Skip to content

Commit a8986d2

Browse files
committed
Refactor random byte generation in encryption commands and database encryption
- Updated `encrypt_bytes` function to use `OsRng.gen()` for generating salt and nonce. - Simplified `generate_salt` and `generate_nonce` functions in `db_encryption.rs` to utilize `OsRng.gen()`. - Updated dependencies in `package-lock.json` for `qs` and `tmp` packages to their latest versions.
1 parent 385d519 commit a8986d2

8 files changed

Lines changed: 297 additions & 274 deletions

File tree

.github/workflows/ci.yml

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,10 +7,17 @@ on:
77
branches: [master, main, dev]
88
workflow_dispatch:
99

10+
permissions:
11+
contents: read
12+
actions: write
13+
1014
jobs:
1115
frontend:
1216
name: Frontend lint, typecheck & unit tests
1317
runs-on: ubuntu-latest
18+
permissions:
19+
contents: read
20+
actions: write
1421
steps:
1522
- uses: actions/checkout@v4
1623

@@ -35,6 +42,9 @@ jobs:
3542
rust:
3643
name: Rust check & test
3744
runs-on: ubuntu-latest
45+
permissions:
46+
contents: read
47+
actions: write
3848
steps:
3949
- uses: actions/checkout@v4
4050

@@ -69,6 +79,9 @@ jobs:
6979
tauri-build:
7080
name: Tauri build smoke test
7181
runs-on: ubuntu-latest
82+
permissions:
83+
contents: read
84+
actions: write
7285
steps:
7386
- uses: actions/checkout@v4
7487

@@ -109,6 +122,9 @@ jobs:
109122
offline-critical-journeys:
110123
name: Offline critical journey tests
111124
runs-on: ubuntu-latest
125+
permissions:
126+
contents: read
127+
actions: write
112128
needs: [frontend, rust]
113129
steps:
114130
- uses: actions/checkout@v4
@@ -148,6 +164,9 @@ jobs:
148164
migration-rehearsal:
149165
name: 1.x → 2.0 migration rehearsal
150166
runs-on: ubuntu-latest
167+
permissions:
168+
contents: read
169+
actions: write
151170
needs: [rust]
152171
steps:
153172
- uses: actions/checkout@v4

CHANGELOG.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -76,6 +76,14 @@ Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
7676
- **Database encryption disable flow** — fixed a bug where disabling encryption and restarting could corrupt or overwrite the latest plaintext with a stale encrypted backup. Disabling now preserves the current runtime plaintext and removes encrypted artifacts after verifying the plaintext is valid.
7777
- **Database open retry on restart** — added a short retry loop when opening the profile database during startup to avoid "localhost refused connection" / startup failures caused by Windows file-lock races after `app.restart()`.
7878

79+
### Security
80+
81+
- **Resolved npm audit findings** — updated `esbuild` to `^0.28.1` and `react-router-dom` to `^6.30.4` to address GHSA-gv7w-rqvm-qjhr, GHSA-g7r4-m6w7-qqqr, and GHSA-2j2x-hqr9-3h42.
82+
- **Updated VS Code extension dependencies** — ran `npm audit fix` in `vscode-extension/` to resolve `tmp` (GHSA-ph9p-34f9-6g65) and `qs` (GHSA-q8mj-m7cp-5q26) alerts.
83+
- **Updated Rust transitive dependencies** — ran `cargo update` to pull in latest compatible versions of 46 crates, including `hyper`, `reqwest`, `rustls-native-certs`, `tao`, `zbus`, and `zerocopy`.
84+
- **CodeQL: hard-coded cryptographic value** — refactored salt/nonce generation in `src-tauri/src/db_encryption.rs` and `src-tauri/src/commands/data_reliability_cmd.rs` to use `OsRng.gen()` instead of zero-initialized arrays, eliminating false-positive hard-coded crypto alerts.
85+
- **CodeQL: workflow permissions** — added explicit `permissions: { contents: read, actions: write }` at workflow and job level in `.github/workflows/ci.yml`.
86+
7987
## [1.4.4] - 2026-06-06
8088

8189
### Added

0 commit comments

Comments
 (0)