fix(linux): exclude bundled NSS libs so AppImage launches on Arch / rolling distros

[senamakel]

Summary

Submodule bump for app/src-tauri/vendor/tauri-cef to pick up tinyhumansai/tauri-cef#15, which extends the AppImage bundler's exclude list (introduced in #1996 for glibc) to also drop the bundled NSS/NSPR family.

Fixes #2001 ([Bug] AppImage launch failure on Arch Linux/Hyprland: NSS version mismatch ...).

Why

Chromium/CEF inside the AppImage dlopen()s the host's /usr/lib/libsoftokn3.so for PKCS#11. On rolling distros the host's libsoftokn3 requires symbols only present in newer NSS (e.g. NSSUTIL_3.108), but LD_LIBRARY_PATH resolves libnssutil3 from the older bundled \$APPDIR/shared/lib first — the loader aborts the process before any window appears:

.../shared/lib/libnssutil3.so: version `NSSUTIL_3.108' not found
   (required by /usr/lib/libsoftokn3.so)
[FATAL:crypto/nss_util.cc:146] nss_error=-5925

The downstream X11 BadWindow / GPU errors in the bug report are symptoms of this fatal crypto-init crash — the process never reaches a coherent state, so window setup fails next.

Verification (reproduced in archlinux:latest Docker)

Library	Bundled in v0.53.43 AppImage	Host (Arch today)	Required by host libsoftokn3.so
libnssutil3.so defines up to	NSSUTIL_3.94	NSSUTIL_3.117	NSSUTIL_3.108 ❌

Direct dlopen(\"/usr/lib/libsoftokn3.so\") succeeds on a clean Arch container but fails the moment the AppImage's shared/lib is prepended to LD_LIBRARY_PATH — exactly matching the reporter's traceback.

Change

This PR contains a single submodule bump:

-Subproject commit f9213d5a6f338004d5e599ac49b8ca87336c5e1c
+Subproject commit e22ec719034fdac3994c42a3c040fafa10672219

All code lives in tinyhumansai/tauri-cef#15.

Test plan

• cargo check -p tauri-bundler passes against the new submodule revision locally
• CI Linux build produces an AppImage with no libnss*/libnssutil*/libsoftokn3*/libfreebl*/libnspr4*/libplc4*/libplds4*/libssl3*/libsmime3* under \$APPDIR/shared/lib
• Run the resulting AppImage in archlinux:latest: chromium crypto init must not abort with NSSUTIL_3.108 not found
• Smoke-test the AppImage on Ubuntu 22.04 / 24.04 to confirm host NSS is found and the app launches normally
• Manual launch on Arch + Hyprland to confirm the reporter's environment now boots past the crypto stage (the X11 BadWindow / GPU items in [Bug] AppImage launch failure on Arch Linux/Hyprland: NSS version mismatch and X11 BadWindow errors #2001 are separate display-side concerns — see issue follow-ups)

Refs tinyhumansai/tauri-cef#15
Refs #1996 (glibc-family precedent)

Summary by CodeRabbit

• Chores
  • Updated vendored dependencies.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ce36abc6-6131-4669-9b01-ee4ce3de7d1b

📥 Commits

Reviewing files that changed from the base of the PR and between c99d1eb and 0aba686.

📒 Files selected for processing (1)

• app/src-tauri/vendor/tauri-cef

---

📝 Walkthrough

Walkthrough

This PR updates the vendored tauri-cef submodule to a newer commit, advancing the CEF (Chromium Embedded Framework) dependency within the Tauri application framework.

Changes

CEF Vendored Submodule Update

Layer / File(s)	Summary
Tauri CEF submodule version update app/src-tauri/vendor/tauri-cef	The vendored tauri-cef submodule commit reference is advanced from f9213d5a to e22ec719 to incorporate upstream CEF improvements.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• tinyhumansai/openhuman#1996: Updates the same app/src-tauri/vendor/tauri-cef submodule pointer to a different commit, representing another upstream CEF version advancement.

Poem

🐰 A whisker-twitch and a bound so bright,
CEF's freshened up with improved delight,
From one commit hash to the next we leap,
Better rendering for dreams that run deep! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly describes the main change: excluding bundled NSS libs to fix AppImage launches on Arch/rolling distros, which directly aligns with the submodule bump.
Linked Issues check	✅ Passed	The PR implements the primary objective from #2001: excluding bundled NSS/NSPR libraries to resolve the NSSUTIL_3.108 version mismatch that prevented AppImage startup on rolling distros.
Out of Scope Changes check	✅ Passed	The PR contains only a targeted submodule bump to pick up the upstream fix for NSS library exclusion, with no extraneous changes beyond the stated objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}