Skip to content

chore(deps): update rust crate tokio to v1.43.1 [security] - autoclosed#170

Closed
renovate[bot] wants to merge 1 commit intomainfrom
renovate/crate-tokio-vulnerability
Closed

chore(deps): update rust crate tokio to v1.43.1 [security] - autoclosed#170
renovate[bot] wants to merge 1 commit intomainfrom
renovate/crate-tokio-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Apr 7, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
tokio (source) dependencies minor 1.42.01.43.1

GitHub Vulnerability Alerts

GHSA-rr8g-9fpq-6wmg

The broadcast channel internally calls clone on the stored value when receiving it, and only requires T:Send. This means that using the broadcast channel with values that are Send but not Sync can trigger unsoundness if the clone implementation makes use of the value being !Sync.

Thank you to Austin Bonander for finding and reporting this issue.

Release Notes

tokio-rs/tokio (tokio)

v1.43.1

Compare Source

v1.43.0: Tokio v1.43.0

Compare Source

1.43.0 (Jan 8th, 2025)

Added
  • net: add UdpSocket::peek methods (#​7068)
  • net: add support for Haiku OS (#​7042)
  • process: add Command::into_std() (#​7014)
  • signal: add SignalKind::info on illumos (#​6995)
  • signal: add support for realtime signals on illumos (#​7029)
Fixed
  • io: don't call set_len before initializing vector in Blocking (#​7054)
  • macros: suppress clippy::needless_return in #[tokio::main] (#​6874)
  • runtime: fix thread parking on WebAssembly (#​7041)
Changes
  • chore: use unsync loads for unsync_load (#​7073)
  • io: use Buf::put_bytes in Repeat read impl (#​7055)
  • task: drop the join waker of a task eagerly (#​6986)
Changes to unstable APIs
  • metrics: improve flexibility of H2Histogram Configuration (#​6963)
  • taskdump: add accessor methods for backtrace (#​6975)
Documented
  • io: clarify ReadBuf::uninit allows initialized buffers as well (#​7053)
  • net: fix ambiguity in TcpStream::try_write_vectored docs (#​7067)
  • runtime: fix LocalRuntime doc links (#​7074)
  • sync: extend documentation for watch::Receiver::wait_for (#​7038)
  • sync: fix typos in OnceCell docs (#​7047)

v1.42.1: Tokio v1.42.1

Compare Source

This release fixes a soundness issue in the broadcast channel. The channel accepts values that are Send but !Sync. Previously, the channel called clone() on these values without synchronizing. This release fixes the channel by synchronizing calls to .clone() (Thanks Austin Bonander for finding and reporting the issue).

Fixed
  • sync: synchronize clone() call in broadcast channel (#​7232)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from bartvdbraak April 7, 2025 22:39
@renovate renovate bot force-pushed the renovate/crate-tokio-vulnerability branch from b75b8f9 to c2c282b Compare August 10, 2025 12:44
@renovate renovate bot changed the title fix(deps): update rust crate tokio to v1.43.1 [security] chore(deps): update rust crate tokio to v1.43.1 [security] Sep 25, 2025
@renovate renovate bot force-pushed the renovate/crate-tokio-vulnerability branch from c2c282b to 81cfec8 Compare December 10, 2025 11:11
@renovate renovate bot force-pushed the renovate/crate-tokio-vulnerability branch from 81cfec8 to 45e8730 Compare February 2, 2026 19:00
@renovate renovate bot force-pushed the renovate/crate-tokio-vulnerability branch from 45e8730 to 167fdec Compare February 12, 2026 15:43
@renovate renovate bot force-pushed the renovate/crate-tokio-vulnerability branch from 167fdec to 5758c6d Compare February 25, 2026 12:02
@renovate renovate bot force-pushed the renovate/crate-tokio-vulnerability branch from 5758c6d to c05fe08 Compare March 14, 2026 06:48
@renovate renovate bot changed the title chore(deps): update rust crate tokio to v1.43.1 [security] chore(deps): update rust crate tokio to v1.43.1 [security] - autoclosed Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
@renovate renovate bot deleted the renovate/crate-tokio-vulnerability branch March 27, 2026 05:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bartvdbraak bartvdbraak Awaiting requested review from bartvdbraak

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants