chore(deps): update rust crate tokio to v1.43.1 [security] #29

Open

Renovate wants to merge 1 commit from renovate/crate-tokio-vulnerability into main

pull from: renovate/crate-tokio-vulnerability

merge into: jank:main

jank:main

jank:renovate/actions-checkout-5.x

jank:renovate/actions-checkout-digest

jank:renovate/https-git.kjan.de-actions-cache-digest

jank:renovate/lock-file-maintenance

jank:renovate/dependencies-(major-and-minor)

Conversation 0 Commits 1 Files changed 1 +7 -7

Renovate commented 2025-08-21 15:07:02 +00:00

Collaborator

Copy link

This PR contains the following updates:

Package	Type	Update	Change
tokio (source)	dependencies	minor	1.40.0 -> 1.43.1

---

Broadcast channel calls clone in parallel, but does not require Sync

RUSTSEC-2025-0023

More information

Details

The broadcast channel internally calls clone on the stored value when
receiving it, and only requires T:Send. This means that using the broadcast
channel with values that are Send but not Sync can trigger unsoundness if
the clone implementation makes use of the value being !Sync.

Thank you to Austin Bonander for finding and reporting this issue.

Severity

Unknown

References

• https://crates.io/crates/tokio
• https://rustsec.org/advisories/RUSTSEC-2025-0023.html
• https://github.com/tokio-rs/tokio/pull/7232

This data is provided by OSV and the Rust Advisory Database (CC0 1.0).

---

Tokio broadcast channel calls clone in parallel, but does not require Sync

GHSA-rr8g-9fpq-6wmg

More information

Details

The broadcast channel internally calls clone on the stored value when receiving it, and only requires T:Send. This means that using the broadcast channel with values that are Send but not Sync can trigger unsoundness if the clone implementation makes use of the value being !Sync.

Thank you to Austin Bonander for finding and reporting this issue.

Severity

• CVSS Score: 2.7 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

• https://github.com/tokio-rs/tokio/pull/7232
• https://github.com/tokio-rs/tokio
• https://rustsec.org/advisories/RUSTSEC-2025-0023.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

tokio-rs/tokio (tokio)

v1.43.1

Compare Source

v1.43.0: Tokio v1.43.0

Compare Source

1.43.0 (Jan 8th, 2025)

Added

• net: add UdpSocket::peek methods (#​7068)
• net: add support for Haiku OS (#​7042)
• process: add Command::into_std() (#​7014)
• signal: add SignalKind::info on illumos (#​6995)
• signal: add support for realtime signals on illumos (#​7029)

Fixed

• io: don't call set_len before initializing vector in Blocking (#​7054)
• macros: suppress clippy::needless_return in #[tokio::main] (#​6874)
• runtime: fix thread parking on WebAssembly (#​7041)

Changes

• chore: use unsync loads for unsync_load (#​7073)
• io: use Buf::put_bytes in Repeat read impl (#​7055)
• task: drop the join waker of a task eagerly (#​6986)

Changes to unstable APIs

• metrics: improve flexibility of H2Histogram Configuration (#​6963)
• taskdump: add accessor methods for backtrace (#​6975)

Documented

• io: clarify ReadBuf::uninit allows initialized buffers as well (#​7053)
• net: fix ambiguity in TcpStream::try_write_vectored docs (#​7067)
• runtime: fix LocalRuntime doc links (#​7074)
• sync: extend documentation for watch::Receiver::wait_for (#​7038)
• sync: fix typos in OnceCell docs (#​7047)

v1.42.1: Tokio v1.42.1

Compare Source

This release fixes a soundness issue in the broadcast channel. The channel accepts values that are Send but !Sync. Previously, the channel called clone() on these values without synchronizing. This release fixes the channel by synchronizing calls to .clone() (Thanks Austin Bonander for finding and reporting the issue).

Fixed

• sync: synchronize clone() call in broadcast channel (#​7232)

v1.42.0: Tokio v1.42.0

Compare Source

1.42.0 (Dec 3rd, 2024)

Added

• io: add AsyncFd::{try_io, try_io_mut} (#​6967)

Fixed

• io: avoid ptr->ref->ptr roundtrip in RegistrationSet (#​6929)
• runtime: do not defer yield_now inside block_in_place (#​6999)

Changes

• io: simplify io readiness logic (#​6966)

Documented

• net: fix docs for tokio::net::unix::{pid_t, gid_t, uid_t} (#​6791)
• time: fix a typo in Instant docs (#​6982)

v1.41.1: Tokio v1.41.1

Compare Source

1.41.1 (Nov 7th, 2024)

Fixed

• metrics: fix bug with wrong number of buckets for the histogram (#​6957)
• net: display net requirement for net::UdpSocket in docs (#​6938)
• net: fix typo in TcpStream internal comment (#​6944)

v1.41.0: Tokio v1.41.0

Compare Source

1.41.0 (Oct 22th, 2024)

Added

• metrics: stabilize global_queue_depth (#​6854, #​6918)
• net: add conversions for unix SocketAddr (#​6868)
• sync: add watch::Sender::sender_count (#​6836)
• sync: add mpsc::Receiver::blocking_recv_many (#​6867)
• task: stabilize Id apis (#​6793, #​6891)

Added (unstable)

• metrics: add H2 Histogram option to improve histogram granularity (#​6897)
• metrics: rename some histogram apis (#​6924)
• runtime: add LocalRuntime (#​6808)

Changed

• runtime: box futures larger than 16k on release mode (#​6826)
• sync: add #[must_use] to Notified (#​6828)
• sync: make watch cooperative (#​6846)
• sync: make broadcast::Receiver cooperative (#​6870)
• task: add task size to tracing instrumentation (#​6881)
• wasm: enable cfg_fs for wasi target (#​6822)

Fixed

• net: fix regression of abstract socket path in unix socket (#​6838)

Documented

• io: recommend OwnedFd with AsyncFd (#​6821)
• io: document cancel safety of AsyncFd methods (#​6890)
• macros: render more comprehensible documentation for join and try_join (#​6814, #​6841)
• net: fix swapped examples for TcpSocket::set_nodelay and TcpSocket::nodelay (#​6840)
• sync: document runtime compatibility (#​6833)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [tokio](https://tokio.rs) ([source](https://github.com/tokio-rs/tokio)) | dependencies | minor | `1.40.0` -> `1.43.1` | --- ### Broadcast channel calls clone in parallel, but does not require `Sync` [RUSTSEC-2025-0023](https://rustsec.org/advisories/RUSTSEC-2025-0023.html) <details> <summary>More information</summary> #### Details The broadcast channel internally calls `clone` on the stored value when receiving it, and only requires `T:Send`. This means that using the broadcast channel with values that are `Send` but not `Sync` can trigger unsoundness if the `clone` implementation makes use of the value being `!Sync`. Thank you to Austin Bonander for finding and reporting this issue. #### Severity Unknown #### References - [https://crates.io/crates/tokio](https://crates.io/crates/tokio) - [https://rustsec.org/advisories/RUSTSEC-2025-0023.html](https://rustsec.org/advisories/RUSTSEC-2025-0023.html) - [https://github.com/tokio-rs/tokio/pull/7232](https://github.com/tokio-rs/tokio/pull/7232) This data is provided by [OSV](https://osv.dev/vulnerability/RUSTSEC-2025-0023) and the [Rust Advisory Database](https://github.com/RustSec/advisory-db) ([CC0 1.0](https://github.com/rustsec/advisory-db/blob/main/LICENSE.txt)). </details> --- ### Tokio broadcast channel calls clone in parallel, but does not require `Sync` [GHSA-rr8g-9fpq-6wmg](https://github.com/advisories/GHSA-rr8g-9fpq-6wmg) <details> <summary>More information</summary> #### Details The broadcast channel internally calls `clone` on the stored value when receiving it, and only requires `T:Send`. This means that using the broadcast channel with values that are `Send` but not `Sync` can trigger unsoundness if the `clone` implementation makes use of the value being `!Sync`. Thank you to Austin Bonander for finding and reporting this issue. #### Severity - CVSS Score: 2.7 / 10 (Low) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U` #### References - [https://github.com/tokio-rs/tokio/pull/7232](https://github.com/tokio-rs/tokio/pull/7232) - [https://github.com/tokio-rs/tokio](https://github.com/tokio-rs/tokio) - [https://rustsec.org/advisories/RUSTSEC-2025-0023.html](https://rustsec.org/advisories/RUSTSEC-2025-0023.html) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-rr8g-9fpq-6wmg) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>tokio-rs/tokio (tokio)</summary> ### [`v1.43.1`](https://github.com/tokio-rs/tokio/compare/tokio-1.43.0...tokio-1.43.1) [Compare Source](https://github.com/tokio-rs/tokio/compare/tokio-1.43.0...tokio-1.43.1) ### [`v1.43.0`](https://github.com/tokio-rs/tokio/releases/tag/tokio-1.43.0): Tokio v1.43.0 [Compare Source](https://github.com/tokio-rs/tokio/compare/tokio-1.42.1...tokio-1.43.0) ### 1.43.0 (Jan 8th, 2025) ##### Added - net: add `UdpSocket::peek` methods ([#&#8203;7068]) - net: add support for Haiku OS ([#&#8203;7042]) - process: add `Command::into_std()` ([#&#8203;7014]) - signal: add `SignalKind::info` on illumos ([#&#8203;6995]) - signal: add support for realtime signals on illumos ([#&#8203;7029]) ##### Fixed - io: don't call `set_len` before initializing vector in `Blocking` ([#&#8203;7054]) - macros: suppress `clippy::needless_return` in `#[tokio::main]` ([#&#8203;6874]) - runtime: fix thread parking on WebAssembly ([#&#8203;7041]) ##### Changes - chore: use unsync loads for `unsync_load` ([#&#8203;7073]) - io: use `Buf::put_bytes` in `Repeat` read impl ([#&#8203;7055]) - task: drop the join waker of a task eagerly ([#&#8203;6986]) ##### Changes to unstable APIs - metrics: improve flexibility of H2Histogram Configuration ([#&#8203;6963]) - taskdump: add accessor methods for backtrace ([#&#8203;6975]) ##### Documented - io: clarify `ReadBuf::uninit` allows initialized buffers as well ([#&#8203;7053]) - net: fix ambiguity in `TcpStream::try_write_vectored` docs ([#&#8203;7067]) - runtime: fix `LocalRuntime` doc links ([#&#8203;7074]) - sync: extend documentation for `watch::Receiver::wait_for` ([#&#8203;7038]) - sync: fix typos in `OnceCell` docs ([#&#8203;7047]) [#&#8203;6874]: https://github.com/tokio-rs/tokio/pull/6874 [#&#8203;6963]: https://github.com/tokio-rs/tokio/pull/6963 [#&#8203;6975]: https://github.com/tokio-rs/tokio/pull/6975 [#&#8203;6986]: https://github.com/tokio-rs/tokio/pull/6986 [#&#8203;6995]: https://github.com/tokio-rs/tokio/pull/6995 [#&#8203;7014]: https://github.com/tokio-rs/tokio/pull/7014 [#&#8203;7029]: https://github.com/tokio-rs/tokio/pull/7029 [#&#8203;7038]: https://github.com/tokio-rs/tokio/pull/7038 [#&#8203;7041]: https://github.com/tokio-rs/tokio/pull/7041 [#&#8203;7042]: https://github.com/tokio-rs/tokio/pull/7042 [#&#8203;7047]: https://github.com/tokio-rs/tokio/pull/7047 [#&#8203;7053]: https://github.com/tokio-rs/tokio/pull/7053 [#&#8203;7054]: https://github.com/tokio-rs/tokio/pull/7054 [#&#8203;7055]: https://github.com/tokio-rs/tokio/pull/7055 [#&#8203;7067]: https://github.com/tokio-rs/tokio/pull/7067 [#&#8203;7068]: https://github.com/tokio-rs/tokio/pull/7068 [#&#8203;7073]: https://github.com/tokio-rs/tokio/pull/7073 [#&#8203;7074]: https://github.com/tokio-rs/tokio/pull/7074 ### [`v1.42.1`](https://github.com/tokio-rs/tokio/releases/tag/tokio-1.42.1): Tokio v1.42.1 [Compare Source](https://github.com/tokio-rs/tokio/compare/tokio-1.42.0...tokio-1.42.1) This release fixes a soundness issue in the broadcast channel. The channel accepts values that are `Send` but `!Sync`. Previously, the channel called `clone()` on these values without synchronizing. This release fixes the channel by synchronizing calls to `.clone()` (Thanks Austin Bonander for finding and reporting the issue). ##### Fixed - sync: synchronize `clone()` call in broadcast channel ([#&#8203;7232]) [#&#8203;7232]: https://github.com/tokio-rs/tokio/pull/7232 ### [`v1.42.0`](https://github.com/tokio-rs/tokio/releases/tag/tokio-1.42.0): Tokio v1.42.0 [Compare Source](https://github.com/tokio-rs/tokio/compare/tokio-1.41.1...tokio-1.42.0) ### 1.42.0 (Dec 3rd, 2024) ##### Added - io: add `AsyncFd::{try_io, try_io_mut}` ([#&#8203;6967]) ##### Fixed - io: avoid `ptr->ref->ptr` roundtrip in RegistrationSet ([#&#8203;6929]) - runtime: do not defer `yield_now` inside `block_in_place` ([#&#8203;6999]) ##### Changes - io: simplify io readiness logic ([#&#8203;6966]) ##### Documented - net: fix docs for `tokio::net::unix::{pid_t, gid_t, uid_t}` ([#&#8203;6791]) - time: fix a typo in `Instant` docs ([#&#8203;6982]) [#&#8203;6791]: https://github.com/tokio-rs/tokio/pull/6791 [#&#8203;6929]: https://github.com/tokio-rs/tokio/pull/6929 [#&#8203;6966]: https://github.com/tokio-rs/tokio/pull/6966 [#&#8203;6967]: https://github.com/tokio-rs/tokio/pull/6967 [#&#8203;6982]: https://github.com/tokio-rs/tokio/pull/6982 [#&#8203;6999]: https://github.com/tokio-rs/tokio/pull/6999 ### [`v1.41.1`](https://github.com/tokio-rs/tokio/releases/tag/tokio-1.41.1): Tokio v1.41.1 [Compare Source](https://github.com/tokio-rs/tokio/compare/tokio-1.41.0...tokio-1.41.1) ### 1.41.1 (Nov 7th, 2024) ##### Fixed - metrics: fix bug with wrong number of buckets for the histogram ([#&#8203;6957]) - net: display `net` requirement for `net::UdpSocket` in docs ([#&#8203;6938]) - net: fix typo in `TcpStream` internal comment ([#&#8203;6944]) [#&#8203;6957]: https://github.com/tokio-rs/tokio/pull/6957 [#&#8203;6938]: https://github.com/tokio-rs/tokio/pull/6938 [#&#8203;6944]: https://github.com/tokio-rs/tokio/pull/6944 ### [`v1.41.0`](https://github.com/tokio-rs/tokio/releases/tag/tokio-1.41.0): Tokio v1.41.0 [Compare Source](https://github.com/tokio-rs/tokio/compare/tokio-1.40.0...tokio-1.41.0) ### 1.41.0 (Oct 22th, 2024) ##### Added - metrics: stabilize `global_queue_depth` ([#&#8203;6854], [#&#8203;6918]) - net: add conversions for unix `SocketAddr` ([#&#8203;6868]) - sync: add `watch::Sender::sender_count` ([#&#8203;6836]) - sync: add `mpsc::Receiver::blocking_recv_many` ([#&#8203;6867]) - task: stabilize `Id` apis ([#&#8203;6793], [#&#8203;6891]) ##### Added (unstable) - metrics: add H2 Histogram option to improve histogram granularity ([#&#8203;6897]) - metrics: rename some histogram apis ([#&#8203;6924]) - runtime: add `LocalRuntime` ([#&#8203;6808]) ##### Changed - runtime: box futures larger than 16k on release mode ([#&#8203;6826]) - sync: add `#[must_use]` to `Notified` ([#&#8203;6828]) - sync: make `watch` cooperative ([#&#8203;6846]) - sync: make `broadcast::Receiver` cooperative ([#&#8203;6870]) - task: add task size to tracing instrumentation ([#&#8203;6881]) - wasm: enable `cfg_fs` for `wasi` target ([#&#8203;6822]) ##### Fixed - net: fix regression of abstract socket path in unix socket ([#&#8203;6838]) ##### Documented - io: recommend `OwnedFd` with `AsyncFd` ([#&#8203;6821]) - io: document cancel safety of `AsyncFd` methods ([#&#8203;6890]) - macros: render more comprehensible documentation for `join` and `try_join` ([#&#8203;6814], [#&#8203;6841]) - net: fix swapped examples for `TcpSocket::set_nodelay` and `TcpSocket::nodelay` ([#&#8203;6840]) - sync: document runtime compatibility ([#&#8203;6833]) [#&#8203;6793]: https://github.com/tokio-rs/tokio/pull/6793 [#&#8203;6808]: https://github.com/tokio-rs/tokio/pull/6808 [#&#8203;6810]: https://github.com/tokio-rs/tokio/pull/6810 [#&#8203;6814]: https://github.com/tokio-rs/tokio/pull/6814 [#&#8203;6821]: https://github.com/tokio-rs/tokio/pull/6821 [#&#8203;6822]: https://github.com/tokio-rs/tokio/pull/6822 [#&#8203;6826]: https://github.com/tokio-rs/tokio/pull/6826 [#&#8203;6828]: https://github.com/tokio-rs/tokio/pull/6828 [#&#8203;6833]: https://github.com/tokio-rs/tokio/pull/6833 [#&#8203;6836]: https://github.com/tokio-rs/tokio/pull/6836 [#&#8203;6838]: https://github.com/tokio-rs/tokio/pull/6838 [#&#8203;6840]: https://github.com/tokio-rs/tokio/pull/6840 [#&#8203;6841]: https://github.com/tokio-rs/tokio/pull/6841 [#&#8203;6846]: https://github.com/tokio-rs/tokio/pull/6846 [#&#8203;6854]: https://github.com/tokio-rs/tokio/pull/6854 [#&#8203;6867]: https://github.com/tokio-rs/tokio/pull/6867 [#&#8203;6868]: https://github.com/tokio-rs/tokio/pull/6868 [#&#8203;6870]: https://github.com/tokio-rs/tokio/pull/6870 [#&#8203;6881]: https://github.com/tokio-rs/tokio/pull/6881 [#&#8203;6890]: https://github.com/tokio-rs/tokio/pull/6890 [#&#8203;6891]: https://github.com/tokio-rs/tokio/pull/6891 [#&#8203;6897]: https://github.com/tokio-rs/tokio/pull/6897 [#&#8203;6918]: https://github.com/tokio-rs/tokio/pull/6918 [#&#8203;6924]: https://github.com/tokio-rs/tokio/pull/6924 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS44Mi4zIiwidXBkYXRlZEluVmVyIjoiNDEuMTEzLjIiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbIidzZWN1cml0eSciXX0=-->

Renovate added 1 commit 2025-08-21 15:07:03 +00:00

fix(deps): update rust crate tokio to v1.43.1 [security] 3104603f89

Renovate changed title from fix(deps): update rust crate tokio to v1.43.1 [security] to chore(deps): update rust crate tokio to v1.43.1 [security] 2025-09-13 20:08:00 +00:00

Some checks failed

Hide all checks

Cargo Build & Test / Test publish (pull_request) Failing after 2s

Required

Details

Cargo Build & Test / check-cargo-version (pull_request) Failing after 14s

Required

Details

Cargo Build & Test / Tests (pull_request) Successful in 1m49s

Required

Details

Some required checks were not successful.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin renovate/crate-tokio-vulnerability:renovate/crate-tokio-vulnerability

git switch renovate/crate-tokio-vulnerability

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: jank/loadstar#29

No description provided.