宣布 Tauri 1.2.0
Tauri 团队很高兴宣布 1.2.0 版本的发布。它包括一个安全修复,因此我们鼓励新用户和现有用户更新到其中一个修复版本。其他更改已进行了内部审核,没有发现安全问题。
🌐 The Tauri team is happy to announce the 1.2.0 release. It includes a security fix, so we encourage new and existing users to update to one of the fixed versions. Other changes were internally audited and no security issues were found.
确保将 NPM 和 Cargo 的依赖都更新到 1.2.0 版本。你可以使用以下命令更新依赖:
🌐 Make sure to update both NPM and Cargo dependencies to the 1.2.0 release. You can update the dependencies with:
npm install @tauri-apps/cli@latest @tauri-apps/api@latestyarn upgrade @tauri-apps/cli @tauri-apps/api --latestpnpm update @tauri-apps/cli @tauri-apps/api --latestcargo update🌐 What’s in 1.2.0
🌐 Security patch
本次发布包括由 MessyComposer 报告的安全漏洞修补程序。由于在通过文件对话框和拖放功能选择路径时对特殊字符处理不当,可能会部分绕过 fs 范围定义。无法遍历任意路径,因为问题仅限于已允许路径的相邻文件和子文件夹。成功绕过需要用户在文件选择对话框中选择预先存在的恶意文件或目录,并且攻击者控制的逻辑来访问这些文件。这意味着该问题本身无法被滥用,需要进一步的有意或无意权限。该补丁在 1.0.7 和 1.1.2 中也可用。更多详细信息请查看 安全公告。
🌐 This release includes a patch for a security vulnerability reported by MessyComposer.
Due to incorrect escaping of special characters in paths selected via the file dialog and drag and drop functionality, it was possible to partially bypass the fs scope definition.
It was not possible to traverse into arbitrary paths, as the issue was limited to neighboring files and sub folders of already allowed paths.
A successful bypass requires the user to select a pre-existing malicious file or directory during the file picker dialog and an adversary controlled logic to access these files. This means the issue by itself can not be abused and requires further intentional or unintentional privileges.
The patch is also available in 1.0.7 and 1.1.2. See the advisory for more details.
🌐 Rust version update
此版本包括最低支持的 Rust 版本升级。Tauri 现在至少需要 Rust 1.59 才能编译。由于几个依赖的更新需要这一更改,这是必要的。
🌐 This release includes a minimum supported Rust version bump. Tauri now requires at least Rust 1.59 to compile. This was necessary due to several dependency updates that demanded this change.
🌐 Custom protocol headers on Linux
Linux Webview 绑定已更新,现在在使用 WebKit2GTK 2.36 或更高版本时支持自定义协议头。这解决了在生产环境中手动获取构建资源时的 CORS 问题。
🌐 The Linux webview binding has been updated and it now has support to custom protocol headers when running on webkit2gtk version 2.36 or above. This fixes CORS issues on production when manually fetching a build asset.
🌐 Enhanced titlebar configuration on macOS
我们终于合并了最受期待的一个拉取请求,引入了标题栏样式配置。你的应用现在可以定义透明或覆盖的标题栏,隐藏窗口标题文本,并定义窗口以接受首次鼠标事件,从而在接收到点击事件后可以立即获得焦点以便拖动。
🌐 We finally merged one of the most awaited pull requests, introducing the titlebar style configuration. Your application can now define a transparent or overlay titlebar, hide the window title text and define the window to accept first mouse events so it can be focused immediately after receiving a click event to be dragged.
带覆盖标题栏样式的窗口
带透明标题栏样式的窗口(使用窗口背景颜色)
🌐 Other changes
此版本中有许多较小的更改和错误修复。你可以在以下部分中查看版本说明的摘要。完整的变更日志可以在发布页面找到。
🌐 There are a lot of smaller changes and bug fixes in this release. You can see a summary of the release notes in the following sections. The complete changelog can be found on the releases page.
🌐 New
- 允许在创建窗口时配置用户代理 (#5317)
- 重新实现了创建非聚焦窗口的选项 (#5338)
- 添加了 acceptFirstMouse 窗口选项(macOS)(#5374)
- 添加了 tabbingIdentifier 窗口选项(macOS)(#5399)
- 增强了应用专用目录 API (#5272)
- 在应用模块(macOS)上添加了显示和隐藏方法 (#3689)
- 为 MacOS 托盘暴露 set_title(#5182)
- 前端静态文件的热重载支持 (#5256)
- 为打包包发布者添加一个配置选项 (#5283)
🌐 Enhancements
🌐 Fixes
- 修复自定义协议中的 HTML 模板标签 (#5247)
- 修复在 macOS 上读取资源文件时的范围检查 (#5218)
- 修复 fs/exists 的错误返回类型 (#5252)
- 使用正确的类而不是普通对象来初始化 Monitor 实例的 position 和 size 字段 (#5313)
- 修复 dialog.save 返回类型 (#5373)
- 请使用正确的日语代码 ja-JP,而不是 jp-JP (#5346)
- 在 WiX 的 light.exe 和 candle.exe 命令上清除环境变量,以避免“无法访问 Windows Installer 服务”错误。以 TAURI 为前缀的变量会被保留。(#4819]
- 修复 SystemTray::with_menu_on_left_click 中的回归 (#5235)
- 修复 tauri@1.1 中引入的回归问题,该问题导致在 Windows 上应用退出时无法移除托盘图标 (#5245)
- 修复在 tauri://window-created 事件监听器中访问 WebviewWindow.getByLabel 函数的问题 (#5458)
- 修复在 on_menu_event 闭包中修改菜单时的死锁。(#5257)
- 修复
__TAURI_PATTERN__对象冻结 (#5307)
Tauri 中文网 - 粤ICP备13048890号
Nodejs.cn 旗下网站