachable (build-time-only).