Deps.rs

equalitie / ouisync

[![dependency status](https://deps.rs/repo/github/equalitie/ouisync/status.svg)](https://deps.rs/repo/github/equalitie/ouisync)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate ouisync-api-parser

No external dependencies! 🙌

Crate ouisync-cli

Dependencies

(7 total, 2 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 bytes ⚠️^1.4.01.11.1maybe insecure
 dirs^5.0.16.0.0out of date
 hyper^1.4.11.8.1up to date
 interprocess^2.2.32.3.0up to date
 maxminddb ⚠️^0.24.00.27.1out of date
 walkdir^2.5.02.5.0up to date
 async-channel^2.3.12.5.0up to date

Dev dependencies

(2 total, all up-to-date)

CrateRequiredLatestStatus
 backoff^0.4.00.4.0up to date
 hex^0.4.30.4.3up to date

Crate deadlock

No external dependencies! 🙌

Crate fs_util

Dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 walkdir^2.5.02.5.0up to date

Crate ouisync

Dependencies

(23 total, 3 outdated)

CrateRequiredLatestStatus
 argon2^0.5.30.5.3up to date
 async-recursion^1.1.11.1.1up to date
 backoff^0.4.00.4.0up to date
 base64^0.22.10.22.1up to date
 bincode^1.33.0.0out of date
 blake3^1.8.21.8.3up to date
 chacha20^0.9.10.9.1up to date
 ed25519-dalek^2.02.2.0up to date
 either^1.15.01.15.0up to date
 generic-array^0.14.71.3.5out of date
 if-watch^3.2.03.2.1up to date
 include_dir^0.7.30.7.4up to date
 noise-protocol^0.2.00.2.0up to date
 noise-rust-crypto^0.6.10.6.2up to date
 parse-size^1.0.01.1.0up to date
 ref-cast^1.0.141.0.25up to date
 rupnp^2.0.03.0.0out of date
 ssdp-client^2.0.02.1.0up to date
 subtle^2.5.02.6.1up to date
 xxhash-rust^0.8.120.8.15up to date
 urlencoding^2.1.02.1.3up to date
 vint64^1.0.11.0.1up to date
 zeroize^1.6.01.8.2up to date

Dev dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 hdrhistogram^7.5.47.5.4up to date

Crate logtee

Dependencies

(4 total, all up-to-date)

CrateRequiredLatestStatus
 file-rotate^0.8.00.8.0up to date
 strip-ansi-escapes^0.2.10.2.1up to date
 filedescriptor^0.8.30.8.3up to date
 libc^0.2.1780.2.180up to date

Dev dependencies

(2 total, all up-to-date)

CrateRequiredLatestStatus
 paranoid-android^0.2.20.2.2up to date
 regex^1.11.11.12.3up to date

Crate ouisync-macros

No external dependencies! 🙌

Crate metrics_ext

No external dependencies! 🙌

Crate ouisync-net

Dependencies

(7 total, 3 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 bytecodec^0.4.150.5.0out of date
 bytes ⚠️^1.1.01.11.1maybe insecure
 quinn^0.11.90.11.9up to date
 socket2^0.6.10.6.2up to date
 stun_codec^0.3.40.4.0out of date
 thiserror^1.0.312.0.18out of date
 yamux^0.13.30.13.8up to date

Dev dependencies

(1 total, 1 outdated)

CrateRequiredLatestStatus
 itertools^0.13.00.14.0out of date

Crate ouisync-rand

Dependencies

(2 total, 1 outdated)

CrateRequiredLatestStatus
 rand^0.8.50.9.2out of date
 siphasher^1.0.11.0.2up to date

Crate scoped_task

No external dependencies! 🙌

Crate ouisync-service

Dependencies

(6 total, 2 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 hyper^1.4.11.8.1up to date
 hyper-util^0.1.140.1.20up to date
 interprocess^2.2.22.3.0up to date
 maxminddb ⚠️^0.24.00.27.1out of date
 tokio-tungstenite^0.24.00.28.0out of date
 paranoid-android^0.2.20.2.2up to date

Crate state_monitor

No external dependencies! 🙌

Crate ouisync-tracing-fmt

Dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 ansi_term^0.12.10.12.1up to date

Crate benchtool

Dependencies

(2 total, 1 outdated)

CrateRequiredLatestStatus
 comfy-table^7.1.17.2.2up to date
 indicatif^0.17.80.18.3out of date

Crate ouisync-bindgen

No external dependencies! 🙌

Crate ouisync-utilities

Dependencies

(4 total, all up-to-date)

CrateRequiredLatestStatus
 futures-util^0.3.210.3.31up to date
 env_logger^0.11.50.11.8up to date
 log^0.4.170.4.29up to date
 structopt^0.3.260.3.26up to date

Crate ouisync-protocol-analyzer

Dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 chrono^0.4.310.4.43up to date

Crate ouisync-repogen

No external dependencies! 🙌

Crate ouisync-repo-tool

No external dependencies! 🙌

Crate ouisync-stress-test

No external dependencies! 🙌

Crate stun-server-list

No external dependencies! 🙌

Crate ouisync-swarm

Dependencies

(3 total, all up-to-date)

CrateRequiredLatestStatus
 ctrlc^3.4.53.5.1up to date
 os_pipe^1.1.41.2.3up to date
 libc^0.2.1260.2.180up to date

Crate ouisync-vfs

Dependencies

(6 total, 1 outdated)

CrateRequiredLatestStatus
 camino^1.0.91.2.2up to date
 slab^0.4.60.4.12up to date
 fuser^0.15.00.16.0out of date
 bitflags^2.6.02.10.0up to date
 xpc-connection^0.2.30.2.3up to date
 widestring^1.0.21.2.1up to date

Security Vulnerabilities

maxminddb: `Reader::open_mmap` unsoundly marks unsafe memmap operation as safe

RUSTSEC-2025-0132

maxminddb prior to version 0.27 declared Reader::open_mmap as safe despite wrapping an inherently unsafe memmap2 operation with no extra step done to guarantee safety. This could have led to undefined behaviour if the file were to be modified on disk while the memory map was still active.

bytes: Integer overflow in `BytesMut::reserve`

RUSTSEC-2026-0007

In the unique reclaim path of BytesMut::reserve, the condition

if v_capacity >= new_cap + offset

uses an unchecked addition. When new_cap + offset overflows usize in release builds, this condition may incorrectly pass, causing self.cap to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as spare_capacity_mut() then trust this corrupted cap value and may create out-of-bounds slices, leading to UB.

This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks.

PoC

use bytes::*;

fn main() {
    let mut a = BytesMut::from(&b"hello world"[..]);
    let mut b = a.split_off(5);

    // Ensure b becomes the unique owner of the backing storage
    drop(a);

    // Trigger overflow in new_cap + offset inside reserve
    b.reserve(usize::MAX - 6);

    // This call relies on the corrupted cap and may cause UB & HBO
    b.put_u8(b'h');
}

Workarounds

Users of BytesMut::reserve are only affected if integer overflow checks are configured to wrap. When integer overflow is configured to panic, this issue does not apply.