This project might be open to known security vulnerabilities , which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom .
Crate activity_indicator
No external dependencies! 🙌
Crate anthropic
No external dependencies! 🙌
Crate assets
No external dependencies! 🙌
Crate assistant
No external dependencies! 🙌
Crate assistant2
No external dependencies! 🙌
Crate assistant_slash_command
No external dependencies! 🙌
Crate assistant_tool
No external dependencies! 🙌
Crate assistant_tools
No external dependencies! 🙌
Crate audio
Dependencies (1 total, all up-to-date)
Crate Required Latest Status rodio ^0.20.0
0.20.1
up to date
Crate auto_update
No external dependencies! 🙌
Crate auto_update_ui
No external dependencies! 🙌
Crate breadcrumbs
No external dependencies! 🙌
Crate call
No external dependencies! 🙌
Crate channel
No external dependencies! 🙌
Crate cli
Dependencies (1 total, all up-to-date)
Crate Required Latest Status ipc-channel ^0.19
0.19.0
up to date
Crate client
Dependencies (3 total, 2 outdated)
Crate clock
No external dependencies! 🙌
Crate collab
Dependencies (14 total, 4 outdated, 1 possibly insecure)
Dev dependencies (2 total, 1 possibly insecure)
Crate Required Latest Status sea-orm ^1.1.0-rc.1
1.1.2
up to date sqlx ⚠️ ^0.8
0.8.2
maybe insecure
Crate collab_ui
No external dependencies! 🙌
Crate collections
Dependencies (1 total, 1 outdated)
Crate Required Latest Status rustc-hash ^1.1
2.1.0
out of date
Crate command_palette
No external dependencies! 🙌
Crate command_palette_hooks
No external dependencies! 🙌
Crate context_server
No external dependencies! 🙌
Crate context_server_settings
No external dependencies! 🙌
Crate copilot
No external dependencies! 🙌
Crate db
No external dependencies! 🙌
Crate diagnostics
No external dependencies! 🙌
Crate docs_preprocessor
Dependencies (1 total, all up-to-date)
Crate Required Latest Status mdbook ^0.4.40
0.4.43
up to date
Crate editor
No external dependencies! 🙌
Crate evals
No external dependencies! 🙌
Crate extension
No external dependencies! 🙌
Crate zed_extension_api
Dependencies (3 total, 1 outdated)
Crate extension_cli
No external dependencies! 🙌
Crate extension_host
No external dependencies! 🙌
Crate extensions_ui
No external dependencies! 🙌
Crate feature_flags
No external dependencies! 🙌
Crate feedback
Dependencies (2 total, all up-to-date)
Crate file_finder
No external dependencies! 🙌
Crate file_icons
No external dependencies! 🙌
Crate fs
No external dependencies! 🙌
Crate fsevent
No external dependencies! 🙌
Crate fuzzy
No external dependencies! 🙌
Crate git
No external dependencies! 🙌
Crate git_hosting_providers
No external dependencies! 🙌
Crate go_to_line
No external dependencies! 🙌
Crate google_ai
No external dependencies! 🙌
Crate gpui
Dependencies (15 total, 1 outdated)
Dev dependencies (1 total, all up-to-date)
Crate Required Latest Status backtrace ^0.3
0.3.74
up to date
Build dependencies (1 total, all up-to-date)
Crate gpui_macros
Dependencies (3 total, 1 outdated)
Crate Required Latest Status proc-macro2 ^1.0.66
1.0.92
up to date quote ^1.0.9
1.0.37
up to date syn ^1.0.72
2.0.90
out of date
Crate html_to_markdown
No external dependencies! 🙌
Crate http_client
No external dependencies! 🙌
Crate image_viewer
No external dependencies! 🙌
Crate indexed_docs
No external dependencies! 🙌
Crate inline_completion
No external dependencies! 🙌
Crate inline_completion_button
No external dependencies! 🙌
Crate install_cli
No external dependencies! 🙌
Crate journal
No external dependencies! 🙌
Crate language
Dependencies (1 total, all up-to-date)
Crate Required Latest Status unicase ^2.6
2.8.0
up to date
Crate language_extension
No external dependencies! 🙌
Crate language_model
No external dependencies! 🙌
Crate language_model_selector
No external dependencies! 🙌
Crate language_models
No external dependencies! 🙌
Crate language_selector
No external dependencies! 🙌
Crate language_tools
No external dependencies! 🙌
Crate languages
No external dependencies! 🙌
Crate livekit_client
Dependencies (2 total, 1 outdated)
Crate Required Latest Status cpal ^0.15
0.15.3
up to date http ^0.2.1
1.2.0
out of date
Crate livekit_client_macos
Dependencies (1 total, all up-to-date)
Crate livekit_server
No external dependencies! 🙌
Crate lsp
No external dependencies! 🙌
Crate markdown
No external dependencies! 🙌
Crate markdown_preview
No external dependencies! 🙌
Crate media
Build dependencies (1 total, 1 outdated)
Crate Required Latest Status bindgen ^0.70.0
0.71.1
out of date
Crate menu
No external dependencies! 🙌
Crate multi_buffer
No external dependencies! 🙌
Crate node_runtime
Dependencies (1 total, all up-to-date)
Crate Required Latest Status walkdir ^2.5.0
2.5.0
up to date
Crate notifications
No external dependencies! 🙌
Crate ollama
No external dependencies! 🙌
Crate open_ai
No external dependencies! 🙌
Crate outline
No external dependencies! 🙌
Crate outline_panel
No external dependencies! 🙌
Crate paths
No external dependencies! 🙌
Crate picker
No external dependencies! 🙌
Crate prettier
No external dependencies! 🙌
Crate project
Dependencies (1 total, 1 outdated)
Crate Required Latest Status similar ^1.3
2.6.0
out of date
Crate project_panel
No external dependencies! 🙌
Crate project_symbols
No external dependencies! 🙌
Crate proto
No external dependencies! 🙌
Crate recent_projects
No external dependencies! 🙌
Crate refineable
No external dependencies! 🙌
Crate derive_refineable
Dependencies (3 total, 1 outdated)
Crate Required Latest Status syn ^1.0.72
2.0.90
out of date quote ^1.0.9
1.0.37
up to date proc-macro2 ^1.0.66
1.0.92
up to date
Crate release_channel
No external dependencies! 🙌
Crate remote
No external dependencies! 🙌
Crate remote_server
Dependencies (1 total, all up-to-date)
Crate Required Latest Status backtrace ^0.3
0.3.74
up to date
Crate repl
No external dependencies! 🙌
Crate reqwest_client
No external dependencies! 🙌
Crate rich_text
No external dependencies! 🙌
Crate rope
Dependencies (1 total, all up-to-date)
Crate Required Latest Status arrayvec ^0.7.1
0.7.6
up to date
Dev dependencies (1 total, all up-to-date)
Crate Required Latest Status criterion ^0.5
0.5.1
up to date
Crate rpc
Dependencies (1 total, all up-to-date)
Crate Required Latest Status tracing ^0.1.34
0.1.41
up to date
Crate search
No external dependencies! 🙌
Crate semantic_index
No external dependencies! 🙌
Crate semantic_version
No external dependencies! 🙌
Crate session
No external dependencies! 🙌
Crate settings
No external dependencies! 🙌
Crate settings_ui
No external dependencies! 🙌
Crate snippet
No external dependencies! 🙌
Crate snippet_provider
No external dependencies! 🙌
Crate snippets_ui
No external dependencies! 🙌
Crate sqlez
Dependencies (1 total, all up-to-date)
Crate sqlez_macros
Dependencies (1 total, 1 outdated)
Crate Required Latest Status syn ^1.0
2.0.90
out of date
Crate story
Dependencies (1 total, all up-to-date)
Crate Required Latest Status itertools ^0.13
0.13.0
up to date
Crate storybook
Dependencies (2 total, all up-to-date)
Crate Required Latest Status ctrlc ^3.4
3.4.5
up to date dialoguer ^0.11.0
0.11.0
up to date
Crate sum_tree
Dependencies (1 total, all up-to-date)
Crate Required Latest Status arrayvec ^0.7.1
0.7.6
up to date
Crate supermaven
No external dependencies! 🙌
Crate supermaven_api
No external dependencies! 🙌
Crate tab_switcher
No external dependencies! 🙌
Crate task
No external dependencies! 🙌
Crate tasks_ui
No external dependencies! 🙌
Crate telemetry_events
No external dependencies! 🙌
Crate terminal
No external dependencies! 🙌
Crate terminal_view
No external dependencies! 🙌
Crate text
No external dependencies! 🙌
Crate theme
No external dependencies! 🙌
Crate theme_extension
No external dependencies! 🙌
Crate theme_importer
Dependencies (1 total, all up-to-date)
Crate theme_selector
No external dependencies! 🙌
Crate time_format
No external dependencies! 🙌
Crate title_bar
No external dependencies! 🙌
Crate toolchain_selector
No external dependencies! 🙌
Crate ui
No external dependencies! 🙌
Crate ui_input
No external dependencies! 🙌
Crate ui_macros
Dependencies (3 total, 1 outdated)
Crate Required Latest Status proc-macro2 ^1.0.66
1.0.92
up to date quote ^1.0.9
1.0.37
up to date syn ^1.0.72
2.0.90
out of date
Crate util
Dependencies (1 total, all up-to-date)
Crate Required Latest Status take-until ^0.2.0
0.2.0
up to date
Crate vcs_menu
No external dependencies! 🙌
Crate vim
Dependencies (1 total, 1 possibly insecure)
Crate Required Latest Status tokio ⚠️ ^1.15
1.42.0
maybe insecure
Crate vim_mode_setting
No external dependencies! 🙌
Crate welcome
No external dependencies! 🙌
Crate workspace
Dependencies (1 total, all up-to-date)
Crate Required Latest Status bincode ^1.2.1
1.3.3
up to date
Crate worktree
No external dependencies! 🙌
Crate zed
Dependencies (3 total, all up-to-date)
Crate zed_actions
No external dependencies! 🙌
Crate zeta
No external dependencies! 🙌
Crate git_ui
No external dependencies! 🙌
Crate zed_astro
Dependencies (2 total, 1 outdated)
Crate zed_clojure
Dependencies (1 total, 1 outdated)
Crate zed_csharp
Dependencies (1 total, 1 outdated)
Crate zed_deno
Dependencies (1 total, 1 outdated)
Crate zed_elixir
Dependencies (1 total, 1 outdated)
Crate zed_elm
Dependencies (1 total, 1 outdated)
Crate zed_emmet
Dependencies (1 total, 1 outdated)
Crate zed_erlang
Dependencies (1 total, 1 outdated)
Crate zed_glsl
Dependencies (1 total, 1 outdated)
Crate zed_haskell
Dependencies (1 total, 1 outdated)
Crate zed_html
Dependencies (1 total, 1 outdated)
Crate zed_lua
Dependencies (1 total, 1 outdated)
Crate zed_php
Dependencies (1 total, 1 outdated)
Crate perplexity
Dependencies (1 total, all up-to-date)
Crate Required Latest Status serde ^1
1.0.216
up to date
Crate zed_prisma
Dependencies (1 total, 1 outdated)
Crate zed_proto
Dependencies (1 total, 1 outdated)
Crate zed_purescript
Dependencies (1 total, 1 outdated)
Crate zed_ruff
Dependencies (1 total, 1 outdated)
Crate slash_commands_example
Dependencies (1 total, 1 outdated)
Crate zed_snippets
Dependencies (2 total, 1 outdated)
Crate zed_terraform
Dependencies (1 total, 1 outdated)
Crate zed_test_extension
No external dependencies! 🙌
Crate zed_toml
Dependencies (1 total, 1 outdated)
Crate zed_uiua
Dependencies (1 total, 1 outdated)
Crate zed_zig
Dependencies (1 total, 1 outdated)
Crate xtask
No external dependencies! 🙌
Security Vulnerabilities tokio
: reject_remote_clients Configuration corruptionRUSTSEC-2023-0001
On Windows, configuring a named pipe server with pipe_mode will force ServerOptions ::reject_remote_clients as false
.
This drops any intended explicit configuration for the reject_remote_clients that may have been set as true
previously.
The default setting of reject_remote_clients is normally true
meaning the default is also overridden as false
.
Workarounds
Ensure that pipe_mode is set first after initializing a ServerOptions . For example:
let mut opts = ServerOptions::new();
opts.pipe_mode(PipeMode::Message);
opts.reject_remote_clients(true);
Patched
>=1.18.4, <1.19.0
>=1.20.3, <1.21.0
>=1.23.1
sqlx
: Binary Protocol Misinterpretation caused by Truncating or Overflowing CastsRUSTSEC-2024-0363
The following presentation at this year's DEF CON was brought to our attention on the SQLx Discord:
SQL Injection isn't Dead: Smuggling Queries at the Protocol Level
http://web.archive.org/web/20240812130923/https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn't%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
(Archive link for posterity.)
Essentially, encoding a value larger than 4GiB can cause the length prefix in the protocol to overflow,
causing the server to interpret the rest of the string as binary protocol commands or other data.
It appears SQLx does perform truncating casts in a way that could be problematic,
for example: https://github.com/launchbadge/sqlx/blob/6f2905695b9606b5f51b40ce10af63ac9e696bb8/sqlx-postgres/src/arguments.rs#L163
This code has existed essentially since the beginning,
so it is reasonable to assume that all published versions <= 0.8.0
are affected.
Mitigation
As always, you should make sure your application is validating untrustworthy user input.
Reject any input over 4 GiB, or any input that could encode to a string longer than 4 GiB.
Dynamically built queries are also potentially problematic if it pushes the message size over this 4 GiB bound.
Encode::size_hint()
can be used for sanity checks, but do not assume that the size returned is accurate.
For example, the Json<T>
and Text<T>
adapters have no reasonable way to predict or estimate the final encoded size,
so they just return size_of::<T>()
instead.
For web application backends, consider adding some middleware that limits the size of request bodies by default.
Resolution
sqlx 0.8.1
has been released with the fix: https://github.com/launchbadge/sqlx/blob/main/CHANGELOG.md#081---2024-08-23
Postgres users are advised to upgrade ASAP as a possible exploit has been demonstrated:
https://github.com/launchbadge/sqlx/issues/3440#issuecomment-2307956901
MySQL and SQLite do not appear to be exploitable, but upgrading is recommended nonetheless.