fix(deps): resolve Dependabot security alerts and update WRAITH-RedOps dependencies#49
…s dependencies

Security Fixes:
- Update sqlx from 0.7 to 0.8 (CVE: Binary Protocol Misinterpretation, medium severity)
- Update vite from 4.4.0 to 7.3.1 (CVE: server.fs bypass, low severity x2)

WRAITH-RedOps Updates:
- Migrate operator-client from Tauri 1.5 to Tauri 2.2
- Migrate operator-client frontend to React 19 + TypeScript 5.9 + Vite 7.3
- Update team-server to Rust 2024 edition with modern dependencies
- Update gRPC stack (tonic 0.12, prost 0.13)
- Update web framework stack (axum 0.8, tower 0.5, tower-http 0.6)
- Apply project-wide formatting standards via cargo fmt
- Fix deprecated tonic_build::compile -> compile_protos

Resolves: Dependabot alerts #1, #2, #3
Related: PR #48

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Summary of Changes

Hello @doublegate, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request focuses on enhancing the security, stability, and modernity of the WRAITH-RedOps project. It addresses critical security alerts by updating key dependencies and performs a substantial upgrade of the operator client's underlying framework to Tauri 2.2. The changes also include a broad refresh of dependencies across both the client and server components, a migration to the latest Rust edition, and a structural refactoring of the client's Rust code for better organization.

Highlights
Pull request overview
This PR addresses three Dependabot security alerts and performs a comprehensive dependency modernization of the WRAITH-RedOps client ecosystem, including a major migration from Tauri 1.5 to Tauri 2.2. The PR updates critical dependencies (sqlx, tonic, prost, axum, tower, thiserror) for the team server and modernizes the operator client's frontend stack (React 18→19, Vite 4→7.3.1, TypeScript 5.0→5.9).
Changes:
- Fixes security vulnerabilities in sqlx (CVE binary protocol misinterpretation) and vite (middleware and fs settings issues)
- Migrates team-server Rust dependencies to their latest versions with Rust 2024 edition
- Migrates operator-client from Tauri 1.5 to Tauri 2.2 with proper library/binary separation
- Updates frontend dependencies to React 19, Vite 7.3.1, and Tailwind CSS 4
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| clients/wraith-redops/team-server/Cargo.toml | Updates dependencies to fix sqlx CVE and align with protocol versions (sqlx 0.8, tonic 0.12, prost 0.13, axum 0.8, tower 0.5, thiserror 2.0) |
| clients/wraith-redops/team-server/src/models/mod.rs | Changes IP address fields from IpNetwork to String with documentation comments, but introduces type mismatch with database INET columns |
| clients/wraith-redops/team-server/src/database/mod.rs | Renames get_pool() to pool() method, adds documentation, improves formatting |
| clients/wraith-redops/team-server/src/services/operator.rs | Formatting improvements with better line wrapping for method signatures and chained calls |
| clients/wraith-redops/team-server/src/services/implant.rs | Formatting improvements consistent with operator.rs |
| clients/wraith-redops/team-server/build.rs | Updates tonic-build API from compile() to compile_protos() for 0.12 compatibility |
| clients/wraith-redops/operator-client/src-tauri/Cargo.toml | Migrates to Tauri 2.2, updates gRPC dependencies, adds library/binary configuration |
| clients/wraith-redops/operator-client/src-tauri/tauri.conf.json | Updates to Tauri 2.x config schema, but references wrong icon paths (wraith-chat instead of local) |
| clients/wraith-redops/operator-client/src-tauri/src/main.rs | Refactors to minimal entry point that applies Linux Wayland workarounds and delegates to library |
| clients/wraith-redops/operator-client/src-tauri/src/lib.rs | New library file containing all application logic, properly documented with module-level docs |
| clients/wraith-redops/operator-client/src-tauri/build.rs | Updates tonic-build API for 0.12 compatibility |
| clients/wraith-redops/operator-client/package.json | Updates to React 19, Vite 7.3.1, TypeScript 5.9, Tailwind CSS 4, and modern Tauri 2.x frontend plugins |
@copilot open a new pull request to apply changes based on the comments in this thread
Code Review
This pull request primarily focuses on a significant upgrade of the Wraith RedOps Operator Console and Team Server to Tauri v2 and associated Rust dependencies, including React v19 for the frontend. Key changes involve updating package.json and Cargo.toml files across both client and server for new dependency versions (e.g., Tauri, React, Tonic, Prost, SQLx), adopting Rust 2024 edition, and introducing new Tauri plugins for dialog, filesystem, and shell interactions. The Operator Console's Rust backend logic has been refactored into a library (src/lib.rs), simplifying main.rs, and its tauri.conf.json has been updated for Tauri v2 schema, window properties, and detailed bundle metadata. The Team Server also saw dependency updates, including SQLx 0.8 to address a CVE, and minor code formatting improvements. Review comments highlight a concern about the tightly coupled icon paths in tauri.conf.json pointing to a sibling project and a warning regarding the change of internal_ip and external_ip fields in the Implant struct from IpNetwork to String, emphasizing the need for careful validation and parsing in application logic.
```rust
    pub internal_ip: Option<String>,
    /// External IP address stored as CIDR string (e.g., "203.0.113.50/32")
    pub external_ip: Option<String>,
```
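Review bot: the doc comment on `external_ip` promises a CIDR string such as "203.0.113.50/32", but the per-file summary above flags a type mismatch between these `Option<String>` fields and the database INET columns, so the queries that read and write `internal_ip`/`external_ip` need an explicit cast or the columns need a migration; the PR should state which. With `IpNetwork` gone, nothing in the type enforces the documented format any more, so a parse-and-reject step where the value is assigned (before it reaches the database or any socket call) would keep the documented invariant true.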
The internal_ip and external_ip fields in the Implant struct have been changed from Option<IpNetwork> to Option<String>. While this change is likely due to the sqlx dependency update removing the ipnetwork feature, it shifts the responsibility of IP address validation and parsing from the IpNetwork type to application logic. Ensure that all points where these IP addresses are used (e.g., database insertion, display, network operations) correctly handle the string format and perform necessary validation to prevent invalid IP strings from being stored or processed, which could lead to runtime errors or security issues.
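One way to do the validation the review above asks for, as an added example that is not code from PR #49 or the WRAITH-RedOps project: a std-only CIDR parser that validates and canonicalises the `Option<String>` values of `Implant::internal_ip` / `Implant::external_ip` at the boundary. The `Cidr` type, the `validate_ip_field` and `canonical_ip_string` helpers and the sample values are all constructed for this example; bare addresses are accepted as host routes on the assumption that the columns keep Postgres INET semantics.

```rust
// Added example, not code from PR #49 or the WRAITH-RedOps project: validate
// and canonicalise the CIDR strings now held in `Implant::internal_ip` and
// `Implant::external_ip` before they are stored or used. Uses only std, since
// the sqlx update dropped the `ipnetwork` type the fields previously used.
use std::fmt;
use std::net::IpAddr;

/// A validated "<address>/<prefix>" value, the format the struct's doc comments
/// describe (e.g. "203.0.113.50/32").
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Cidr {
    pub addr: IpAddr,
    pub prefix: u8,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum CidrError {
    Empty,
    BadAddress(String),
    BadPrefix(String),
}

impl Cidr {
    /// Parse an IPv4 or IPv6 address with an optional "/prefix". A bare address
    /// is treated as a host route (/32 or /128), matching Postgres INET
    /// semantics (assumption); anything that does not parse is rejected rather
    /// than passed through as an opaque string.
    pub fn parse(input: &str) -> Result<Cidr, CidrError> {
        let s = input.trim();
        if s.is_empty() {
            return Err(CidrError::Empty);
        }
        let (ip_part, prefix_part) = match s.split_once('/') {
            Some((ip, p)) => (ip, Some(p)),
            None => (s, None),
        };
        let addr: IpAddr = ip_part
            .parse()
            .map_err(|_| CidrError::BadAddress(ip_part.to_string()))?;
        let max = if addr.is_ipv4() { 32 } else { 128 };
        let prefix = match prefix_part {
            None => max,
            Some(p) => {
                let n: u8 = p.parse().map_err(|_| CidrError::BadPrefix(p.to_string()))?;
                if n > max {
                    return Err(CidrError::BadPrefix(p.to_string()));
                }
                n
            }
        };
        Ok(Cidr { addr, prefix })
    }
}

/// Canonical string form: IPv6 is compressed and lower-cased by std's Display,
/// and the prefix is always explicit, so every persisted value has one spelling.
impl fmt::Display for Cidr {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}/{}", self.addr, self.prefix)
    }
}

/// Validate one of the `Option<String>` fields on `Implant`. `None` stays
/// `None`; `Some` must parse, so a malformed value fails at the boundary
/// instead of reaching an INET column or a socket call later.
pub fn validate_ip_field(field: &Option<String>) -> Result<Option<Cidr>, CidrError> {
    match field {
        None => Ok(None),
        Some(raw) => Cidr::parse(raw).map(Some),
    }
}

/// Write-path helper: the canonical string to persist, or the error to return
/// to the caller (for example, to reject the gRPC request that carried it).
pub fn canonical_ip_string(field: &Option<String>) -> Result<Option<String>, CidrError> {
    validate_ip_field(field).map(|c| c.map(|c| c.to_string()))
}

fn main() {
    // Constructed sample values, including two that must be rejected.
    let samples = [
        Some("203.0.113.50/32".to_string()),
        Some("10.0.0.7".to_string()),
        Some("2001:DB8:0:0:0:0:0:1/64".to_string()),
        Some("203.0.113.50/33".to_string()),
        Some("not-an-ip".to_string()),
        None,
    ];
    for s in &samples {
        println!("{:?} -> {:?}", s, canonical_ip_string(s));
    }
}
```

Calling `canonical_ip_string` on every inbound value and persisting only its `Ok(Some(..))` output keeps the database free of strings that would fail an INET cast or a later `IpAddr` parse, and turns a bad implant report into a rejected request rather than a runtime panic in a display or network path.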
@doublegate I've opened a new pull request, #50, to work on those changes. Once the pull request is ready, I'll request review from you.
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Summary
Security Fixes
Dependency Updates
Team Server (Rust)
Operator Client (Tauri)
Testing
Notes
- dist/ directory is generated during build and not committed
- gen/ directory is excluded from version control

Generated with Claude Code