Report security issues privately via GitHub Security Advisories. Do not open public issues for security vulnerabilities.
The following cargo audit advisories are present but have been assessed as not exploitable in Markhere's threat model. They are documented here so reviewers can distinguish "accepted risk" from "overlooked finding".
- Dependency chain: `markhere` → `printpdf 0.7` → `lopdf 0.31`
- Vulnerable function: `lopdf::Document::load_mem` and related `load*` entry points (PDF parser)
- Fix version: lopdf 0.42.0
- Why not upgraded: printpdf 0.9.1 (latest) still pins `lopdf ^0.39.0`; lopdf 0.42.0 is API-incompatible with every released printpdf version. No upstream path exists.
- Markhere exposure: `export_to_pdf` in `src-tauri/src/lib.rs` only writes PDFs via `printpdf::PdfDocument`. Markhere never calls `lopdf::Document::load_mem` or any `load*` function. The vulnerable code path is unreachable.
- Attack vector required: opening a crafted ~21 KB PDF file. Markhere does not accept PDF files as input — it only exports Markdown to PDF.
- Decision: Accepted — code path unreachable, no user-facing PDF parsing surface.

- Dependency chain: `markhere` → `tauri` → `gtk3-rs` (atk/gdk/gtk/glib/gtk3-macros + `-sys` variants)
- Platform: Linux only (GTK3 is the Linux windowing backend for Tauri 2.x)
- Why not upgraded: Tauri 2.x does not yet support GTK4 on Linux. Migration requires a Tauri upstream release.
- Markhere exposure: these are "unmaintained" informational advisories — no known exploitable vulnerability, just no upstream maintenance.
- Decision: Accepted — blocked on Tauri upstream. Tracked in the `FUTURE_ROADMAP.md` P0 security section.

- Dependency chain: same as gtk-rs above
- Fix version: glib 0.20.0 (requires gtk-rs major version bump)
- Markhere exposure: same as above — Linux-only, Tauri upstream dependency.
- Decision: Accepted — blocked on Tauri upstream.

- Dependency chain: `markhere` → `tauri` → `gtk3-rs` → `glib-macros`/`gtk3-macros` → `proc-macro-error`
- Markhere exposure: informational only, no exploitable vulnerability. Build-time only.
- Decision: Accepted — blocked on gtk-rs upstream.

- Dependency chain: `markhere` → `tauri` → `tauri-utils` → `urlpattern 0.3` → `unic-ucd-ident` → `unic-*`
- Markhere exposure: informational only, no exploitable vulnerability.
- Decision: Accepted — blocked on Tauri upstream (urlpattern).
`cargo audit` runs in the Build workflow (`.github/workflows/build.yml`) with `continue-on-error: true` — it reports findings but does not block builds. This is intentional: all current findings are either accepted (see above) or blocked on upstream.
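With `continue-on-error: true`, a newly published advisory would be reported but never fail the build. One way to keep the accepted list above enforceable is to gate on the JSON report and fail only on findings that are not in the allowlist. This is an added example, not code from the Markhere repository; the RUSTSEC ids in `ACCEPTED` are placeholders (the page does not list the real ones) and the sample report is constructed:

```python
import json
import sys

# Accepted advisories keyed by RUSTSEC id, with the rationale from SECURITY.md. The ids are
# PLACEHOLDERS (this page does not list the real ones); copy them from `cargo audit` output.
ACCEPTED = {
    "RUSTSEC-0000-0001": "lopdf: load_mem/load* never called, Markhere only writes PDFs",
    "RUSTSEC-0000-0002": "gtk3-rs unmaintained: Linux only, blocked on Tauri GTK4 support",
    "RUSTSEC-0000-0004": "proc-macro-error unmaintained: build-time only",
}

def unaccepted_findings(report, accepted):
    """(id, package, kind) for each `cargo audit --json` finding not in the allowlist: vulnerabilities
    from report["vulnerabilities"]["list"], warnings grouped by kind under report["warnings"]."""
    findings = []
    for vuln in report.get("vulnerabilities", {}).get("list", []):
        findings.append((vuln["advisory"]["id"], vuln["package"]["name"], "vulnerability"))
    for kind, warnings in report.get("warnings", {}).items():
        for warn in warnings:
            # yanked-crate warnings carry no advisory, so key those by package name
            ident = (warn.get("advisory") or {}).get("id") or f"yanked:{warn['package']['name']}"
            findings.append((ident, warn["package"]["name"], kind))
    return [f for f in findings if f[0] not in accepted]

def stale_acceptances(report, accepted):
    """Accepted ids no longer reported (upstream fixed or dependency dropped): remove the entry."""
    reported = {f[0] for f in unaccepted_findings(report, {})}
    return sorted(i for i in accepted if i not in reported)

# Constructed sample in the cargo audit JSON shape, not real audit output.
SAMPLE_REPORT = {
    "vulnerabilities": {"found": True, "count": 2, "list": [
        {"advisory": {"id": "RUSTSEC-0000-0001"}, "package": {"name": "lopdf", "version": "0.31.0"}},
        {"advisory": {"id": "RUSTSEC-0000-0003"}, "package": {"name": "demo-crate", "version": "1.0.0"}},
    ]},
    "warnings": {
        "unmaintained": [{"advisory": {"id": "RUSTSEC-0000-0002"}, "package": {"name": "gtk", "version": "0.18.0"}}],
        "yanked": [{"package": {"name": "old-crate", "version": "0.1.0"}}],
    },
}

if __name__ == "__main__":
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    new = unaccepted_findings(report, ACCEPTED)
    for ident, pkg, kind in new:
        print(f"UNACCEPTED {kind}: {ident} in {pkg}")
    for ident in stale_acceptances(report, ACCEPTED):
        print(f"STALE acceptance, no longer reported: {ident}")
    sys.exit(1 if new else 0)
```

In CI this would run as `cargo audit --json > audit.json && python audit_gate.py audit.json` (script name assumed), exiting non-zero only for unaccepted findings while still printing stale entries so the accepted list is pruned when upstream fixes land.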
The following security improvements are tracked in `FUTURE_ROADMAP.md` P0:
- CSP `unsafe-eval` removal (hash-fence Mermaid/KaTeX inline scripts)
- Plugin sandbox (current `PluginLoader` uses `new Function()` — no isolation)
- `npm audit`/`cargo audit` failure threshold (once upstream blockers resolve)
- `safeInvoke` full coverage on all Tauri IPC calls
