chore(deps): update rust crate tokio to v1.43.1 [security] #29

Open
Renovate wants to merge 1 commit from renovate/crate-tokio-vulnerability into main

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| tokio (source: https://github.com/tokio-rs/tokio) | dependencies | minor | `1.40.0` -> `1.43.1` |

Broadcast channel calls clone in parallel, but does not require Sync

RUSTSEC-2025-0023

Details

The broadcast channel internally calls clone on the stored value when
receiving it, and only requires T:Send. This means that using the broadcast
channel with values that are Send but not Sync can trigger unsoundness if
the clone implementation makes use of the value being !Sync.

Thank you to Austin Bonander for finding and reporting this issue.

Severity

Unknown

References
  • https://crates.io/crates/tokio
  • https://rustsec.org/advisories/RUSTSEC-2025-0023.html
  • https://github.com/tokio-rs/tokio/pull/7232

This data is provided by OSV (https://osv.dev/vulnerability/RUSTSEC-2025-0023) and the Rust Advisory Database (https://github.com/RustSec/advisory-db) (CC0 1.0).


Tokio broadcast channel calls clone in parallel, but does not require Sync

GHSA-rr8g-9fpq-6wmg

Details

The broadcast channel internally calls clone on the stored value when receiving it, and only requires T:Send. This means that using the broadcast channel with values that are Send but not Sync can trigger unsoundness if the clone implementation makes use of the value being !Sync.

Thank you to Austin Bonander for finding and reporting this issue.

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References
  • https://github.com/tokio-rs/tokio/pull/7232
  • https://github.com/tokio-rs/tokio
  • https://rustsec.org/advisories/RUSTSEC-2025-0023.html

This data is provided by OSV (https://osv.dev/vulnerability/GHSA-rr8g-9fpq-6wmg) and the GitHub Advisory Database (https://github.com/github/advisory-database) (CC-BY 4.0).


Release Notes

tokio-rs/tokio (tokio)

v1.43.1

Compare Source: https://github.com/tokio-rs/tokio/compare/tokio-1.43.0...tokio-1.43.1

v1.43.0: Tokio v1.43.0

Compare Source: https://github.com/tokio-rs/tokio/compare/tokio-1.42.1...tokio-1.43.0

1.43.0 (Jan 8th, 2025)

Added
  • net: add UdpSocket::peek methods (#​7068)
  • net: add support for Haiku OS (#​7042)
  • process: add Command::into_std() (#​7014)
  • signal: add SignalKind::info on illumos (#​6995)
  • signal: add support for realtime signals on illumos (#​7029)
Fixed
  • io: don't call set_len before initializing vector in Blocking (#​7054)
  • macros: suppress clippy::needless_return in #[tokio::main] (#​6874)
  • runtime: fix thread parking on WebAssembly (#​7041)
Changes
  • chore: use unsync loads for unsync_load (#​7073)
  • io: use Buf::put_bytes in Repeat read impl (#​7055)
  • task: drop the join waker of a task eagerly (#​6986)
Changes to unstable APIs
  • metrics: improve flexibility of H2Histogram Configuration (#​6963)
  • taskdump: add accessor methods for backtrace (#​6975)
Documented
  • io: clarify ReadBuf::uninit allows initialized buffers as well (#​7053)
  • net: fix ambiguity in TcpStream::try_write_vectored docs (#​7067)
  • runtime: fix LocalRuntime doc links (#​7074)
  • sync: extend documentation for watch::Receiver::wait_for (#​7038)
  • sync: fix typos in OnceCell docs (#​7047)

v1.42.1: Tokio v1.42.1

Compare Source: https://github.com/tokio-rs/tokio/compare/tokio-1.42.0...tokio-1.42.1

This release fixes a soundness issue in the broadcast channel. The channel accepts values that are Send but !Sync. Previously, the channel called clone() on these values without synchronizing. This release fixes the channel by synchronizing calls to .clone() (Thanks Austin Bonander for finding and reporting the issue).

Fixed
  • sync: synchronize clone() call in broadcast channel (#​7232)

v1.42.0: Tokio v1.42.0

Compare Source: https://github.com/tokio-rs/tokio/compare/tokio-1.41.1...tokio-1.42.0

1.42.0 (Dec 3rd, 2024)

Added
  • io: add AsyncFd::{try_io, try_io_mut} (#​6967)
Fixed
  • io: avoid ptr->ref->ptr roundtrip in RegistrationSet (#​6929)
  • runtime: do not defer yield_now inside block_in_place (#​6999)
Changes
  • io: simplify io readiness logic (#​6966)
Documented
  • net: fix docs for tokio::net::unix::{pid_t, gid_t, uid_t} (#​6791)
  • time: fix a typo in Instant docs (#​6982)

v1.41.1: Tokio v1.41.1

Compare Source: https://github.com/tokio-rs/tokio/compare/tokio-1.41.0...tokio-1.41.1

1.41.1 (Nov 7th, 2024)

Fixed
  • metrics: fix bug with wrong number of buckets for the histogram (#​6957)
  • net: display net requirement for net::UdpSocket in docs (#​6938)
  • net: fix typo in TcpStream internal comment (#​6944)

v1.41.0: Tokio v1.41.0

Compare Source: https://github.com/tokio-rs/tokio/compare/tokio-1.40.0...tokio-1.41.0

1.41.0 (Oct 22nd, 2024)

Added
  • metrics: stabilize global_queue_depth (#​6854, #​6918)
  • net: add conversions for unix SocketAddr (#​6868)
  • sync: add watch::Sender::sender_count (#​6836)
  • sync: add mpsc::Receiver::blocking_recv_many (#​6867)
  • task: stabilize Id apis (#​6793, #​6891)
Added (unstable)
  • metrics: add H2 Histogram option to improve histogram granularity (#​6897)
  • metrics: rename some histogram apis (#​6924)
  • runtime: add LocalRuntime (#​6808)
Changed
  • runtime: box futures larger than 16k on release mode (#​6826)
  • sync: add #[must_use] to Notified (#​6828)
  • sync: make watch cooperative (#​6846)
  • sync: make broadcast::Receiver cooperative (#​6870)
  • task: add task size to tracing instrumentation (#​6881)
  • wasm: enable cfg_fs for wasi target (#​6822)
Fixed
  • net: fix regression of abstract socket path in unix socket (#​6838)
Documented
  • io: recommend OwnedFd with AsyncFd (#​6821)
  • io: document cancel safety of AsyncFd methods (#​6890)
  • macros: render more comprehensible documentation for join and try_join (#​6814, #​6841)
  • net: fix swapped examples for TcpSocket::set_nodelay and TcpSocket::nodelay (#​6840)
  • sync: document runtime compatibility (#​6833)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.
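The advisory's Details section and the v1.42.1 release note above each describe the defect in one sentence: the broadcast channel cloned stored values that were `Send` but `!Sync` without synchronizing the `clone()` calls. The following Rust example is added here to make both halves concrete with a standard-library stand-in; it is not tokio's code and not part of the advisory. `Payload` is a constructed type that is `Send` but `!Sync` because it holds a `Cell`, and whose `Clone` impl writes through that `Cell`, which is exactly the condition the advisory names. `SyncedSlot` is a hypothetical one-slot "channel" that serializes `clone()` behind a `Mutex`, the same shape of fix the release note describes. Because `Mutex<T>` is `Sync` whenever `T: Send`, receiver threads can share the slot without `T: Sync` ever being required, and the stored value's clone counter comes out exact instead of racing. `assert_sync` is an added compile-time guard for code that cannot yet move to the patched version.

```rust
use std::cell::Cell;
use std::sync::{Arc, Mutex};
use std::thread;

/// Constructed payload type: the `Cell` makes it `Send` but `!Sync`, and
/// its `Clone` impl mutates through the `Cell`, which is exactly the
/// combination the advisory describes.
pub struct Payload {
    pub data: u64,
    pub clones: Cell<u64>,
}

impl Clone for Payload {
    fn clone(&self) -> Self {
        // Two threads running this body on the same `&Payload` at once would
        // race on the `Cell`; nothing in `Cell` itself prevents that.
        self.clones.set(self.clones.get() + 1);
        Payload { data: self.data, clones: Cell::new(0) }
    }
}

/// Hypothetical stand-in for one slot of a broadcast channel (not tokio's
/// code). The value sits behind a `Mutex`, so every `clone()` is serialized.
/// `Mutex<T>` is `Sync` whenever `T: Send`, which is why this slot can be
/// shared between receiver threads with only a `Send` bound on `T`.
pub struct SyncedSlot<T> {
    value: Mutex<T>,
}

impl<T: Clone + Send> SyncedSlot<T> {
    pub fn new(value: T) -> Self {
        SyncedSlot { value: Mutex::new(value) }
    }

    /// What a receiver does: clone the stored value out, under the lock.
    pub fn recv(&self) -> T {
        self.value.lock().expect("slot poisoned").clone()
    }

    /// Inspect the stored value without cloning it, also under the lock.
    pub fn with<R>(&self, f: impl FnOnce(&T) -> R) -> R {
        let guard = self.value.lock().expect("slot poisoned");
        f(&*guard)
    }
}

/// Compile-time guard: a call `assert_sync::<P>()` only compiles when `P`
/// is `Sync`, so a `!Sync` payload type becomes a build error rather than
/// a latent data race on an unpatched channel.
pub fn assert_sync<T: Sync>() {}

/// Share one slot between `n` receiver threads that each clone the value.
/// Returns (clones recorded by the stored value, sum of the received data).
pub fn broadcast_to_threads(n: usize) -> (u64, u64) {
    let slot = Arc::new(SyncedSlot::new(Payload { data: 42, clones: Cell::new(0) }));
    let handles: Vec<_> = (0..n)
        .map(|_| {
            let slot = Arc::clone(&slot);
            // Spawning requires the closure to be `Send`, which holds because
            // `Mutex<Payload>` is `Sync` given `Payload: Send`.
            thread::spawn(move || slot.recv().data)
        })
        .collect();
    let sum: u64 = handles
        .into_iter()
        .map(|h| h.join().expect("receiver panicked"))
        .sum();
    // Every clone ran under the lock, so the counter is exact: one per receiver.
    let clones = slot.with(|p| p.clones.get());
    (clones, sum)
}

fn main() {
    let (clones, sum) = broadcast_to_threads(8);
    println!("{clones} synchronized clones, data sum {sum}");
    // `assert_sync::<Payload>()` does not compile: Payload is !Sync.
    assert_sync::<u64>();
}
```

Placing `assert_sync::<YourPayload>()` next to the `broadcast::channel` construction in a crate still pinned before 1.42.1 turns the advisory's precondition (a `Send` but `!Sync` payload) into a compile error; once the crate is on 1.42.1 or later the guard is no longer needed for soundness, because the channel itself serializes the `clone()` calls.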

fix(deps): update rust crate tokio to v1.43.1 [security]
Some checks failed
Cargo Build & Test / Test publish (pull_request) Failing after 2s
Cargo Build & Test / check-cargo-version (pull_request) Failing after 14s
Cargo Build & Test / Tests (pull_request) Successful in 1m49s
3104603f89
Renovate changed title from fix(deps): update rust crate tokio to v1.43.1 [security] to chore(deps): update rust crate tokio to v1.43.1 [security] 2025-09-13 20:08:00 +00:00

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/crate-tokio-vulnerability:renovate/crate-tokio-vulnerability
git switch renovate/crate-tokio-vulnerability
Reference: jank/loadstar#29