This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate risingwave_batch

Dependencies

(16 total, all up-to-date)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
assert_matches | ^1 | 1.5.0 | up to date
async-recursion | ^1 | 1.1.1 | up to date
async-trait | ^0.1 | 0.1.89 | up to date
either | ^1 | 1.15.0 | up to date
futures | ^0.3 | 0.3.32 | up to date
futures-util | ^0.3 | 0.3.32 | up to date
memcomparable | ^0.2 | 0.2.0 | up to date
panic-message | ^0.3 | 0.3.0 | up to date
prometheus | ^0.14 | 0.14.0 | up to date
scopeguard | ^1 | 1.2.0 | up to date
serde_json | ^1 | 1.0.149 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tokio-postgres | ^0.7 | 0.7.17 | up to date
tracing | ^0.1 | 0.1.44 | up to date
twox-hash | ^2 | 2.1.2 | up to date

Dev dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
tempfile | ^3 | 3.27.0 | up to date

Crate risingwave_batch_executors

Dependencies

(12 total, 1 possibly insecure)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
assert_matches | ^1 | 1.5.0 | up to date
async-trait | ^0.1 | 0.1.89 | up to date
bytes ⚠️ | ^1 | 1.11.1 | maybe insecure
either | ^1 | 1.15.0 | up to date
futures | ^0.3 | 0.3.32 | up to date
futures-util | ^0.3 | 0.3.32 | up to date
prometheus | ^0.14 | 0.14.0 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tokio-postgres | ^0.7 | 0.7.17 | up to date
tracing | ^0.1 | 0.1.44 | up to date
uuid | ^1 | 1.23.1 | up to date

Dev dependencies

(2 total, 1 outdated)

Crate | Required | Latest | Status
allocator-api2 | ^0.2 | 0.4.0 | out of date
tempfile | ^3 | 3.27.0 | up to date

Crate risingwave_bench

Dependencies

(6 total, all up-to-date)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
futures | ^0.3 | 0.3.32 | up to date
plotters | ^0.3.5 | 0.3.7 | up to date
serde_yaml | ^0.9 | 0.9.34+deprecated | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
nix | ^0.31 | 0.31.2 | up to date

Crate risingwave_cmd

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
madsim-tokio | ^0.2 | 0.2.30 | up to date

Crate risingwave_cmd_all

Dependencies

(8 total, 2 outdated)

Crate | Required | Latest | Status
console | ^0.16 | 0.16.3 | up to date
const-str | ^1.1 | 1.1.0 | up to date
home | ^0.5 | 0.5.12 | up to date
shell-words | ^1.1.0 | 1.1.1 | up to date
strum | ^0.27 | 0.28.0 | out of date
strum_macros | ^0.27 | 0.28.0 | out of date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tracing | ^0.1 | 0.1.44 | up to date

Dev dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
expect-test | ^1 | 1.5.1 | up to date

Build dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
vergen | ^8 | 9.1.0 | out of date

Crate risingwave_common

Dependencies

(64 total, 11 outdated, 1 possibly insecure)

Crate | Required | Latest | Status
ahash | ^0.8 | 0.8.12 | up to date
allocator-api2 | ^0.2 | 0.4.0 | out of date
anyhow | ^1 | 1.0.102 | up to date
arrow-array | ^57 | 58.1.0 | out of date
arrow-buffer | ^57 | 58.1.0 | out of date
arrow-cast | ^57 | 58.1.0 | out of date
arrow-schema | ^57 | 58.1.0 | out of date
async-trait | ^0.1 | 0.1.89 | up to date
auto_impl | ^1 | 1.3.0 | up to date
bitfield-struct | ^0.12 | 0.13.0 | out of date
bitflags | ^2 | 2.11.1 | up to date
byteorder | ^1 | 1.5.0 | up to date
bytes ⚠️ | ^1 | 1.11.1 | maybe insecure
chrono-tz | ^0.10 | 0.10.4 | up to date
comfy-table | ^7 | 7.2.2 | up to date
crc32fast | ^1 | 1.5.0 | up to date
easy-ext | ^1 | 1.0.3 | up to date
educe | ^0.6 | 0.6.0 | up to date
either | ^1 | 1.15.0 | up to date
enum-as-inner | ^0.7 | 0.7.0 | up to date
enumflags2 | ^0.7.8 | 0.7.12 | up to date
ethnum | ^1 | 1.5.3 | up to date
fixedbitset | ^0.5 | 0.5.7 | up to date
futures | ^0.3 | 0.3.32 | up to date
hex | ^0.4.3 | 0.4.3 | up to date
http | ^1 | 1.4.0 | up to date
humantime | ^2.3 | 2.3.0 | up to date
ipnet | ^2.12 | 2.12.0 | up to date
itoa | ^1.0 | 1.0.18 | up to date
jiff | ^0.1.15 | 0.2.24 | out of date
memcomparable | ^0.2 | 0.2.0 | up to date
num-integer | ^0.1 | 0.1.46 | up to date
num-traits | ^0.2 | 0.2.19 | up to date
parse-display | ^0.10 | 0.10.0 | up to date
paste | ^1 | 1.0.15 | up to date
postgres-types | ^0.2.6 | 0.2.13 | up to date
prometheus | ^0.14 | 0.14.0 | up to date
reqwest | ^0.12.2 | 0.13.3 | out of date
rust_decimal | ^1 | 1.41.0 | up to date
ryu | ^1.0 | 1.0.23 | up to date
serde-content | ^0.1.2 | 0.1.2 | up to date
serde_bytes | ^0.11 | 0.11.19 | up to date
serde_default | ^0.2 | 0.2.0 | up to date
serde_json | ^1 | 1.0.149 | up to date
serde_with | ^3 | 3.18.0 | up to date
smallbitset | ^0.7.1 | 0.7.1 | up to date
speedate | ^0.15.0 | 0.17.0 | out of date
stacker | ^0.1 | 0.1.24 | up to date
static_assertions | ^1 | 1.1.0 | up to date
strum | ^0.27 | 0.28.0 | out of date
strum_macros | ^0.27 | 0.28.0 | out of date
sysinfo | ^0.38 | 0.38.4 | up to date
tinyvec | ^1 | 1.11.0 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tokio-retry | ^0.3 | 0.3.1 | up to date
tracing | ^0.1 | 0.1.44 | up to date
tracing-futures | ^0.2 | 0.2.5 | up to date
twox-hash | ^2 | 2.1.2 | up to date
unit-prefix | ^0.5.2 | 0.5.2 | up to date
url | ^2 | 2.5.8 | up to date
uuid | ^1 | 1.23.1 | up to date
http-body | ^1.0.1 | 1.0.1 | up to date
tower-layer | ^0.3.3 | 0.3.3 | up to date
tower-service | ^0.3.3 | 0.3.3 | up to date

Dev dependencies

(6 total, all up-to-date)

Crate | Required | Latest | Status
coarsetime | ^0.1 | 0.1.37 | up to date
expect-test | ^1 | 1.5.1 | up to date
more-asserts | ^0.3 | 0.3.1 | up to date
pretty_assertions | ^1 | 1.4.1 | up to date
rusty-fork | ^0.3 | 0.3.1 | up to date
tempfile | ^3 | 3.27.0 | up to date

Crate risingwave_common_service

Dependencies

(8 total, all up-to-date)

Crate | Required | Latest | Status
async-trait | ^0.1 | 0.1.89 | up to date
futures | ^0.3 | 0.3.32 | up to date
http | ^1 | 1.4.0 | up to date
prometheus | ^0.14 | 0.14.0 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tower | ^0.5 | 0.5.3 | up to date
tower-http | ^0.6 | 0.6.8 | up to date
tracing | ^0.1 | 0.1.44 | up to date

Crate risingwave_common_estimate_size

Dependencies

(6 total, 1 possibly insecure)

Crate | Required | Latest | Status
bytes ⚠️ | ^1 | 1.11.1 | maybe insecure
educe | ^0.6 | 0.6.0 | up to date
ethnum | ^1 | 1.5.3 | up to date
fixedbitset | ^0.5 | 0.5.7 | up to date
rust_decimal | ^1 | 1.41.0 | up to date
serde_json | ^1 | 1.0.149 | up to date

Crate risingwave-fields-derive

Dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
proc-macro2 | ^1 | 1.0.106 | up to date
quote | ^1 | 1.0.45 | up to date
syn | ^2 | 2.0.117 | up to date

Dev dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
expect-test | ^1 | 1.5.1 | up to date
indoc | ^2 | 2.0.7 | up to date
prettyplease | ^0.2 | 0.2.37 | up to date

Crate risingwave_common_heap_profiling

Dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
pprof | ^0.15 | 0.15.0 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tracing | ^0.1 | 0.1.44 | up to date

Crate risingwave_common_log

Dev dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
madsim-tokio | ^0.2 | 0.2.30 | up to date
tracing | ^0.1 | 0.1.44 | up to date
tracing-subscriber | ^0.3.20 | 0.3.23 | up to date

Crate risingwave_common_metrics

Dependencies

(18 total, 1 possibly insecure)

Crate | Required | Latest | Status
auto_impl | ^1 | 1.3.0 | up to date
bytes ⚠️ | ^1 | 1.11.1 | maybe insecure
cfg-or-panic | ^0.2 | 0.2.1 | up to date
easy-ext | ^1 | 1.0.3 | up to date
futures | ^0.3 | 0.3.32 | up to date
http | ^1 | 1.4.0 | up to date
hyper | ^1 | 1.9.0 | up to date
hyper-util | ^0.1 | 0.1.20 | up to date
prometheus | ^0.14 | 0.14.0 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tower-layer | ^0.3.3 | 0.3.3 | up to date
tower-service | ^0.3.3 | 0.3.3 | up to date
tracing | ^0.1 | 0.1.44 | up to date
tracing-subscriber | ^0.3.20 | 0.3.23 | up to date
http-body | ^1 | 1.0.1 | up to date
libc | ^0.2 | 0.2.186 | up to date
procfs | ^0.18 | 0.18.0 | up to date
mach2 | ^0.6 | 0.6.0 | up to date

Crate risingwave_telemetry_event

Dependencies

(3 total, 1 outdated)

Crate | Required | Latest | Status
reqwest | ^0.12.2 | 0.13.3 | out of date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tracing | ^0.1 | 0.1.44 | up to date

Crate risingwave_compute

Dependencies

(11 total, all up-to-date)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
async-trait | ^0.1 | 0.1.89 | up to date
either | ^1 | 1.15.0 | up to date
futures | ^0.3 | 0.3.32 | up to date
http | ^1 | 1.4.0 | up to date
maplit | ^1.0.2 | 1.0.2 | up to date
prometheus | ^0.14 | 0.14.0 | up to date
serde_json | ^1 | 1.0.149 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tower | ^0.5 | 0.5.3 | up to date
tracing | ^0.1 | 0.1.44 | up to date

Dev dependencies

(2 total, all up-to-date)

Crate | Required | Latest | Status
tempfile | ^3 | 3.27.0 | up to date
tokio-retry | ^0.3 | 0.3.1 | up to date

Crate risingwave_connector

Dependencies

(63 total, 7 outdated, 1 possibly insecure)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
assert_matches | ^1 | 1.5.0 | up to date
async-compression | ^0.4.5 | 0.4.42 | up to date
async-nats | ^0.46 | 0.47.0 | out of date
async-trait | ^0.1 | 0.1.89 | up to date
auto_impl | ^1 | 1.3.0 | up to date
aws-msk-iam-sasl-signer | ^1.0.1 | 1.0.1 | up to date
aws-smithy-types-convert | ^0.60.1 | 0.60.14 | up to date
base64 | ^0.22 | 0.22.1 | up to date
byteorder | ^1 | 1.5.0 | up to date
bytes ⚠️ | ^1 | 1.11.1 | maybe insecure
cfg-if | ^1 | 1.0.4 | up to date
cfg-or-panic | ^0.2 | 0.2.1 | up to date
csv | ^1.4 | 1.4.0 | up to date
duration-str | ^0.18.0 | 0.21.0 | out of date
easy-ext | ^1 | 1.0.3 | up to date
either | ^1 | 1.15.0 | up to date
elasticsearch | ^8.17.0-alpha.1 | N/A | up to date
enum-as-inner | ^0.7 | 0.7.0 | up to date
futures | ^0.3 | 0.3.32 | up to date
gcp-bigquery-client | ^0.28.0 | 0.28.0 | up to date
glob | ^0.3 | 0.3.3 | up to date
gcloud-bigquery | ^1.4 | 1.6.0 | up to date
gcloud-gax | ^1 | 1.4.0 | up to date
gcloud-googleapis | ^1 | 1.3.0 | up to date
gcloud-pubsub | ^1.5 | 1.7.0 | up to date
maplit | ^1.0.2 | 1.0.2 | up to date
moka | ^0.12.10 | 0.12.15 | up to date
mongodb | ^3.5.1 | 3.6.0 | up to date
mysql_common | ^0.35 | 0.37.1 | out of date
nexmark | ^0.2 | 0.2.0 | up to date
num-bigint | ^0.4 | 0.4.6 | up to date
opensearch | ^2.3.0 | 2.4.0 | up to date
openssl | ^0.10.72 | 0.10.78 | up to date
parquet | ^57 | 58.1.0 | out of date
paste | ^1 | 1.0.15 | up to date
phf | ^0.13 | 0.13.1 | up to date
postgres-openssl | ^0.5.0 | 0.5.3 | up to date
prometheus | ^0.14 | 0.14.0 | up to date
prost | ^0.13.4 | 0.14.3 | out of date
pulsar | ^6.7 | 6.7.2 | up to date
rumqttc | ^0.25.0 | 0.25.1 | up to date
rust_decimal | ^1 | 1.41.0 | up to date
rustls-native-certs | ^0.8 | 0.8.3 | up to date
rustls-pki-types | ^1 | 1.14.1 | up to date
scopeguard | ^1 | 1.2.0 | up to date
sea-schema | ^0.16 | 0.16.2 | up to date
serde_json | ^1 | 1.0.149 | up to date
serde_with | ^3 | 3.18.0 | up to date
simd-json | ^0.17.0 | 0.17.0 | up to date
strum | ^0.27 | 0.28.0 | out of date
strum_macros | ^0.27 | 0.28.0 | out of date
tempfile | ^3 | 3.27.0 | up to date
time | ^0.3.47 | 0.3.47 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tokio-postgres | ^0.7 | 0.7.17 | up to date
tokio-retry | ^0.3 | 0.3.1 | up to date
tracing | ^0.1 | 0.1.44 | up to date
typed-builder | ^0.23 | 0.23.2 | up to date
url | ^2 | 2.5.8 | up to date
urlencoding | ^2 | 2.1.3 | up to date
uuid | ^1 | 1.23.1 | up to date
yup-oauth2 | ^12.1.2 | 12.1.2 | up to date

Dev dependencies

(14 total, 1 possibly insecure)

Crate | Required | Latest | Status
assert_matches | ^1 | 1.5.0 | up to date
expect-test | ^1 | 1.5.1 | up to date
fs-err | ^3 | 3.3.0 | up to date
indoc | ^2 | 2.0.7 | up to date
paste | ^1 | 1.0.15 | up to date
pretty_assertions | ^1 | 1.4.1 | up to date
proc-macro2 | ^1.0 | 1.0.106 | up to date
quote | ^1 | 1.0.45 | up to date
serde_yaml | ^0.9 | 0.9.34+deprecated | up to date
syn | ^2 | 2.0.117 | up to date
tempfile | ^3 | 3.27.0 | up to date
tracing-subscriber ⚠️ | ^0.3 | 0.3.23 | maybe insecure
tracing-test | ^0.2 | 0.2.6 | up to date
walkdir | ^2 | 2.5.0 | up to date

Build dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
chrono-tz | ^0.10 | 0.10.4 | up to date

Crate risingwave_connector_codec

Dependencies

(11 total, 1 outdated)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
bigdecimal | ^0.4.7 | 0.4.10 | up to date
easy-ext | ^1 | 1.0.3 | up to date
num-bigint | ^0.4 | 0.4.6 | up to date
protox | ^0.9.1 | 0.9.1 | up to date
reqwest | ^0.12.2 | 0.13.3 | out of date
rust_decimal | ^1 | 1.41.0 | up to date
serde_json | ^1.0 | 1.0.149 | up to date
time | ^0.3.47 | 0.3.47 | up to date
tracing | ^0.1 | 0.1.44 | up to date
url | ^2 | 2.5.8 | up to date

Dev dependencies

(4 total, all up-to-date)

Crate | Required | Latest | Status
expect-test | ^1 | 1.5.1 | up to date
fs-err | ^3 | 3.3.0 | up to date
hex | ^0.4 | 0.4.3 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date

Build dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
prost-build | ^0.14.3 | 0.14.3 | up to date

Crate with_options

Dependencies

(2 total, all up-to-date)

Crate | Required | Latest | Status
quote | ^1 | 1.0.45 | up to date
syn | ^2 | 2.0.117 | up to date

Crate risingwave_ctl

Dependencies

(12 total, 1 possibly insecure)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
bytes ⚠️ | ^1 | 1.11.1 | maybe insecure
comfy-table | ^7 | 7.2.2 | up to date
futures | ^0.3 | 0.3.32 | up to date
hex | ^0.4 | 0.4.3 | up to date
inquire | ^0.9.1 | 0.9.4 | up to date
serde_json | ^1 | 1.0.149 | up to date
serde_yaml | ^0.9.25 | 0.9.34+deprecated | up to date
size | ^0.5 | 0.5.0 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tracing | ^0.1 | 0.1.44 | up to date
uuid | ^1 | 1.23.1 | up to date

Crate risingwave_dml

Dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
futures | ^0.3 | 0.3.32 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tracing | ^0.1 | 0.1.44 | up to date

Dev dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
assert_matches | ^1 | 1.5.0 | up to date
paste | ^1 | 1.0.15 | up to date
tempfile | ^3 | 3.27.0 | up to date

Crate risingwave_error

Dependencies

(5 total, 1 outdated)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
bincode | ^1 | 3.0.0 | out of date
easy-ext | ^1 | 1.0.3 | up to date
serde-error | ^0.1 | 0.1.3 | up to date
tracing | ^0.1 | 0.1.44 | up to date

Crate risingwave_expr

Dependencies

(18 total, all up-to-date)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
async-trait | ^0.1 | 0.1.89 | up to date
auto_impl | ^1 | 1.3.0 | up to date
const-currying | ^0.0.5 | 0.0.5 | up to date
downcast-rs | ^2.0 | 2.0.2 | up to date
easy-ext | ^1 | 1.0.3 | up to date
educe | ^0.6 | 0.6.0 | up to date
either | ^1 | 1.15.0 | up to date
enum-as-inner | ^0.7 | 0.7.0 | up to date
futures | ^0.3 | 0.3.32 | up to date
futures-util | ^0.3 | 0.3.32 | up to date
num-traits | ^0.2 | 0.2.19 | up to date
parse-display | ^0.10 | 0.10.0 | up to date
paste | ^1 | 1.0.15 | up to date
prometheus | ^0.14 | 0.14.0 | up to date
static_assertions | ^1 | 1.1.0 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tracing | ^0.1 | 0.1.44 | up to date

Dev dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
expect-test | ^1 | 1.5.1 | up to date

Crate risingwave_expr_impl

Dependencies

(28 total, 7 outdated, 1 possibly insecure)

Crate | Required | Latest | Status
aho-corasick | ^1 | 1.1.4 | up to date
anyhow | ^1 | 1.0.102 | up to date
async-trait | ^0.1 | 0.1.89 | up to date
bytes ⚠️ | ^1 | 1.11.1 | maybe insecure
chrono-tz | ^0.10 | 0.10.4 | up to date
constant_time_eq | ^0.4 | 0.5.0 | out of date
crc32c | ^0.6 | 0.6.8 | up to date
crc32fast | ^1 | 1.5.0 | up to date
educe | ^0.6 | 0.6.0 | up to date
fancy-regex | ^0.17 | 0.18.0 | out of date
futures | ^0.3 | 0.3.32 | up to date
futures-util | ^0.3 | 0.3.32 | up to date
hex | ^0.4 | 0.4.3 | up to date
hmac | ^0.12 | 0.13.0 | out of date
md-5 | ^0.10.6 | 0.11.0 | out of date
moka | ^0.12.0 | 0.12.15 | up to date
num-traits | ^0.2 | 0.2.19 | up to date
openssl | ^0.10.72 | 0.10.78 | up to date
rust_decimal | ^1 | 1.41.0 | up to date
self_cell | ^1.2.0 | 1.2.2 | up to date
serde_json | ^1 | 1.0.149 | up to date
sha1 | ^0.10 | 0.11.0 | out of date
sha2 | ^0.10 | 0.11.0 | out of date
sql-json-path | ^0.1.1 | 0.1.1 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tonic | ^0.12.3 | 0.14.5 | out of date
tracing | ^0.1 | 0.1.44 | up to date
zstd | ^0.13 | 0.13.3 | up to date

Dev dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
expect-test | ^1 | 1.5.1 | up to date
hex-literal | ^1.1.0 | 1.1.0 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date

Crate risingwave_expr_macro

Dependencies

(4 total, all up-to-date)

Crate | Required | Latest | Status
proc-macro-error | ^1 | 1.0.4 | up to date
proc-macro2 | ^1 | 1.0.106 | up to date
quote | ^1 | 1.0.45 | up to date
syn | ^2 | 2.0.117 | up to date

Crate risingwave_frontend

Dependencies

(49 total, 8 outdated, 1 possibly insecure)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
async-recursion | ^1.1.0 | 1.1.1 | up to date
async-trait | ^0.1 | 0.1.89 | up to date
auto_impl | ^1 | 1.3.0 | up to date
base64 | ^0.22 | 0.22.1 | up to date
bk-tree | ^0.5.0 | 0.5.0 | up to date
bytes ⚠️ | ^1 | 1.11.1 | maybe insecure
datafusion | ^52 | 53.1.0 | out of date
datafusion-common | ^52 | 53.1.0 | out of date
downcast-rs | ^2.0 | 2.0.2 | up to date
dyn-clone | ^1.0.14 | 1.0.20 | up to date
easy-ext | ^1 | 1.0.3 | up to date
educe | ^0.6 | 0.6.0 | up to date
either | ^1 | 1.15.0 | up to date
enum-as-inner | ^0.7 | 0.7.0 | up to date
fancy-regex | ^0.17.0 | 0.18.0 | out of date
fixedbitset | ^0.5 | 0.5.7 | up to date
futures | ^0.3 | 0.3.32 | up to date
iana-time-zone | ^0.1 | 0.1.65 | up to date
maplit | ^1 | 1.0.2 | up to date
md-5 | ^0.10.6 | 0.11.0 | out of date
memcomparable | ^0.2 | 0.2.0 | up to date
mysql_common | ^0.35 | 0.37.1 | out of date
num-integer | ^0.1 | 0.1.46 | up to date
parse-display | ^0.10 | 0.10.0 | up to date
paste | ^1 | 1.0.15 | up to date
percent-encoding | ^2.3.1 | 2.3.2 | up to date
petgraph | ^0.8 | 0.8.3 | up to date
postgres-types | ^0.2.6 | 0.2.13 | up to date
pretty-xmlish | ^0.1.13 | 0.1.13 | up to date
pretty_assertions | ^1 | 1.4.1 | up to date
prometheus | ^0.14 | 0.14.0 | up to date
prometheus-http-query | ^0.8.3 | 0.8.3 | up to date
quick-xml | ^0.39 | 0.39.2 | up to date
rand | ^0.9 | 0.10.1 | out of date
scopeguard | ^1.2.0 | 1.2.0 | up to date
serde_json | ^1 | 1.0.149 | up to date
serde_yaml | ^0.9 | 0.9.34+deprecated | up to date
sha2 | ^0.10.7 | 0.11.0 | out of date
speedate | ^0.15.0 | 0.17.0 | out of date
static_assertions | ^1 | 1.1.0 | up to date
tempfile | ^3 | 3.27.0 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tokio-postgres | ^0.7 | 0.7.17 | up to date
tower | ^0.5 | 0.5.3 | up to date
tower-http | ^0.6 | 0.6.8 | up to date
tracing | ^0.1 | 0.1.44 | up to date
url | ^2.5.0 | 2.5.8 | up to date
uuid | ^1 | 1.23.1 | up to date

Dev dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
assert_matches | ^1 | 1.5.0 | up to date
expect-test | ^1 | 1.5.1 | up to date
tempfile | ^3 | 3.27.0 | up to date

Crate risingwave_frontend_macro

Dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
proc-macro2 | ^1 | 1.0.106 | up to date
quote | ^1 | 1.0.45 | up to date
syn | ^2 | 2.0.117 | up to date

Crate risingwave_planner_test

Dependencies

(7 total, all up-to-date)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
expect-test | ^1 | 1.5.1 | up to date
paste | ^1 | 1.0.15 | up to date
serde_with | ^3 | 3.18.0 | up to date
serde_yaml | ^0.9 | 0.9.34+deprecated | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
walkdir | ^2 | 2.5.0 | up to date

Dev dependencies

(2 total, all up-to-date)

Crate | Required | Latest | Status
libtest-mimic | ^0.8 | 0.8.2 | up to date
tempfile | ^3 | 3.27.0 | up to date

Crate risingwave_java_binding

Dependencies

(8 total, 1 outdated, 1 possibly insecure)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
bytes ⚠️ | ^1 | 1.11.1 | maybe insecure
cfg-or-panic | ^0.2 | 0.2.1 | up to date
futures | ^0.3 | 0.3.32 | up to date
jni | ^0.21.1 | 0.22.4 | out of date
serde_json | ^1.0 | 1.0.149 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tracing | ^0.1 | 0.1.44 | up to date

Crate risingwave_jni_core

Dependencies

(8 total, 1 possibly insecure)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
bytes ⚠️ | ^1 | 1.11.1 | maybe insecure
cfg-or-panic | ^0.2 | 0.2.1 | up to date
fs-err | ^3 | 3.3.0 | up to date
futures | ^0.3 | 0.3.32 | up to date
paste | ^1 | 1.0.15 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tracing | ^0.1 | 0.1.44 | up to date

Dev dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
expect-test | ^1 | 1.5.1 | up to date

Crate risingwave_license

Dependencies

(4 total, 2 outdated)

Crate | Required | Latest | Status
humansize | ^2.1.3 | 2.1.3 | up to date
strum | ^0.27 | 0.28.0 | out of date
tracing | ^0.1 | 0.1.44 | up to date
typify | ^0.5.0 | 0.6.2 | out of date

Dev dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
expect-test | ^1 | 1.5.1 | up to date

Crate risingwave_meta

Dependencies

(32 total, 1 outdated, 1 possibly insecure)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
assert_matches | ^1 | 1.5.0 | up to date
async-trait | ^0.1 | 0.1.89 | up to date
base64-url | ^3.0.0 | 3.0.3 | up to date
bytes ⚠️ | ^1 | 1.11.1 | maybe insecure
comfy-table | ^7 | 7.2.2 | up to date
crepe | ^0.2 | 0.2.0 | up to date
easy-ext | ^1 | 1.0.3 | up to date
educe | ^0.6 | 0.6.0 | up to date
either | ^1 | 1.15.0 | up to date
enum-as-inner | ^0.7 | 0.7.0 | up to date
fail | ^0.5 | 0.5.1 | up to date
futures | ^0.3 | 0.3.32 | up to date
hex | ^0.4 | 0.4.3 | up to date
http | ^1 | 1.4.0 | up to date
lz4 | ^1.28.0 | 1.28.1 | up to date
maplit | ^1.0.2 | 1.0.2 | up to date
notify | ^8 | 8.2.0 | up to date
pretty_assertions | ^1 | 1.4.1 | up to date
prometheus | ^0.14 | 0.14.0 | up to date
prometheus-http-query | ^0.8.3 | 0.8.3 | up to date
scopeguard | ^1.2.0 | 1.2.0 | up to date
serde_json | ^1.0.113 | 1.0.149 | up to date
strum | ^0.27 | 0.28.0 | out of date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tokio-retry | ^0.3 | 0.3.1 | up to date
tower | ^0.5 | 0.5.3 | up to date
tracing | ^0.1 | 0.1.44 | up to date
twox-hash | ^2.1.0 | 2.1.2 | up to date
uuid | ^1 | 1.23.1 | up to date
zstd | ^0.13 | 0.13.3 | up to date
tower-http | ^0.6 | 0.6.8 | up to date

Dev dependencies

(4 total, 1 possibly insecure)

Crate | Required | Latest | Status
assert_matches | ^1 | 1.5.0 | up to date
expect-test | ^1.5 | 1.5.1 | up to date
tempfile | ^3 | 3.27.0 | up to date
tracing-subscriber ⚠️ | ^0.3 | 0.3.23 | maybe insecure

Crate risingwave_meta_dashboard

Dependencies

(8 total, 1 outdated, 1 possibly insecure)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
axum-embed | ^0.1 | 0.1.0 | up to date
bytes ⚠️ | ^1 | 1.11.1 | maybe insecure
mime_guess | ^2 | 2.0.5 | up to date
reqwest | ^0.12.2 | 0.13.3 | out of date
rust-embed | ^8 | 8.11.0 | up to date
tracing | ^0.1 | 0.1.44 | up to date
url | ^2 | 2.5.8 | up to date

Dev dependencies

(2 total, 1 possibly insecure)

Crate | Required | Latest | Status
tokio | ^1.44 | 1.52.1 | up to date
tracing-subscriber ⚠️ | ^0.3 | 0.3.23 | maybe insecure

Build dependencies

(4 total, all up-to-date)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
cargo-emit | ^0.2 | 0.2.1 | up to date
dircpy | ^0.3 | 0.3.20 | up to date
npm_rs | ^1 | 1.0.0 | up to date

Crate risingwave_meta_model

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
serde_json | ^1 | 1.0.149 | up to date

Crate risingwave_meta_model_migration

Dependencies

(4 total, all up-to-date)

Crate | Required | Latest | Status
easy-ext | ^1 | 1.0.3 | up to date
serde_json | ^1 | 1.0.149 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
uuid | ^1 | 1.23.1 | up to date

Crate risingwave_meta_node

Dependencies

(7 total, all up-to-date)

Crate | Required | Latest | Status
educe | ^0.6 | 0.6.0 | up to date
hex | ^0.4 | 0.4.3 | up to date
prometheus-http-query | ^0.8 | 0.8.3 | up to date
redact | ^0.1.5 | 0.1.11 | up to date
serde_json | ^1 | 1.0.149 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tracing | ^0.1 | 0.1.44 | up to date

Crate risingwave_meta_service

Dependencies

(6 total, all up-to-date)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
async-trait | ^0.1 | 0.1.89 | up to date
futures | ^0.3 | 0.3.32 | up to date
serde_json | ^1 | 1.0.149 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tracing | ^0.1 | 0.1.44 | up to date

Crate risingwave_object_store

Dependencies

(12 total, 1 outdated, 1 possibly insecure)

Crate | Required | Latest | Status
async-trait | ^0.1 | 0.1.89 | up to date
madsim-aws-sdk-s3 | ^0.5 | 0.5.0+1 | up to date
bytes ⚠️ | ^1 | 1.11.1 | maybe insecure
crc32fast | ^1 | 1.5.0 | up to date
fail | ^0.5 | 0.5.1 | up to date
futures | ^0.3 | 0.3.32 | up to date
prometheus | ^0.14 | 0.14.0 | up to date
reqwest | ^0.12.2 | 0.13.3 | out of date
spin | ^0.10 | 0.10.0 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tokio-retry | ^0.3 | 0.3.1 | up to date
tracing | ^0.1 | 0.1.44 | up to date

Crate kamu-engine-risingwave

Dependencies

(16 total, 5 possibly insecure)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
indoc | ^2 | 2.0.7 | up to date
chrono ⚠️ | ^0.4 | 0.4.44 | maybe insecure
nix ⚠️ | ^0 | 0.31.2 | maybe insecure
serde | ^1 | 1.0.228 | up to date
serde_json | ^1 | 1.0.149 | up to date
serde_with | ^3 | 3.18.0 | up to date
tar ⚠️ | ^0.4 | 0.4.45 | maybe insecure
tokio ⚠️ | ^1 | 1.52.1 | maybe insecure
tokio-postgres | ^0.7 | 0.7.17 | up to date
tokio-stream | ^0.1 | 0.1.18 | up to date
tonic | ^0.14 | 0.14.5 | up to date
tracing | ^0.1 | 0.1.44 | up to date
tracing-bunyan-formatter | ^0.3 | 0.3.10 | up to date
tracing-log | ^0.2 | 0.2.0 | up to date
tracing-subscriber ⚠️ | ^0.3 | 0.3.23 | maybe insecure

Dev dependencies

(2 total, all up-to-date)

Crate | Required | Latest | Status
tempfile | ^3 | 3.27.0 | up to date
test-log | ^0.2 | 0.2.20 | up to date

Crate risingwave_pb

Dependencies

(6 total, 1 outdated)

Crate | Required | Latest | Status
enum-as-inner | ^0.7 | 0.7.0 | up to date
paste | ^1 | 1.0.15 | up to date
pbjson | ^0.9 | 0.9.0 | up to date
strum | ^0.27 | 0.28.0 | out of date
tonic-prost | ^0.14 | 0.14.5 | up to date
tracing | ^0.1 | 0.1.44 | up to date

Dev dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
static_assertions | ^1 | 1.1.0 | up to date

Build dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
fs-err | ^3.2 | 3.3.0 | up to date
pbjson-build | ^0.9 | 0.9.0 | up to date
walkdir | ^2 | 2.5.0 | up to date

Crate prost-helpers

Dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
proc-macro2 | ^1 | 1.0.106 | up to date
quote | ^1 | 1.0.45 | up to date
syn | ^2 | 2.0.117 | up to date

Crate risedev

Dependencies

(17 total, 2 outdated, 1 possibly insecure)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
console | ^0.16 | 0.16.3 | up to date
fs-err | ^3.2.2 | 3.3.0 | up to date
glob | ^0.3 | 0.3.3 | up to date
gcloud-pubsub | ^1.5 | 1.7.0 | up to date
indicatif | ^0.18 | 0.18.4 | up to date
log | ^0.4 | 0.4.29 | up to date
panic-message | ^0.3 | 0.3.0 | up to date
reqwest | ^0.12.2 | 0.13.3 | out of date
serde_json | ^1 | 1.0.149 | up to date
serde_yaml | ^0.9 | 0.9.34+deprecated | up to date
tempfile | ^3 | 3.27.0 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tracing | ^0.1 | 0.1.44 | up to date
tracing-subscriber ⚠️ | ^0.3 | 0.3.23 | maybe insecure
url | ^2 | 2.5.8 | up to date
yaml-rust2 | ^0.10.3 | 0.11.0 | out of date

Crate risedev-config

Dependencies

(5 total, all up-to-date)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
console | ^0.16 | 0.16.3 | up to date
dialoguer | ^0.12 | 0.12.0 | up to date
enum-iterator | ^2 | 2.3.0 | up to date
fs-err | ^3.2.2 | 3.3.0 | up to date

Crate risingwave_rpc_client

Dependencies

(13 total, all up-to-date)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
async-trait | ^0.1 | 0.1.89 | up to date
easy-ext | ^1 | 1.0.3 | up to date
either | ^1.15.0 | 1.15.0 | up to date
futures | ^0.3 | 0.3.32 | up to date
http | ^1 | 1.4.0 | up to date
moka | ^0.12.0 | 0.12.15 | up to date
paste | ^1 | 1.0.15 | up to date
static_assertions | ^1 | 1.1.0 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tokio-retry | ^0.3 | 0.3.1 | up to date
tower | ^0.5 | 0.5.3 | up to date
tracing | ^0.1 | 0.1.44 | up to date

Crate risingwave_sqlparser

Dependencies

(4 total, 1 outdated, 1 possibly insecure)

Crate | Required | Latest | Status
task-local | ^0.1 | 0.1.1 | up to date
tracing | ^0.1 | 0.1.44 | up to date
tracing-subscriber ⚠️ | ^0.3 | 0.3.23 | maybe insecure
winnow | ^0.7.3 | 1.0.2 | out of date

Dev dependencies

(7 total, all up-to-date)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
console | ^0.16 | 0.16.3 | up to date
libtest-mimic | ^0.8 | 0.8.2 | up to date
matches | ^0.1 | 0.1.10 | up to date
serde_with | ^3 | 3.18.0 | up to date
serde_yaml | ^0.9 | 0.9.34+deprecated | up to date
walkdir | ^2 | 2.5.0 | up to date

Crate risingwave_storage

Dependencies

(30 total, 1 outdated, 1 possibly insecure)

Crate | Required | Latest | Status
ahash | ^0.8 | 0.8.12 | up to date
anyhow | ^1 | 1.0.102 | up to date
async-trait | ^0.1 | 0.1.89 | up to date
bytes ⚠️ | ^1 | 1.11.1 | maybe insecure
derive_builder | ^0.20 | 0.20.2 | up to date
dyn-clone | ^1.0.14 | 1.0.20 | up to date
either | ^1 | 1.15.0 | up to date
enum-as-inner | ^0.7 | 0.7.0 | up to date
fail | ^0.5 | 0.5.1 | up to date
futures | ^0.3 | 0.3.32 | up to date
hex | ^0.4 | 0.4.3 | up to date
libc | ^0.2 | 0.2.186 | up to date
lz4 | ^1.28.0 | 1.28.1 | up to date
memcomparable | ^0.2 | 0.2.0 | up to date
moka | ^0.12.0 | 0.12.15 | up to date
more-asserts | ^0.3 | 0.3.1 | up to date
num-integer | ^0.1 | 0.1.46 | up to date
parquet | ^57 | 58.1.0 | out of date
prometheus | ^0.14 | 0.14.0 | up to date
scopeguard | ^1 | 1.2.0 | up to date
serde_bytes | ^0.11 | 0.11.19 | up to date
sled | ^0.34.7 | 0.34.7 | up to date
spin | ^0.10 | 0.10.0 | up to date
tempfile | ^3 | 3.27.0 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tokio-retry | ^0.3 | 0.3.1 | up to date
tracing | ^0.1 | 0.1.44 | up to date
xorf | ^0.12.0 | 0.12.0 | up to date
xxhash-rust | ^0.8.7 | 0.8.15 | up to date
zstd | ^0.13 | 0.13.3 | up to date

Dev dependencies

(3 total, 1 outdated)

Crate | Required | Latest | Status
bincode | ^1 | 3.0.0 | out of date
expect-test | ^1 | 1.5.1 | up to date
uuid | ^1 | 1.23.1 | up to date

Crate risingwave_backup

Dependencies

(6 total, 1 possibly insecure)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
async-trait | ^0.1 | 0.1.89 | up to date
bytes ⚠️ | ^1 | 1.11.1 | maybe insecure
serde_json | ^1 | 1.0.149 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
twox-hash | ^2 | 2.1.2 | up to date

Crate risingwave_compactor

Dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
async-trait | ^0.1 | 0.1.89 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tracing | ^0.1 | 0.1.44 | up to date

Dev dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
tokio-retry | ^0.3 | 0.3.1 | up to date

Crate risingwave_hummock_sdk

Dependencies

(3 total, 1 possibly insecure)

Crate | Required | Latest | Status
bytes ⚠️ | ^1 | 1.11.1 | maybe insecure
hex | ^0.4 | 0.4.3 | up to date
tracing | ^0.1 | 0.1.44 | up to date

Crate risingwave_hummock_test

Dependencies

(6 total, 1 possibly insecure)

Crate | Required | Latest | Status
async-trait | ^0.1 | 0.1.89 | up to date
bytes ⚠️ | ^1 | 1.11.1 | maybe insecure
fail | ^0.5 | 0.5.1 | up to date
futures | ^0.3 | 0.3.32 | up to date
serial_test | ^3.3 | 3.4.0 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date

Dev dependencies

(2 total, all up-to-date)

Crate | Required | Latest | Status
expect-test | ^1 | 1.5.1 | up to date
futures | ^0.3 | 0.3.32 | up to date

Crate risingwave_stream

Dependencies

(30 total, 2 outdated, 1 possibly insecure)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
async-recursion | ^1 | 1.1.1 | up to date
async-stream | ^0.3 | 0.3.6 | up to date
async-trait | ^0.1 | 0.1.89 | up to date
bytes ⚠️ | ^1 | 1.11.1 | maybe insecure
cfg-if | ^1 | 1.0.4 | up to date
dhat | ^0.3 | 0.3.3 | up to date
educe | ^0.6 | 0.6.0 | up to date
either | ^1 | 1.15.0 | up to date
enum-as-inner | ^0.7 | 0.7.0 | up to date
fail | ^0.5 | 0.5.1 | up to date
futures | ^0.3 | 0.3.32 | up to date
glob | ^0.3 | 0.3.3 | up to date
hytra | ^0.1.2 | 0.1.2 | up to date
indexmap | ^2 | 2.14.0 | up to date
maplit | ^1.0.2 | 1.0.2 | up to date
memcomparable | ^0.2 | 0.2.0 | up to date
moka | ^0.12.0 | 0.12.15 | up to date
multimap | ^0.10 | 0.10.1 | up to date
paste | ^1 | 1.0.15 | up to date
pin-project | ^1 | 1.1.11 | up to date
prometheus | ^0.14 | 0.14.0 | up to date
serde_json | ^1 | 1.0.149 | up to date
static_assertions | ^1 | 1.1.0 | up to date
strum_macros | ^0.27 | 0.28.0 | out of date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tokio-metrics | ^0.4.0 | 0.5.0 | out of date
tokio-retry | ^0.3 | 0.3.1 | up to date
tracing | ^0.1 | 0.1.44 | up to date
url | ^2 | 2.5.8 | up to date

Dev dependencies

(6 total, all up-to-date)

Crate | Required | Latest | Status
assert_matches | ^1 | 1.5.0 | up to date
expect-test | ^1 | 1.5.1 | up to date
pretty_assertions | ^1 | 1.4.1 | up to date
serde_yaml | ^0.9 | 0.9.34+deprecated | up to date
tracing-subscriber | ^0.3.20 | 0.3.23 | up to date
tracing-test | ^0.2 | 0.2.6 | up to date

Crate risingwave_mem_table_spill_test

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
madsim-tokio | ^0.2 | 0.2.30 | up to date

Crate risingwave_test_runner

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
fail | ^0.5 | 0.5.1 | up to date

Crate risingwave_compaction_test

Dependencies

(4 total, 1 possibly insecure)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
bytes ⚠️ | ^1 | 1.11.1 | maybe insecure
madsim-tokio | ^0.2 | 0.2.30 | up to date
tracing | ^0.1 | 0.1.44 | up to date

Crate risingwave_e2e_extended_mode_test

Dependencies

(7 total, 1 outdated)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
pg_interval | ^0.4 | 0.5.0 | out of date
rust_decimal | ^1.40 | 1.41.0 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tokio-postgres | ^0.7 | 0.7.17 | up to date
tracing | ^0.1 | 0.1.44 | up to date
tracing-subscriber | ^0.3.20 | 0.3.23 | up to date

Crate risingwave_mysql_test

Dev dependencies

(2 total, all up-to-date)

Crate | Required | Latest | Status
futures | ^0.3 | 0.3.32 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date

Crate risingwave_regress_test

Dependencies

(6 total, 1 outdated)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
path-absolutize | ^3.1 | 3.1.1 | up to date
similar | ^2 | 3.1.0 | out of date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tracing | ^0.1 | 0.1.44 | up to date
tracing-subscriber | ^0.3.20 | 0.3.23 | up to date

Crate risingwave_simulation

Dependencies

(22 total, 1 outdated, 1 possibly insecure)

Crate | Required | Latest | Status
anyhow | ^1.0 | 1.0.102 | up to date
async-trait | ^0.1 | 0.1.89 | up to date
cfg-or-panic | ^0.2 | 0.2.1 | up to date
console | ^0.16 | 0.16.3 | up to date
expect-test | ^1 | 1.5.1 | up to date
fail | ^0.5 | 0.5.1 | up to date
futures | ^0.3 | 0.3.32 | up to date
glob | ^0.3 | 0.3.3 | up to date
maplit | ^1 | 1.0.2 | up to date
paste | ^1 | 1.0.15 | up to date
pin-project | ^1.1 | 1.1.11 | up to date
pretty_assertions | ^1 | 1.4.1 | up to date
rand_chacha | ^0.9 | 0.10.0 | out of date
serde_json | ^1.0.107 | 1.0.149 | up to date
shell-words | ^1.1.0 | 1.1.1 | up to date
sqllogictest | ^0.29.1 | 0.29.1 | up to date
tempfile | ^3 | 3.27.0 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tokio-postgres | ^0.7 | 0.7.17 | up to date
tracing | ^0.1 | 0.1.44 | up to date
tracing-subscriber ⚠️ | ^0.3 | 0.3.23 | maybe insecure
uuid | * | 1.23.1 | up to date

Crate risingwave_sqlsmith

Dependencies

(11 total, 4 outdated)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
console | ^0.16 | 0.16.3 | up to date
rand | ^0.9 | 0.10.1 | out of date
rand_chacha | ^0.9 | 0.10.0 | out of date
serde_yaml | ^0.9 | 0.9.34+deprecated | up to date
similar | ^2.7.0 | 3.1.0 | out of date
strum | ^0.27 | 0.28.0 | out of date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tokio-postgres | ^0.7 | 0.7.17 | up to date
tracing | ^0.1 | 0.1.44 | up to date
tracing-subscriber | ^0.3.20 | 0.3.23 | up to date

Dev dependencies

(2 total, all up-to-date)

Crate | Required | Latest | Status
expect-test | ^1 | 1.5.1 | up to date
libtest-mimic | ^0.8 | 0.8.2 | up to date

Crate risingwave_state_cleaning_test

Dependencies

(7 total, all up-to-date)

Crate | Required | Latest | Status
anyhow | ^1 | 1.0.102 | up to date
futures | ^0.3 | 0.3.32 | up to date
serde_with | ^3 | 3.18.0 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tokio-postgres | ^0.7 | 0.7.17 | up to date
toml | ^1.0 | 1.1.2+spec-1.1.0 | up to date
tracing | ^0.1 | 0.1.44 | up to date

Crate delta_btree_map

Dependencies

(2 total, all up-to-date)

Crate | Required | Latest | Status
educe | ^0.6 | 0.6.0 | up to date
enum-as-inner | ^0.7 | 0.7.0 | up to date

Crate rw_futures_util

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
futures | ^0.3 | 0.3.32 | up to date

Dev dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
tokio | ^1.44 | 1.52.1 | up to date

Crate rw_iter_util

No external dependencies! 🙌

Crate openai_embedding_service

Dependencies

(4 total, 1 possibly insecure)

Crate | Required | Latest | Status
serde_json | ^1 | 1.0.149 | up to date
madsim-tokio | ^0.2 | 0.2.30 | up to date
tracing | ^0.1 | 0.1.44 | up to date
tracing-subscriber ⚠️ | ^0.3 | 0.3.23 | maybe insecure

Crate pgwire

Dependencies

(19 total, 2 outdated, 2 possibly insecure)

Crate                Required  Latest   Status
anyhow               ^1.0      1.0.102  up to date
byteorder            ^1.5      1.5.0    up to date
bytes ⚠️             ^1        1.11.1   maybe insecure
futures              ^0.3      0.3.32   up to date
ldap3                ^0.12.1   0.12.1   up to date
openssl              ^0.10.72  0.10.78  up to date
panic-message        ^0.3      0.3.0    up to date
peekable             ^0.4      0.6.1    out of date
postgres-types       ^0.2.6    0.2.13   up to date
reqwest              ^0.12.2   0.13.3   out of date
rustls ⚠️            ^0.23     0.23.40  maybe insecure
rustls-native-certs  ^0.8      0.8.3    up to date
rustls-pki-types     ^1        1.14.1   up to date
serde_json           ^1        1.0.149  up to date
socket2              ^0.6      0.6.3    up to date
madsim-tokio         ^0.2      0.2.30   up to date
tokio-openssl        ^0.6.3    0.6.5    up to date
tracing              ^0.1      0.1.44   up to date
url                  ^2        2.5.8    up to date

Dev dependencies

(5 total, 1 outdated, 1 insecure)

Crate           Required  Latest  Status
base64          ^0.22     0.22.1  up to date
rand            ^0.8      0.10.1  out of date
rsa ⚠️          ^0.9      0.9.10  insecure
tempfile        ^3        3.27.0  up to date
tokio-postgres  ^0.7      0.7.17  up to date

Crate rw_resource_util

Dependencies

(4 total, all up-to-date)

Crate     Required  Latest  Status
fs-err    ^3        3.3.0   up to date
hostname  ^0.4.1    0.4.2   up to date
sysinfo   ^0.38     0.38.4  up to date
tracing   ^0.1      0.1.44  up to date

Dev dependencies

(1 total, all up-to-date)

Crate     Required  Latest  Status
tempfile  ^3        3.27.0  up to date

Crate risingwave_rt

Dependencies

(15 total, 2 outdated, 3 possibly insecure)

Crate                   Required  Latest   Status
console                 ^0.16     0.16.3   up to date
console-subscriber      ^0.5      0.5.0    up to date
either                  ^1        1.15.0   up to date
futures                 ^0.3      0.3.32   up to date
hostname                ^0.4      0.4.2    up to date
pprof                   ^0.15     0.15.0   up to date
rlimit                  ^0.10     0.11.0   out of date
rustls ⚠️               ^0.23.5   0.23.40  maybe insecure
tokio                   =1.48.0   1.52.1   out of date
time ⚠️                 ^0.3      0.3.47   maybe insecure
madsim-tokio            ^0.2      0.2.30   up to date
tracing                 ^0.1      0.1.44   up to date
tracing-subscriber ⚠️   ^0.3      0.3.23   maybe insecure
fastrace                ^0.7      0.7.17   up to date
fastrace-opentelemetry  ^0.16.0   0.16.0   up to date

Crate sync-point

Dependencies

(3 total, all up-to-date)

Crate         Required  Latest  Status
futures-util  ^0.3      0.3.32  up to date
spin          ^0.10     0.10.0  up to date
madsim-tokio  ^0.2      0.2.30  up to date

Crate risingwave_variables

No external dependencies! 🙌

Crate workspace-config

Dependencies

(8 total, all up-to-date)

Crate        Required  Latest              Status
log          ^0.4      0.4.29              up to date
tracing      ^0.1      0.1.44              up to date
libz-sys     ^1        1.1.28              up to date
liblzma-sys  ^0.4      0.4.6               up to date
sasl2-sys    ^0.1      0.1.22+2.1.28       up to date
openssl-sys  ^0.9.96   0.9.114             up to date
zstd-sys     ^2        2.0.16+zstd.1.5.7   up to date
aws-lc-rs    ^1.16     1.16.3              up to date

Crate workspace-hack

No external dependencies! 🙌

Crate risingwave_common_secret

Dependencies

(10 total, 1 outdated)

Crate         Required  Latest   Status
aws-lc-rs     ^1.6      1.16.3   up to date
anyhow        ^1        1.0.102  up to date
bincode       ^1        3.0.0    out of date
moka          ^0.12.0   0.12.15  up to date
serde_json    ^1        1.0.149  up to date
cfg-or-panic  ^0.2      0.2.1    up to date
serde_with    ^3        3.18.0   up to date
madsim-tokio  ^0.2      0.2.30   up to date
tracing       ^0.1      0.1.44   up to date
url           ^2.0      2.5.8    up to date

Dev dependencies

(1 total, all up-to-date)

Crate  Required  Latest  Status
hex    ^0.4      0.4.3   up to date

Security Vulnerabilities

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

nix: Out-of-bounds write in nix::unistd::getgrouplist

RUSTSEC-2021-0119

On certain platforms, if a user has more than 16 groups, the nix::unistd::getgrouplist function will call the libc getgrouplist function with a length parameter greater than the size of the buffer it provides, resulting in an out-of-bounds write and memory corruption.

The libc getgrouplist function takes an in/out parameter ngroups specifying the size of the group buffer. When the buffer is too small to hold all of the requested user's group memberships, some libc implementations, including glibc and Solaris libc, will modify ngroups to indicate the actual number of groups for the user, in addition to returning an error. The version of nix::unistd::getgrouplist in nix 0.16.0 and up will resize the buffer to twice its size, but will not read or modify the ngroups variable. Thus, if the user has more than twice as many groups as the initial buffer size of 8, the next call to getgrouplist will then write past the end of the buffer.

The issue would require editing /etc/groups to exploit, which is usually only editable by the root user.

tokio: reject_remote_clients Configuration corruption

RUSTSEC-2023-0001

On Windows, configuring a named pipe server with pipe_mode will force ServerOptions::reject_remote_clients to false.

This drops any explicit reject_remote_clients configuration that was previously set to true.

The default setting of reject_remote_clients is normally true, meaning the default is also overridden to false.

Workarounds

Ensure that pipe_mode is set first after initializing a ServerOptions. For example:

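use tokio::net::windows::named_pipe::{PipeMode, ServerOptions};

let mut opts = ServerOptions::new();
// Call pipe_mode first: on affected versions it forces reject_remote_clients to false.
opts.pipe_mode(PipeMode::Message);
opts.reject_remote_clients(true);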

rsa: Marvin Attack: potential key recovery through timing sidechannels

RUSTSEC-2023-0071

Impact

Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.

Patches

No patch is yet available; however, work is underway to migrate to a fully constant-time implementation.

Workarounds

The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information; for example, local use on a non-compromised computer is fine.

References

This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.

rustls: rustls network-reachable panic in `Acceptor::accept`

RUSTSEC-2024-0399

A bug introduced in rustls 0.23.13 leads to a panic if the received TLS ClientHello is fragmented. Only servers that use rustls::server::Acceptor::accept() are affected.

Servers that use tokio-rustls's LazyConfigAcceptor API are affected.

Servers that use tokio-rustls's TlsAcceptor API are not affected.

Servers that use rustls-ffi's rustls_acceptor_accept API are affected.

tracing-subscriber: Logging user input may result in poisoning logs with ANSI escape sequences

RUSTSEC-2025-0055

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, impact is minimal. However, security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

This was patched in PR #3368 to escape ANSI control characters from user input.
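The kind of escaping described above can also be applied by the application before a value reaches any logger. The following is an added example using only the standard library, not code from tracing-subscriber or from PR #3368; the function names and the sample strings are constructed for illustration.

```rust
/// Replaces every control character (C0, DEL and C1, which covers ESC 0x1b and
/// CSI 0x9b) with a visible \u{..} escape, leaving printable text untouched.
fn escape_control_chars(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        if c.is_control() {
            // escape_unicode yields the characters of e.g. `\u{1b}`
            out.extend(c.escape_unicode());
        } else {
            out.push(c);
        }
    }
    out
}

/// Detection helper: true when a value would have reached the terminal with
/// live control characters in it. Useful for counting or alerting on such input.
fn has_control_chars(input: &str) -> bool {
    input.chars().any(char::is_control)
}

fn main() {
    // Constructed sample values standing in for untrusted request fields.
    let samples = [
        "alice",
        "bob\u{1b}]0;new window title\u{07}",
        "carol\u{1b}[2J",
    ];
    for s in samples {
        println!(
            "flagged={} user={}",
            has_control_chars(s),
            escape_control_chars(s)
        );
    }
}
```

Newlines and tabs are control characters too, so this helper escapes them as well, which also keeps one logged value on one line.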

bytes: Integer overflow in `BytesMut::reserve`

RUSTSEC-2026-0007

In the unique reclaim path of BytesMut::reserve, the condition

if v_capacity >= new_cap + offset

uses an unchecked addition. When new_cap + offset overflows usize in release builds, this condition may incorrectly pass, causing self.cap to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as spare_capacity_mut() then trust this corrupted cap value and may create out-of-bounds slices, leading to UB.

This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks.

PoC

use bytes::*;

fn main() {
    let mut a = BytesMut::from(&b"hello world"[..]);
    let mut b = a.split_off(5);

    // Ensure b becomes the unique owner of the backing storage
    drop(a);

    // Trigger overflow in new_cap + offset inside reserve
    b.reserve(usize::MAX - 6);

    // This call relies on the corrupted cap and may cause UB and a heap buffer overflow (HBO)
    b.put_u8(b'h');
}

Workarounds

Users of BytesMut::reserve are only affected if integer overflow checks are configured to wrap. When integer overflow is configured to panic, this issue does not apply.
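To make the wrap-around concrete, the following added example models the quoted condition next to a checked form, using only the standard library. It is a simplified model, not the bytes crate's code or its patch; the function names are hypothetical, and the mapping of the PoC to these numbers (allocation of 11 bytes, offset 5, length 6) is an assumption read off the PoC above.

```rust
/// Simplified model of the condition quoted in the advisory
/// (`v_capacity >= new_cap + offset`). `wrapping_add` reproduces release-build
/// arithmetic regardless of the profile this example is compiled with.
fn reclaim_fits_wrapping(v_capacity: usize, new_cap: usize, offset: usize) -> bool {
    v_capacity >= new_cap.wrapping_add(offset)
}

/// Hardened form: a sum that overflows usize can never fit in an existing
/// allocation, so the reclaim path is refused.
fn reclaim_fits_checked(v_capacity: usize, new_cap: usize, offset: usize) -> bool {
    match new_cap.checked_add(offset) {
        Some(needed) => v_capacity >= needed,
        None => false,
    }
}

/// Values assumed from the PoC: "hello world" is 11 bytes, split_off(5) leaves a
/// view with offset 5 and length 6, and reserve(usize::MAX - 6) asks for
/// new_cap = 6 + (usize::MAX - 6) = usize::MAX.
fn poc_values() -> (usize, usize, usize) {
    let v_capacity = 11; // assumed size of the backing allocation
    let offset = 5;
    let len = 6;
    let additional = usize::MAX - 6;
    let new_cap = len + additional; // exactly usize::MAX, no overflow yet
    (v_capacity, new_cap, offset)
}

fn main() {
    let (v_capacity, new_cap, offset) = poc_values();
    println!("new_cap + offset wraps to {}", new_cap.wrapping_add(offset));
    println!(
        "wrapping check accepts: {}",
        reclaim_fits_wrapping(v_capacity, new_cap, offset)
    );
    println!(
        "checked check accepts:  {}",
        reclaim_fits_checked(v_capacity, new_cap, offset)
    );
}
```

For the workaround, Cargo's `overflow-checks = true` setting under `[profile.release]` is what makes a release build panic on integer overflow instead of wrapping.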

time: Denial of Service via Stack Exhaustion

RUSTSEC-2026-0009

Impact

When user-provided input is passed to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features of the RFC 2822 format being used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario.

Patches

A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.

Workarounds

Limiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of the stack consumed would be at most a factor of the length of the input.

tar: `unpack_in` can chmod arbitrary directories by following symlinks

RUSTSEC-2026-0067

In versions 0.4.44 and below of tar-rs, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root.

This issue has been fixed in version 0.4.45.
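The difference between the two metadata calls is easy to check on a Unix system. This is an added example with the standard library only, not code from tar-rs or its fix; the helper names and the temporary directory layout are constructed for illustration.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::symlink;
use std::path::{Path, PathBuf};

/// Check in the style the advisory describes: fs::metadata() follows symlinks,
/// so a symlink that points at a directory is reported as a directory.
fn is_dir_following_links(path: &Path) -> bool {
    fs::metadata(path).map(|m| m.is_dir()).unwrap_or(false)
}

/// Stricter check: fs::symlink_metadata() describes the link itself, so only
/// a real directory at `path` passes.
fn is_real_dir(path: &Path) -> bool {
    fs::symlink_metadata(path)
        .map(|m| m.file_type().is_dir())
        .unwrap_or(false)
}

/// Constructed layout: <root>/outside is a directory beyond the extraction
/// root, and <root>/extract/entry is a symlink pointing at it.
fn build_layout(root: &Path) -> io::Result<PathBuf> {
    let outside = root.join("outside");
    let extract = root.join("extract");
    fs::create_dir_all(&outside)?;
    fs::create_dir_all(&extract)?;
    let entry = extract.join("entry");
    symlink(&outside, &entry)?;
    Ok(entry)
}

/// Returns (following check, stricter check) for the symlink entry.
fn compare_checks() -> io::Result<(bool, bool)> {
    let root = std::env::temp_dir().join(format!("tar_symlink_demo_{}", std::process::id()));
    let _ = fs::remove_dir_all(&root);
    let entry = build_layout(&root)?;
    let result = (is_dir_following_links(&entry), is_real_dir(&entry));
    fs::remove_dir_all(&root)?;
    Ok(result)
}

fn main() -> io::Result<()> {
    let (following, strict) = compare_checks()?;
    println!("fs::metadata reports a directory:         {following}");
    println!("fs::symlink_metadata reports a directory: {strict}");
    Ok(())
}
```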

tar: tar-rs incorrectly ignores PAX size headers if header size is nonzero

RUSTSEC-2026-0068

Versions 0.4.44 and below of tar-rs have conditional logic that skips the PAX size header in cases where the base header size is nonzero.

As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue.

Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size — other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers.

This issue has been fixed in version 0.4.45.