This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate azul-examples

Dependencies

(3 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| serde | ^1 | 1.0.228 | up to date |
| serde_derive | ^1 | 1.0.228 | up to date |
| serde_json | ^1 | 1.0.150 | up to date |

Crate azul-paint

Dependencies

(1 total, 1 outdated)

| Crate | Required | Latest | Status |
|---|---|---|---|
| ctor | ^0.2 | 1.0.7 | out of date |

Crate azul-widgets

Dependencies

(1 total, 1 outdated)

| Crate | Required | Latest | Status |
|---|---|---|---|
| ctor | ^0.2 | 1.0.7 | out of date |

Crate azul-maps

Dependencies

(1 total, 1 outdated)

| Crate | Required | Latest | Status |
|---|---|---|---|
| ctor | ^0.2 | 1.0.7 | out of date |

Crate azul-vault

No external dependencies! 🙌

Crate azul-writer

No external dependencies! 🙌

Crate azul-gamepad

No external dependencies! 🙌

Crate azul-camera-app

No external dependencies! 🙌

Crate azul-screenshare-app

No external dependencies! 🙌

Crate azul-video-app

No external dependencies! 🙌

Crate azul-meet

No external dependencies! 🙌

Crate azul-self-test

Dependencies

(2 total, 1 outdated)

| Crate | Required | Latest | Status |
|---|---|---|---|
| log | ^0.4 | 0.4.33 | up to date |
| ctor | ^0.2 | 1.0.7 | out of date |

Crate azul-dll

Dependencies

(75 total, 11 outdated, 1 possibly insecure)

| Crate | Required | Latest | Status |
|---|---|---|---|
| log | ^0.4.17 | 0.4.33 | up to date |
| fern | ^0.7.1 | 0.7.1 | up to date |
| backtrace | ^0.3.66 | 0.3.76 | up to date |
| pyo3 ⚠️ | ^0.27.1 | 0.29.0 | out of date |
| pyo3-log | ^0.13.2 | 0.13.4 | up to date |
| ext-php-rs | ^0.15 | 0.15.15 | up to date |
| rust-fontconfig | ^4.4.1 | 4.4.4 | up to date |
| gl-context-loader | ^0.1.8 | 0.1.10 | up to date |
| once_cell | ^1.17.1 | 1.21.4 | up to date |
| bitflags | ^2.8.0 | 2.13.0 | up to date |
| serde | ^1.0 | 1.0.228 | up to date |
| serde_json | ^1.0 | 1.0.150 | up to date |
| postcard | ^1.0 | 1.1.3 | up to date |
| base64 | ^0.22 | 0.22.1 | up to date |
| accesskit | ^0.24 | 0.24.1 | up to date |
| png | ^0.18 | 0.18.1 | up to date |
| mp4 | ^0.14 | 0.14.0 | up to date |
| libm | ^0.2.2 | 0.2.16 | up to date |
| strum | ^0.28 | 0.28.0 | up to date |
| spmc | ^0.3 | 0.3.0 | up to date |
| cfg-if | ^1.0 | 1.0.4 | up to date |
| brotli-decompressor | ^5 | 5.0.3 | up to date |
| goblin | ^0.10 | 0.10.7 | up to date |
| pdb | ^0.8 | 0.8.0 | up to date |
| iced-x86 | ^1.21 | 1.21.0 | up to date |
| mimalloc | ^0.1 | 0.1.52 | up to date |
| tikv-jemallocator | ^0.6 | 0.7.0 | out of date |
| mvt-reader | ^2.1.0 | 2.4.0 | up to date |
| geo-types | ^0.7 | 0.7.19 | up to date |
| proj4rs | ^0.1 | 0.1.10 | up to date |
| geojson | ^0.24 | 1.0.0 | out of date |
| turso | ^0.1 | 0.6.1 | out of date |
| aegis | ^0.9 | 0.9.12 | up to date |
| printpdf | ^0.9.1 | 0.9.1 | up to date |
| tfd | ^0.1.0 | 0.1.0 | up to date |
| gilrs | ^0.11 | 0.11.2 | up to date |
| libc | ^0.2 | 0.2.186 | up to date |
| x11-clipboard | ^0.9.3 | 0.9.3 | up to date |
| accesskit_unix | ^0.21 | 0.22.0 | out of date |
| zbus | ^5 | 5.16.0 | up to date |
| libloading | ^0.8.6 | 0.9.0 | out of date |
| gpu-video | ^0.4.0 | 0.4.0 | up to date |
| objc | ^0.2 | 0.2.7 | up to date |
| objc-foundation | ^0.1 | 0.1.1 | up to date |
| objc_id | ^0.1 | 0.1.1 | up to date |
| objc2 | ^0.6.0 | 0.6.4 | up to date |
| block2 | ^0.6.0 | 0.6.2 | up to date |
| objc2-foundation | ^0.3.0 | 0.3.2 | up to date |
| objc2-local-authentication | ^0.3.2 | 0.3.2 | up to date |
| security-framework | ^3 | 3.7.0 | up to date |
| objc2-core-motion | ^0.3.2 | 0.3.2 | up to date |
| objc2-av-foundation | ^0.3.0 | 0.3.2 | up to date |
| objc2-core-media | ^0.3.0 | 0.3.2 | up to date |
| objc2-core-video | ^0.3.0 | 0.3.2 | up to date |
| dispatch2 | ^0.3.0 | 0.3.1 | up to date |
| objc2-avf-audio | ^0.3.0 | 0.3.2 | up to date |
| android-activity | ^0.6 | 0.6.1 | up to date |
| ndk | ^0.9 | 0.9.0 | up to date |
| ndk-sys | ^0.6 | 0.6.0+11769913 | up to date |
| android_logger | ^0.14 | 0.15.1 | out of date |
| jni | ^0.21 | 0.22.4 | out of date |
| cpal | ^0.15 | 0.18.1 | out of date |
| winapi | ^0.3.9 | 0.3.9 | up to date |
| windows | ^0.62 | 0.62.2 | up to date |
| windows-core | ^0.62 | 0.62.2 | up to date |
| windows-future | ^0.3 | 0.3.2 | up to date |
| pollster | ^0.4 | 0.4.0 | up to date |
| clipboard-win | ^5.4 | 5.4.1 | up to date |
| nokhwa | ^0.10 | 0.10.11 | up to date |
| accesskit_windows | ^0.32 | 0.33.1 | out of date |
| cgl | ^0.3.2 | 0.3.2 | up to date |
| accesskit_macos | ^0.26 | 0.26.2 | up to date |
| objc2-core-foundation | ^0.3.0 | 0.3.2 | up to date |
| objc2-app-kit | ^0.3.0 | 0.3.2 | up to date |
| getrandom | ^0.2 | 0.4.3 | out of date |

Build dependencies

(2 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| brotli | ^8 | 8.0.4 | up to date |
| cc | ^1.0 | 1.2.65 | up to date |

Crate azul-doc

Dependencies

(38 total, 9 outdated, 1 possibly insecure)

| Crate | Required | Latest | Status |
|---|---|---|---|
| serde | ^1 | 1.0.228 | up to date |
| serde_derive | ^1 | 1.0.228 | up to date |
| serde_json | ^1 | 1.0.150 | up to date |
| anyhow | ^1.0 | 1.0.103 | up to date |
| brotli | ^8 | 8.0.4 | up to date |
| material-icons | ^0.3 | 0.3.0 | up to date |
| indexmap | ^2.12 | 2.14.0 | up to date |
| cargo-license | ^0.7.0 | 0.7.0 | up to date |
| cargo_metadata | ^0.21 | 0.23.1 | out of date |
| zip | ^6.0.0 | 8.6.0 | out of date |
| open | ^5.3.2 | 5.3.6 | up to date |
| tempfile | ^3.19.1 | 3.27.0 | up to date |
| comrak | ^0.48.0 | 0.53.0 | out of date |
| chrono | ^0.4.40 | 0.4.45 | up to date |
| image | ^0.25 | 0.25.10 | up to date |
| base64 | ^0.22.1 | 0.22.1 | up to date |
| serde_yaml | ^0.9 | 0.9.34+deprecated | up to date |
| syn | ^2.0.101 | 2.0.118 | up to date |
| quote | ^1.0.40 | 1.0.46 | up to date |
| ignore | ^0.4.23 | 0.4.27 | up to date |
| cargo_toml | ^0.22.1 | 1.0.0 | out of date |
| proc-macro2 | ^1.0.81 | 1.0.106 | up to date |
| toml | ^0.9.8 | 1.1.2+spec-1.1.0 | out of date |
| rayon | ^1.10 | 1.12.0 | up to date |
| walkdir | ^2 | 2.5.0 | up to date |
| thiserror | ^2.0 | 2.0.18 | up to date |
| once_cell | ^1.20 | 1.21.4 | up to date |
| colored | ^2.1 | 3.1.1 | out of date |
| tiktoken-rs | ^0.6 | 0.12.0 | out of date |
| ureq | ^3.3 | 3.3.0 | up to date |
| rustls ⚠️ | ^0.23 | 0.23.41 | maybe insecure |
| rustls-rustcrypto | ^0.0.2-alpha | N/A | up to date |
| webpki-roots | ^1.0 | 1.0.8 | up to date |
| libc | ^0.2 | 0.2.186 | up to date |
| nanospinner | ^0.3 | 0.3.2 | up to date |
| rust-fontconfig | ^4.4.1 | 4.4.4 | up to date |
| tungstenite | ^0.24 | 0.29.0 | out of date |
| sha2 | ^0.10 | 0.11.0 | out of date |

Crate azul-layout

Dependencies

(50 total, 6 outdated, 2 possibly insecure)

| Crate | Required | Latest | Status |
|---|---|---|---|
| image | ^0.25 | 0.25.10 | up to date |
| zune-jpeg | ^0.5 | 0.5.15 | up to date |
| rust-fontconfig | ^4.4.3 | 4.4.4 | up to date |
| libc | ^0.2 | 0.2.186 | up to date |
| serde | ^1.0 | 1.0.228 | up to date |
| brotli-decompressor | ^5 | 5.0.3 | up to date |
| accesskit | ^0.24 | 0.24.1 | up to date |
| tinyvec | ^1.9.0 | 1.11.0 | up to date |
| smallvec | ^1.13 | 1.15.2 | up to date |
| lyon | ^1.0.1 | 1.0.19 | up to date |
| agg-rust-azul | ^1.0.2 | 1.0.2 | up to date |
| png | ^0.18 | 0.18.1 | up to date |
| roxmltree | ^0.21.1 | 0.21.1 | up to date |
| xmlwriter | ^0.1.0 | 0.1.0 | up to date |
| xmlparser | ^0.13.6 | 0.13.6 | up to date |
| gl-context-loader | ^0.1.8 | 0.1.10 | up to date |
| unicode-bidi | ^0.3.18 | 0.3.18 | up to date |
| thiserror | ^2.0.17 | 2.0.18 | up to date |
| hyphenation | ^0.8.4 | 0.8.4 | up to date |
| unicode-segmentation | ^1.12.0 | 1.13.3 | up to date |
| unicode-normalization | ^0.1.24 | 0.1.25 | up to date |
| allsorts-azul | ^0.16.5 | 0.16.5 | up to date |
| lru | ^0.16.1 | 0.18.0 | out of date |
| taffy | ^0.10 | 0.12.1 | out of date |
| base64 | ^0.22.1 | 0.22.1 | up to date |
| strfmt | ^0.2 | 0.2.5 | up to date |
| icu | ^2.1 | 2.2.0 | up to date |
| icu_provider_blob | ^2.1 | 2.2.0 | up to date |
| writeable | ^0.6 | 0.6.3 | up to date |
| chrono ⚠️ | ^0.4 | 0.4.45 | maybe insecure |
| fluent | ^0.17 | 0.17.0 | up to date |
| fluent-syntax | ^0.12 | 0.12.0 | up to date |
| unic-langid | ^0.9 | 0.9.6 | up to date |
| intl-memoizer | ^0.5 | 0.5.3 | up to date |
| zip | ^2.1 | 8.6.0 | out of date |
| material-icons | ^0.3 | 0.3.0 | up to date |
| ureq | ^3.3 | 3.3.0 | up to date |
| rustls ⚠️ | ^0.23 | 0.23.41 | maybe insecure |
| rustls-rustcrypto | ^0.0.2-alpha | N/A | up to date |
| webpki-roots | ^1.0 | 1.0.8 | up to date |
| serde_json | ^1.0 | 1.0.150 | up to date |
| dirs | ^6.0 | 6.0.0 | up to date |
| tfd | ^0.1 | 0.1.0 | up to date |
| objc2 | ^0.6.0 | 0.6.4 | up to date |
| objc2-foundation | ^0.3.0 | 0.3.2 | up to date |
| core-foundation | ^0.10 | 0.10.1 | up to date |
| core-graphics | ^0.23 | 0.25.0 | out of date |
| core-text | ^20.1 | 22.0.0 | out of date |
| libmimalloc-sys | ^0.1 | 0.1.49 | up to date |
| tikv-jemalloc-sys | ^0.6 | 0.7.1+5.3.1-0-g81034ce1f1373e37dc865038e1bc8eeecf559ce8 | out of date |

Crate azul-core

Dependencies

(6 total, all up-to-date)

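| Crate | Required | Latest | Status |
|---|---|---|---|
| libm | ^0.2.2 | 0.2.16 | up to date |
| gl-context-loader | ^0.1.9 | 0.1.10 | up to date |
| rust-fontconfig | ^4.4.3 | 4.4.4 | up to date |
| serde | ^1.0 | 1.0.228 | up to date |
| serde_json | ^1.0 | 1.0.150 | up to date |
| url | ^2.5 | 2.5.8 | up to date |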

Crate azul-css

Dependencies

(2 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| libm | ^0.2.2 | 0.2.16 | up to date |
| azul-simplecss | ^0.2.0 | 0.2.0 | up to date |

Crate webrender

Dependencies

(18 total, 3 outdated, 1 possibly insecure)

| Crate | Required | Latest | Status |
|---|---|---|---|
| bincode | ^2.0 | 3.0.0 | out of date |
| bitflags | ^2 | 2.13.0 | up to date |
| byteorder | ^1.0 | 1.5.0 | up to date |
| euclid | ^0.22.10 | 0.22.14 | up to date |
| fxhash | ^0.2.1 | 0.2.1 | up to date |
| lazy_static | ^1 | 1.5.0 | up to date |
| log | ^0.4 | 0.4.33 | up to date |
| num-traits | ^0.2 | 0.2.19 | up to date |
| plane-split | ^0.18 | 0.18.0 | up to date |
| rayon | ^1 | 1.12.0 | up to date |
| smallvec | ^1.15.1 | 1.15.2 | up to date |
| time ⚠️ | ^0.3 | 0.3.53 | maybe insecure |
| svg_fmt | ^0.4 | 0.4.5 | up to date |
| brotli-decompressor | ^5 | 5.0.3 | up to date |
| derive_more | ^2.0 | 2.1.1 | up to date |
| etagere | ^0.2.13 | 0.3.0 | out of date |
| topological-sort | ^0.2 | 0.2.2 | up to date |
| allocator-api2 | ^0.3.1 | 0.4.0 | out of date |

Dev dependencies

(2 total, 1 outdated)

| Crate | Required | Latest | Status |
|---|---|---|---|
| mozangle | ^0.5.3 | 0.5.5 | up to date |
| rand | ^0.9 | 0.10.2 | out of date |

Build dependencies

(1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| brotli | ^8 | 8.0.4 | up to date |

Crate webrender_api

Dependencies

(9 total, 1 possibly insecure)

| Crate | Required | Latest | Status |
|---|---|---|---|
| app_units | ^0.7.3 | 0.7.8 | up to date |
| bitflags | ^2 | 2.13.0 | up to date |
| byteorder | ^1.2.1 | 1.5.0 | up to date |
| euclid | ^0.22.6 | 0.22.14 | up to date |
| serde | ^1.0 | 1.0.228 | up to date |
| serde_derive | ^1.0 | 1.0.228 | up to date |
| serde_bytes | ^0.11 | 0.11.19 | up to date |
| time ⚠️ | ^0.3 | 0.3.53 | maybe insecure |
| crossbeam-channel | ^0.5 | 0.5.15 | up to date |

Crate webrender_build

Dependencies

(3 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| bitflags | ^2 | 2.13.0 | up to date |
| lazy_static | ^1 | 1.5.0 | up to date |
| serde | ^1.0 | 1.0.228 | up to date |

Crate wr_azul_glyph_rasterizer

Dependencies

(8 total, all up-to-date)

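| Crate | Required | Latest | Status |
|---|---|---|---|
| euclid | ^0.22.10 | 0.22.14 | up to date |
| rayon | ^1 | 1.12.0 | up to date |
| smallvec | ^1.15.1 | 1.15.2 | up to date |
| tracy-rs | ^0.1.2 | 0.1.2 | up to date |
| log | ^0.4 | 0.4.33 | up to date |
| lazy_static | ^1 | 1.5.0 | up to date |
| fxhash | ^0.2.1 | 0.2.1 | up to date |
| agg-rust-azul | ^1.0.2 | 1.0.2 | up to date |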

Dev dependencies

(1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| env_logger | ^0.11 | 0.11.11 | up to date |

Security Vulnerabilities

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

rustls: rustls network-reachable panic in `Acceptor::accept`

RUSTSEC-2024-0399

A bug introduced in rustls 0.23.13 leads to a panic if the received TLS ClientHello is fragmented. Only servers that use `rustls::server::Acceptor::accept()` are affected.

Servers that use tokio-rustls's `LazyConfigAcceptor` API are affected.

Servers that use tokio-rustls's `TlsAcceptor` API are not affected.

Servers that use rustls-ffi's `rustls_acceptor_accept` API are affected.

time: Denial of Service via Stack Exhaustion

RUSTSEC-2026-0009

Impact

When user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario.

Patches

A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.

Workarounds

Limiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of the stack consumed would be at most a factor of the length of the input.

pyo3: Out-of-bounds read in `nth` / `nth_back` for `PyList` and `PyTuple` iterators

RUSTSEC-2026-0176

PyO3 0.24.0 added optimized implementations of `Iterator::nth` and `DoubleEndedIterator::nth_back` for the `BoundListIterator` and `BoundTupleIterator` types. These implementations computed the target index using unchecked `usize` addition (`index + n`) before bounds-checking against the sequence length, then read the element via `get_item_unchecked`.

In the `nth` methods, a sufficiently large `n` (combined with a non-zero internal index) could cause the addition to overflow and wrap around, producing a small "target index" that passed the bounds check and enabling reads at the front of the list or tuple of elements previously yielded by the iterator.

In the `nth_back` methods, a sufficiently large `n` could cause underflow in a similar fashion; this would instead allow reads of arbitrary memory past the end of the list or tuple storage.

PyO3 0.29.0 has corrected these methods to use checked arithmetic at the positions which could be at risk of overflow.

pyo3: Missing `Sync` bound on `PyCFunction::new_closure` closures

RUSTSEC-2026-0177

`PyCFunction::new_closure` (and the temporary `new_closure_bound` complement in the 0.21–0.22 series) required the supplied closure to be `Send + 'static` but not `Sync`. The resulting `PyCFunction` is a Python callable that can be invoked from any Python thread, which means the closure may be called concurrently from multiple threads, and needs a `Sync` bound to prevent possible data races.

The problem exists under all Python versions but is particularly vulnerable under the newer free-threaded Python variant, which does not have serial execution imposed by the Global Interpreter Lock. Under releases protected by the GIL, the ability to "detach" from the Python interpreter temporarily inside the closure (e.g. by `Python::detach`) makes it possible for interleaved and/or concurrent execution of various portions of the closure.

PyO3 0.29.0 added a `Sync` bound to close this thread-safety bug.