tauri-apps / tauri

Build smaller, faster, and more secure desktop and mobile applications with a web frontend.
https://tauri.app
Apache License 2.0
83.65k stars, 2.51k forks

[bug] Tauri's Updater Private Keys Possibly Leaked via Vite Environment Variables #8459

Closed CodeCraftPlugin closed 9 months ago

CodeCraftPlugin commented 9 months ago

Describe the bug

First of all, I am new to app dev with Tauri and I was setting it up using npm. My project file settings are javascript-npm-react. When running npm install I get a high severity risk [image]

Reproduction

javascript-npm-react: when running npm install I get a high severity risk [image]

Expected behavior

Well, get no high severity risk.

Full tauri info output

> code@0.0.0 tauri
> tauri info

[✔] Environment
    - OS: Windows 10.0.22631 X64
    ✔ WebView2: 120.0.2210.77
    ✔ MSVC: Visual Studio Build Tools 2022
    ✔ rustc: 1.74.1 (a28077b28 2023-12-04)
    ✔ cargo: 1.74.1 (ecb9851af 2023-10-18)
    ✔ rustup: 1.26.0 (5af9b9484 2023-04-05)
    ✔ Rust toolchain: stable-x86_64-pc-windows-msvc (default)
    - node: 20.7.0
    - npm: 10.2.4

[-] Packages
    - tauri [RUST]: 1.5 (no lockfile)
    - tauri-build [RUST]: no manifest (no lockfile)
    - wry [RUST]: no manifest (no lockfile)
    - tao [RUST]: no manifest (no lockfile)
    - @tauri-apps/api [NPM]: 1.5.3
    - @tauri-apps/cli [NPM]: 1.5.9

[-] App
    - build-type: bundle
    - CSP: unset
    - distDir: ../dist
    - devPath: http://localhost:1420/
    - framework: React
    - bundler: Vite

Stack trace

No response

Additional context

No response

amrbashir commented 9 months ago

So the security CVE mentioned doesn't really involve our code but rather the previously recommended way of exposing TAURI_* environment variables in vite.conf.js. Read more about it, and the mitigation required, here: https://github.com/tauri-apps/tauri/security/advisories/GHSA-2rcp-jvr4-r259

The reason why you see the error, even if you updated the CLI to the latest version, is because we made a mistake when publishing the CVE and didn't list that 1.5.6 is considered a fixed version, but that should be fixed now.
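As an added illustration of the point in the comment above (this is not code from the Tauri project or from anyone in this thread), the JavaScript below models how Vite's `envPrefix` option decides which `process.env` entries are copied into `import.meta.env`, and therefore into the shipped frontend bundle. The sample environment is constructed, with placeholder values instead of real keys; the broad `["VITE_", "TAURI_"]` prefix list is the pattern the old recommendation used, and the narrower allowlist of `TAURI_*` build-metadata names is my assumption of the mitigation the linked advisory describes, so the advisory itself is the authoritative source for that list. The `leakedSecrets` and `assertNoSecretExposure` helpers are hypothetical names, not a Vite or Tauri API.

```javascript
// Added example: how Vite's envPrefix exposes (or withholds) TAURI_* variables.

// Constructed sample of the environment `tauri build` sets when the updater
// is configured. Values are placeholders, not real secrets.
const SAMPLE_BUILD_ENV = {
  VITE_API_URL: "https://example.invalid/api",
  TAURI_PLATFORM: "windows",
  TAURI_ARCH: "x86_64",
  TAURI_FAMILY: "windows",
  TAURI_PLATFORM_VERSION: "10.0.22631",
  TAURI_PLATFORM_TYPE: "Windows_NT",
  TAURI_DEBUG: "false",
  TAURI_PRIVATE_KEY: "<placeholder-updater-private-key>",
  TAURI_KEY_PASSWORD: "<placeholder-key-password>",
  PATH: "C:\\Windows\\System32",
};

// The previously recommended vite.config.js setting: every TAURI_* variable
// matches the prefix, including the updater signing key and its password.
const BROAD_ENV_PREFIX = ["VITE_", "TAURI_"];

// Allowlist mitigation: only the build-metadata variables the frontend needs.
// Assumed to mirror the advisory's list; treat the advisory as authoritative.
const ALLOWLIST_ENV_PREFIX = [
  "VITE_",
  "TAURI_PLATFORM",
  "TAURI_ARCH",
  "TAURI_FAMILY",
  "TAURI_PLATFORM_VERSION",
  "TAURI_PLATFORM_TYPE",
  "TAURI_DEBUG",
];

// Mimics Vite's prefix match: a variable reaches the client bundle when its
// name starts with any configured prefix (envPrefix may be a string or array).
function exposedClientEnv(env, envPrefix) {
  const prefixes = Array.isArray(envPrefix) ? envPrefix : [envPrefix];
  const exposed = {};
  for (const [name, value] of Object.entries(env)) {
    if (prefixes.some((prefix) => name.startsWith(prefix))) {
      exposed[name] = value;
    }
  }
  return exposed;
}

// Variables that must never be embedded in frontend assets.
const SECRET_ENV_NAMES = ["TAURI_PRIVATE_KEY", "TAURI_KEY_PASSWORD"];

// Returns the secret names a given envPrefix setting would expose.
function leakedSecrets(env, envPrefix) {
  const exposed = exposedClientEnv(env, envPrefix);
  return SECRET_ENV_NAMES.filter((name) => name in exposed);
}

// Pre-build guard (hypothetical helper): fails before bundling if the
// configured envPrefix would copy a signing secret into the bundle.
function assertNoSecretExposure(env, envPrefix) {
  const leaked = leakedSecrets(env, envPrefix);
  if (leaked.length > 0) {
    throw new Error(`envPrefix would expose secrets: ${leaked.join(", ")}`);
  }
  return true;
}

// Usage:
//   leakedSecrets(SAMPLE_BUILD_ENV, BROAD_ENV_PREFIX)      // both secret names
//   leakedSecrets(SAMPLE_BUILD_ENV, ALLOWLIST_ENV_PREFIX)  // []
```

Note that `"TAURI_PLATFORM"` in the allowlist is still a prefix match, so it also admits `TAURI_PLATFORM_VERSION` and `TAURI_PLATFORM_TYPE`, but it cannot match `TAURI_PRIVATE_KEY` or `TAURI_KEY_PASSWORD`; the guard is worth running in CI after any edit to `envPrefix`, since the leak only shows up in a build where the updater variables are actually set.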