
build(deps): bump rustls-webpki from 0.103.9 to 0.103.10 in /platforms/tauri in the cargo group across 1 directory#2091

Open
dependabot[bot] wants to merge 1 commit into main from
dependabot/cargo/platforms/tauri/cargo-64b2a50fd2

Conversation

@dependabot dependabot bot commented on behalf of github Mar 21, 2026

Bumps the cargo group with 1 update in the /platforms/tauri directory: rustls-webpki.

Updates rustls-webpki from 0.103.9 to 0.103.10

Release notes

Sourced from rustls-webpki's releases.

0.103.10

Correct selection of candidate CRLs by Distribution Point and Issuing Distribution Point. If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored.

The impact was that correct provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates.

This vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL).

More likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.

This vulnerability is identified by GHSA-pwjx-qhcg-rvj4. Thank you to @1seal for the report.

What's Changed

Full Changelog: rustls/webpki@v/0.103.9...v/0.103.10

Commits
  • 348ce01 Prepare 0.103.10
  • dbde592 crl: fix authoritative_for() support for multiple URIs
  • 9c4838e avoid std::prelude imports
  • 009ef66 fix rust 1.94 ambiguous panic macro warnings
  • c41360d build(deps): bump taiki-e/cache-cargo-install-action from 2 to 3
  • e401d00 generate.py: reformat for black 2026.1.0
  • 06cedec Take semver-compatible deps
  • See full diff in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the cargo group with 1 update in the /platforms/tauri directory: [rustls-webpki](https://github.com/rustls/webpki).


Updates `rustls-webpki` from 0.103.9 to 0.103.10
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.9...v/0.103.10)

---
updated-dependencies:
- dependency-name: rustls-webpki
  dependency-version: 0.103.10
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and rust (Pull requests that update rust code) labels Mar 21, 2026
@dependabot dependabot bot requested a review from ryanmaclean as a code owner March 21, 2026 09:39
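The distribution-point matching described in the release notes above, as an added illustrative model written for this page. It is not rustls-webpki's code or API: every type, function and name below is invented for the demonstration, the sample certificate and CRL are constructed, and IDP matching is reduced to comparing a single URI per distribution point (real issuingDistributionPoint handling also covers onlyContainsUserCerts, onlyContainsCACerts and related flags, omitted here). It contrasts the "first DP only" comparison with the "any DP" comparison and shows how the outcome depends on the unknown-status policy.

```rust
// Added illustrative model (not rustls-webpki code). Names and types are invented.

#[derive(Debug, Clone, PartialEq)]
struct DistributionPoint {
    uri: &'static str, // one fullName GeneralName, simplified to a URI string
}

struct Cert {
    serial: u64,
    crl_dps: Vec<DistributionPoint>, // the certificate's cRLDistributionPoints, in order
}

struct Crl {
    idp: Option<DistributionPoint>, // issuingDistributionPoint.distributionPoint, if present
    revoked: Vec<u64>,              // serial numbers this CRL lists as revoked
}

#[derive(Debug, PartialEq)]
enum Status { Good, Revoked, Unknown }

#[derive(Debug, Clone, Copy)]
enum UnknownStatusPolicy { Deny, Allow }

#[derive(Debug, PartialEq)]
enum Error { CertRevoked, UnknownRevocationStatus }

/// Modelled pre-0.103.10 behaviour: only the certificate's FIRST DP is compared
/// against the CRL's IDP, so a CRL scoped to a later DP is never treated as authoritative.
fn authoritative_for_buggy(crl: &Crl, cert: &Cert) -> bool {
    match &crl.idp {
        None => true, // no IDP: the CRL covers every certificate of the issuer
        Some(idp) => cert.crl_dps.first() == Some(idp),
    }
}

/// Modelled 0.103.10 behaviour: the CRL is authoritative if ANY of the
/// certificate's DPs names the same distribution point as the CRL's IDP.
fn authoritative_for_fixed(crl: &Crl, cert: &Cert) -> bool {
    match &crl.idp {
        None => true,
        Some(idp) => cert.crl_dps.iter().any(|dp| dp == idp),
    }
}

/// Consult the first authoritative CRL; with no authoritative CRL the status is Unknown.
fn revocation_status(cert: &Cert, crls: &[Crl], authoritative: fn(&Crl, &Cert) -> bool) -> Status {
    for crl in crls {
        if !authoritative(crl, cert) {
            continue; // candidate CRL rejected as not covering this certificate
        }
        return if crl.revoked.contains(&cert.serial) { Status::Revoked } else { Status::Good };
    }
    Status::Unknown
}

/// Apply the unknown-status policy to the revocation status.
fn verify(cert: &Cert, crls: &[Crl], authoritative: fn(&Crl, &Cert) -> bool, policy: UnknownStatusPolicy) -> Result<(), Error> {
    match (revocation_status(cert, crls, authoritative), policy) {
        (Status::Revoked, _) => Err(Error::CertRevoked),
        (Status::Unknown, UnknownStatusPolicy::Deny) => Err(Error::UnknownRevocationStatus),
        (Status::Unknown, UnknownStatusPolicy::Allow) => Ok(()),
        (Status::Good, _) => Ok(()),
    }
}

/// Constructed scenario: a revoked certificate carrying two DPs, and a single CRL
/// whose IDP names the SECOND of them.
fn scenario() -> (Cert, Vec<Crl>) {
    let dp_a = DistributionPoint { uri: "http://crl.example.invalid/a.crl" };
    let dp_b = DistributionPoint { uri: "http://crl.example.invalid/b.crl" };
    let cert = Cert { serial: 0x1234, crl_dps: vec![dp_a, dp_b.clone()] };
    let crls = vec![Crl { idp: Some(dp_b), revoked: vec![0x1234] }];
    (cert, crls)
}

fn main() {
    let (cert, crls) = scenario();
    let variants = [
        ("buggy", authoritative_for_buggy as fn(&Crl, &Cert) -> bool),
        ("fixed", authoritative_for_fixed),
    ];
    for (name, f) in variants {
        for policy in [UnknownStatusPolicy::Deny, UnknownStatusPolicy::Allow] {
            println!("{name:5} {policy:?}: {:?}", verify(&cert, &crls, f, policy));
        }
    }
}
```

With the buggy matcher the only CRL is skipped, so the result is Err(UnknownRevocationStatus) under Deny (the safe failure the notes describe) and Ok(()) under Allow (the revoked certificate is accepted); with the fixed matcher both policies return Err(CertRevoked).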
@github-actions

PR Analysis 📊

Changed Files Summary:

  • JavaScript/TypeScript files: 0
  • Test files: 0
  • Documentation files: 0
  • Configuration files: 0

CI Status: Running automated checks...

@github-actions

Quick Checks Results

Check | Status
ESLint | ✅ Passed
TypeScript | ✅ Passed

✅ All quick checks passed!

@github-actions

Build Status ✅ Build successful

✅ Build completed successfully!

@github-actions

🔒 Security Audit Results

Secret Scanning: No secrets detected
⚠️ Environment Config: Missing variables
NPM Audit: Critical/High vulnerabilities
Secret Patterns: None detected


📊 View full results: Security Audit Summary
⏱️ Duration: < 2 minutes

@github-actions

Dependency Audit Results

# npm audit report

@hono/node-server  <1.19.10
Severity: high
@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware - https://github.com/advisories/GHSA-wc8c-qw6v-h7f6
fix available via `npm audit fix --force`
Will install prisma@6.19.2, which is a breaking change
node_modules/@hono/node-server
  @prisma/dev  <=0.22.0
  Depends on vulnerable versions of @hono/node-server
  node_modules/@prisma/dev
    prisma  >=6.13.0-dev.1
    Depends on vulnerable versions of @prisma/config
    Depends on vulnerable versions of @prisma/dev
    node_modules/prisma

basic-ftp  <5.2.0
Severity: critical
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method - https://github.com/advisories/GHSA-5rq4-664w-9x2c
fix available via `npm audit fix`
node_modules/basic-ftp

dompurify  3.1.3 - 3.3.1
Severity: moderate
DOMPurify contains a Cross-site Scripting vulnerability - https://github.com/advisories/GHSA-v2wj-7wpq-c8vv
fix available via `npm audit fix --force`
Will install monaco-editor@0.53.0, which is a breaking change
node_modules/dompurify
  monaco-editor  >=0.54.0-dev-20250909
  Depends on vulnerable versions of dompurify
  node_modules/monaco-editor

effect  <3.20.0
Severity: high
Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC - https://github.com/advisories/GHSA-38f7-945m-qr2g
fix available via `npm audit fix --force`
Will install prisma@6.19.2, which is a breaking change
node_modules/effect
  @prisma/config  >=6.13.0-dev.1
  Depends on vulnerable versions of effect
  node_modules/@prisma/config

express-rate-limit  8.2.0 - 8.2.1
Severity: high
express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network - https://github.com/advisories/GHSA-46wh-pxpv-q5gq
fix available via `npm audit fix`
node_modules/express-rate-limit

fast-xml-parser  4.0.0-beta.3 - 5.5.6
Severity: high
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder - https://github.com/advisories/GHSA-fj3w-jwp8-x2g3
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser - https://github.com/advisories/GHSA-jp2q-39xq-3w4g
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) - https://github.com/advisories/GHSA-8gc5-j5rx-235r
fix available via `npm audit fix`
node_modules/fast-xml-parser
  @aws-sdk/xml-builder  3.894.0 - 3.972.8
  Depends on vulnerable versions of fast-xml-parser
  node_modules/@aws-sdk/xml-builder

flatted  <=3.4.1
Severity: high
flatted vulnerable to unbounded recursion DoS in parse() revive phase - https://github.com/advisories/GHSA-25h7-pfq9-p65f
Prototype Pollution via parse() in NodeJS flatted - https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
fix available via `npm audit fix`
node_modules/flatted

hono  <=4.12.6
Severity: high
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo - https://github.com/advisories/GHSA-xh87-mx6m-69f3
Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie() - https://github.com/advisories/GHSA-5pq2-9x2x-5p6w
Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE() - https://github.com/advisories/GHSA-p6xx-57qc-3wxr
Hono vulnerable to arbitrary file access via serveStatic vulnerability  - https://github.com/advisories/GHSA-q5qw-h33p-qvwr
Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true }) - https://github.com/advisories/GHSA-v8w9-8mx6-g223
fix available via `npm audit fix`
node_modules/hono

next  16.0.0-beta.0 - 16.1.6
Severity: moderate
Next.js: HTTP request smuggling in rewrites - https://github.com/advisories/GHSA-ggv3-7p47-pfv8
Next.js: Unbounded next/image disk cache growth can exhaust storage - https://github.com/advisories/GHSA-3x4c-7xq6-9pq8
Next.js: Unbounded postponed resume buffering can lead to DoS - https://github.com/advisories/GHSA-h27x-g6w4-24gq
Next.js: null origin can bypass Server Actions CSRF checks - https://github.com/advisories/GHSA-mq59-m269-xvcx
Next.js: null origin can bypass dev HMR websocket CSRF checks - https://github.com/advisories/GHSA-jcc7-9wpm-mj36
fix available via `npm audit fix --force`
Will install next@16.2.1, which is outside the stated dependency range
node_modules/next

serialize-javascript  <=7.0.2
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
fix available via `npm audit fix --force`
Will install terser-webpack-plugin@5.4.0, which is outside the stated dependency range
node_modules/serialize-javascript
  terser-webpack-plugin  <=5.3.16
  Depends on vulnerable versions of serialize-javascript
  node_modules/terser-webpack-plugin

simple-git  3.15.0 - 3.32.2
Severity: critical
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE - https://github.com/advisories/GHSA-r275-fr43-pm7q
fix available via `npm audit fix --force`
Will install @datadog/datadog-ci@5.9.1, which is outside the stated dependency range
node_modules/simple-git
  @datadog/datadog-ci-base  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-base
    @datadog/datadog-ci  3.21.1 - 5.9.0
    Depends on vulnerable versions of @datadog/datadog-ci-base
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-coverage
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-deployment
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-dora
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-sarif
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-sbom
    node_modules/@datadog/datadog-ci
  @datadog/datadog-ci-plugin-coverage  5.3.0 - 5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-coverage
  @datadog/datadog-ci-plugin-deployment  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-deployment
  @datadog/datadog-ci-plugin-dora  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-dora
  @datadog/datadog-ci-plugin-sarif  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-sarif
  @datadog/datadog-ci-plugin-sbom  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-sbom

socket.io-parser  4.0.0 - 4.2.5
Severity: high
socket.io allows an unbounded number of binary attachments - https://github.com/advisories/GHSA-677m-j7p3-52f9
fix available via `npm audit fix`
node_modules/socket.io-parser

undici  7.0.0 - 7.23.0
Severity: high
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client - https://github.com/advisories/GHSA-f269-vfmq-vjvj
Undici has an HTTP Request/Response Smuggling issue - https://github.com/advisories/GHSA-2mjp-6q6p-2qxm
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression - https://github.com/advisories/GHSA-vrm6-8vpv-qv8q
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation - https://github.com/advisories/GHSA-v9p9-hfj2-hcw8
Undici has CRLF Injection in undici via `upgrade` option - https://github.com/advisories/GHSA-4992-7rv2-5pvq
Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - https://github.com/advisories/GHSA-phc3-fgpg-7m6h
fix available via `npm audit fix`
node_modules/undici

26 vulnerabilities (1 low, 3 moderate, 13 high, 9 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

@github-actions

Test Results ✅ Passed

Test Suites: 57 failed, 5 skipped, 488 passed, 545 of 550 total
Tests: 380 failed, 104 skipped, 30 todo, 10665 passed, 11179 total

✅ All tests passed! Ready for review.

View test output

Check the Actions tab for detailed test output.

@github-actions

PR Status Summary

Check | Status
Quick Checks | ✅ Passed
Tests | ✅ Passed
Build | ✅ Passed

All checks passed! This PR is ready to merge. 🎉
