[deps]: Update Rust crate tokio to v1.43.1 [SECURITY] #1227

Merged
merged 1 commit into from
Jun 27, 2025

renovate[bot]
Contributor

@renovate renovate bot commented Apr 7, 2025

This PR contains the following updates:

Package         Type                    Update  Change
tokio (source)  dependencies            minor   1.40.0 -> 1.43.1
tokio (source)  workspace.dependencies  minor   1.40.0 -> 1.43.1

GitHub Vulnerability Alerts

GHSA-rr8g-9fpq-6wmg

The broadcast channel internally calls clone on the stored value when receiving it, and only requires T: Send. This means that using the broadcast channel with values that are Send but not Sync can trigger unsoundness if the clone implementation makes use of the value being !Sync.

Thank you to Austin Bonander for finding and reporting this issue.


Release Notes

tokio-rs/tokio (tokio)

v1.43.1

Compare Source

v1.43.0: Tokio v1.43.0

Compare Source

1.43.0 (Jan 8th, 2025)

Added
  • net: add UdpSocket::peek methods (#​7068)
  • net: add support for Haiku OS (#​7042)
  • process: add Command::into_std() (#​7014)
  • signal: add SignalKind::info on illumos (#​6995)
  • signal: add support for realtime signals on illumos (#​7029)
Fixed
  • io: don't call set_len before initializing vector in Blocking (#​7054)
  • macros: suppress clippy::needless_return in #[tokio::main] (#​6874)
  • runtime: fix thread parking on WebAssembly (#​7041)
Changes
  • chore: use unsync loads for unsync_load (#​7073)
  • io: use Buf::put_bytes in Repeat read impl (#​7055)
  • task: drop the join waker of a task eagerly (#​6986)
Changes to unstable APIs
  • metrics: improve flexibility of H2Histogram Configuration (#​6963)
  • taskdump: add accessor methods for backtrace (#​6975)
Documented
  • io: clarify ReadBuf::uninit allows initialized buffers as well (#​7053)
  • net: fix ambiguity in TcpStream::try_write_vectored docs (#​7067)
  • runtime: fix LocalRuntime doc links (#​7074)
  • sync: extend documentation for watch::Receiver::wait_for (#​7038)
  • sync: fix typos in OnceCell docs (#​7047)

v1.42.1: Tokio v1.42.1

Compare Source

This release fixes a soundness issue in the broadcast channel. The channel accepts values that are Send but !Sync. Previously, the channel called clone() on these values without synchronizing. This release fixes the channel by synchronizing calls to .clone() (Thanks Austin Bonander for finding and reporting the issue).

Fixed
  • sync: synchronize clone() call in broadcast channel (#​7232)

v1.42.0: Tokio v1.42.0

Compare Source

1.42.0 (Dec 3rd, 2024)

Added
  • io: add AsyncFd::{try_io, try_io_mut} (#​6967)
Fixed
  • io: avoid ptr->ref->ptr roundtrip in RegistrationSet (#​6929)
  • runtime: do not defer yield_now inside block_in_place (#​6999)
Changes
  • io: simplify io readiness logic (#​6966)
Documented
  • net: fix docs for tokio::net::unix::{pid_t, gid_t, uid_t} (#​6791)
  • time: fix a typo in Instant docs (#​6982)

v1.41.1: Tokio v1.41.1

Compare Source

1.41.1 (Nov 7th, 2024)

Fixed
  • metrics: fix bug with wrong number of buckets for the histogram (#​6957)
  • net: display net requirement for net::UdpSocket in docs (#​6938)
  • net: fix typo in TcpStream internal comment (#​6944)

v1.41.0: Tokio v1.41.0

Compare Source

1.41.0 (Oct 22th, 2024)

Added
Added (unstable)
  • metrics: add H2 Histogram option to improve histogram granularity (#​6897)
  • metrics: rename some histogram apis (#​6924)
  • runtime: add LocalRuntime (#​6808)
Changed
  • runtime: box futures larger than 16k on release mode (#​6826)
  • sync: add #[must_use] to Notified (#​6828)
  • sync: make watch cooperative (#​6846)
  • sync: make broadcast::Receiver cooperative (#​6870)
  • task: add task size to tracing instrumentation (#​6881)
  • wasm: enable cfg_fs for wasi target (#​6822)
Fixed
  • net: fix regression of abstract socket path in unix socket (#​6838)
Documented
  • io: recommend OwnedFd with AsyncFd (#​6821)
  • io: document cancel safety of AsyncFd methods (#​6890)
  • macros: render more comprehensible documentation for join and try_join (#​6814, #​6841)
  • net: fix swapped examples for TcpSocket::set_nodelay and TcpSocket::nodelay (#​6840)
  • sync: document runtime compatibility (#​6833)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
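
The soundness issue described in GHSA-rr8g-9fpq-6wmg above, modelled with the standard library only. This is an added example, not Tokio's code and not part of this PR; `CloneCounter`, `Slot` and `clones_observed` are hypothetical names. A value that is `Send` but `!Sync` mutates itself inside `clone()`, and the shared slot serializes those calls behind a `Mutex`, which is one way to synchronize `clone()` as the v1.42.1 release note describes.

```rust
use std::cell::Cell;
use std::sync::{Arc, Mutex};
use std::thread;

/// Constructed example type: `Send` but `!Sync`, because `Cell` permits
/// unsynchronized mutation through `&self`.
pub struct CloneCounter(Cell<u64>);

impl Clone for CloneCounter {
    fn clone(&self) -> Self {
        // Non-atomic read-modify-write via a shared reference: two threads
        // running this at once on the same value would be a data race.
        self.0.set(self.0.get() + 1);
        CloneCounter(Cell::new(0))
    }
}

/// Hypothetical stand-in for one slot shared by every receiver.
/// `Mutex<T>` is `Sync` for any `T: Send`, so no `unsafe impl Sync` is
/// needed and each `clone()` has exclusive access to the stored value.
pub struct Slot<T>(Mutex<T>);

impl<T: Clone + Send> Slot<T> {
    /// What a receiver does: clone the stored value, under the lock.
    pub fn recv(&self) -> T {
        self.0.lock().unwrap().clone()
    }
}

/// Spawns `receivers` threads that each clone the shared value `rounds`
/// times; returns the number of clones the stored value recorded.
pub fn clones_observed(receivers: u64, rounds: u64) -> u64 {
    let slot = Arc::new(Slot(Mutex::new(CloneCounter(Cell::new(0)))));
    let workers: Vec<_> = (0..receivers)
        .map(|_| {
            let slot = Arc::clone(&slot);
            thread::spawn(move || (0..rounds).for_each(|_| drop(slot.recv())))
        })
        .collect();
    workers.into_iter().for_each(|w| w.join().unwrap());
    // Bind first so the lock guard is released before `slot` is dropped.
    let seen = slot.0.lock().unwrap().0.get();
    seen
}

fn main() {
    // Every clone is counted: 8 receivers x 10_000 rounds.
    println!("clones recorded: {}", clones_observed(8, 10_000));
}
```

If `Slot` handed out `&T` to several threads instead, it would need `T: Sync`; accepting only `T: Send` there is the gap the advisory describes.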

@renovate renovate bot added the security label Apr 7, 2025

codecov bot commented Apr 7, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Please upload report for BASE (main@8a2acc7). Learn more about missing BASE report.
Report is 1 commits behind head on main.

Additional details and impacted files
@@          Coverage Diff           @@
##             main   #1227   +/-   ##
======================================
  Coverage        ?   9.64%           
======================================
  Files           ?      19           
  Lines           ?    1161           
  Branches        ?       0           
======================================
  Hits            ?     112           
  Misses          ?    1049           
  Partials        ?       0           


sonarqubecloud bot commented Apr 9, 2025

Contributor

github-actions bot commented Apr 9, 2025

Checkmarx One – Scan Summary & Details: 683825a4-547c-46dd-abbd-b3d88e93f0be

Great job, no security vulnerabilities found in this Pull Request

@renovate renovate bot force-pushed the renovate/crate-tokio-vulnerability branch from 31a1e55 to f9c3470 Compare June 25, 2025 19:08
@renovate renovate bot requested a review from a team as a code owner June 25, 2025 19:08
@tangowithfoxtrot tangowithfoxtrot enabled auto-merge (squash) June 27, 2025 17:41
@tangowithfoxtrot tangowithfoxtrot merged commit 62234b7 into main Jun 27, 2025
86 of 90 checks passed
@tangowithfoxtrot tangowithfoxtrot deleted the renovate/crate-tokio-vulnerability branch June 27, 2025 17:41