mozilla / neqo

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate `fuzz`

Dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
libfuzzer-sys	`^0.4`	`0.4.10`	up to date

Crate `mtu`

Dependencies

(1 total, 1 outdated)

Crate	Required	Latest	Status
windows	`>=0.58, <0.60`	`0.62.2`	out of date

Build dependencies

(3 total, 1 outdated)

Crate	Required	Latest	Status
cfg_aliases	`^0.2`	`0.2.1`	up to date
mozbuild	`^0.1`	`0.1.0`	up to date
bindgen	`^0.69`	`0.72.1`	out of date

Crate `neqo-bin`

Dependencies

(4 total, 1 possibly insecure)

Crate	Required	Latest	Status
clap	`^4.5`	`4.5.51`	up to date
clap-verbosity-flag	`^3.0`	`3.0.4`	up to date
futures	`^0.3`	`0.3.31`	up to date
tokio ⚠️	`^1`	`1.48.0`	maybe insecure

Dev dependencies

(2 total, 1 outdated, 1 possibly insecure)

Crate	Required	Latest	Status
criterion	`^0.6`	`0.7.0`	out of date
tokio ⚠️	`^1`	`1.48.0`	maybe insecure

Crate `neqo-common`

Dependencies

(1 total, 1 outdated)

Crate	Required	Latest	Status
env_logger	`^0.10`	`0.11.8`	out of date

Dev dependencies

(1 total, 1 outdated)

Crate	Required	Latest	Status
criterion	`^0.6`	`0.7.0`	out of date

Crate `neqo-crypto`

Build dependencies

(6 total, 2 outdated)

Crate	Required	Latest	Status
bindgen	`^0.69`	`0.72.1`	out of date
mozbuild	`^0.1`	`0.1.0`	up to date
semver	`^1.0`	`1.0.27`	up to date
serde	`^1.0`	`1.0.228`	up to date
serde_derive	`^1.0`	`1.0.228`	up to date
toml	`^0.5`	`0.9.8`	out of date

Crate `neqo-http3`

Dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
sfv	`^0.14`	`0.14.0`	up to date

Dev dependencies

(1 total, 1 outdated)

Crate	Required	Latest	Status
criterion	`^0.6`	`0.7.0`	out of date

Crate `neqo-qpack`

No external dependencies! 🙌

Crate `neqo-transport`

Dependencies

(2 total, all up-to-date)

Crate	Required	Latest	Status
indexmap	`^2.2`	`2.12.0`	up to date
smallvec	`^1.13`	`1.15.1`	up to date

Dev dependencies

(1 total, 1 outdated)

Crate	Required	Latest	Status
criterion	`^0.6`	`0.7.0`	out of date

Crate `neqo-udp`

Build dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
cfg_aliases	`^0.2`	`0.2.1`	up to date

Crate `test-fixture`

No external dependencies! 🙌

Security Vulnerabilities

`tokio`: reject_remote_clients Configuration corruption

RUSTSEC-2023-0001

On Windows, configuring a named pipe server with pipe_mode will force ServerOptions::reject_remote_clients as false.

This drops any intended explicit configuration for the reject_remote_clients that may have been set as true previously.

The default setting of reject_remote_clients is normally true meaning the default is also overridden as false.

Workarounds

Ensure that pipe_mode is set first after initializing a ServerOptions. For example:

let mut opts = ServerOptions::new();
opts.pipe_mode(PipeMode::Message);
opts.reject_remote_clients(true);

mozilla / neqo

Crate fuzz

Dependencies

Crate mtu

Dependencies

Build dependencies

Crate neqo-bin

Dependencies

Dev dependencies

Crate neqo-common

Dependencies

Dev dependencies

Crate neqo-crypto

Build dependencies

Crate neqo-http3

Dependencies

Dev dependencies

Crate neqo-qpack

Crate neqo-transport

Dependencies

Dev dependencies

Crate neqo-udp

Build dependencies

Crate test-fixture

Security Vulnerabilities

tokio: reject_remote_clients Configuration corruption

Workarounds

Crate `fuzz`

Crate `mtu`

Crate `neqo-bin`

Crate `neqo-common`

Crate `neqo-crypto`

Crate `neqo-http3`

Crate `neqo-qpack`

Crate `neqo-transport`

Crate `neqo-udp`

Crate `test-fixture`

`tokio`: reject_remote_clients Configuration corruption