This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate activity_indicator

No external dependencies! 🙌

Crate anthropic

No external dependencies! 🙌

Crate assets

No external dependencies! 🙌

Crate assistant

No external dependencies! 🙌

Crate assistant2

No external dependencies! 🙌

Crate assistant_slash_command

No external dependencies! 🙌

Crate assistant_tool

No external dependencies! 🙌

Crate assistant_tools

No external dependencies! 🙌

Crate audio

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
rodio | ^0.20.0 | 0.20.1 | up to date

Crate auto_update

No external dependencies! 🙌

Crate auto_update_ui

No external dependencies! 🙌

Crate breadcrumbs

No external dependencies! 🙌

Crate call

No external dependencies! 🙌

Crate channel

No external dependencies! 🙌

Crate cli

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
ipc-channel | ^0.19 | 0.19.0 | up to date

Crate client

Dependencies

(3 total, 2 outdated)

Crate | Required | Latest | Status
async-recursion | ^0.3 | 1.1.1 | out of date
tiny_http | ^0.8 | 0.12.0 | out of date
tokio-socks | ^0.5.2 | 0.5.2 | up to date

Crate clock

No external dependencies! 🙌

Crate collab

Dependencies

(14 total, 4 outdated, 1 possibly insecure)

Crate | Required | Latest | Status
aws-config | ^1.1.5 | 1.5.10 | up to date
aws-sdk-s3 | ^1.15.0 | 1.65.0 | up to date
aws-sdk-kinesis | ^1.51.0 | 1.52.0 | up to date
axum | ^0.6 | 0.7.9 | out of date
axum-extra | ^0.4 | 0.9.6 | out of date
envy | ^0.4.2 | 0.4.2 | up to date
prometheus | ^0.13 | 0.13.4 | up to date
reqwest | ^0.11 | 0.12.9 | out of date
scrypt | ^0.11 | 0.11.0 | up to date
sea-orm | ^1.1.0-rc.1 | 1.1.2 | up to date
sqlx ⚠️ | ^0.8 | 0.8.2 | maybe insecure
tower | ^0.4 | 0.5.2 | out of date
tracing | ^0.1.40 | 0.1.41 | up to date
tracing-subscriber | ^0.3.18 | 0.3.19 | up to date

Dev dependencies

(2 total, 1 possibly insecure)

Crate | Required | Latest | Status
sea-orm | ^1.1.0-rc.1 | 1.1.2 | up to date
sqlx ⚠️ | ^0.8 | 0.8.2 | maybe insecure

Crate collab_ui

No external dependencies! 🙌

Crate collections

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
rustc-hash | ^1.1 | 2.1.0 | out of date

Crate command_palette

No external dependencies! 🙌

Crate command_palette_hooks

No external dependencies! 🙌

Crate context_server

No external dependencies! 🙌

Crate context_server_settings

No external dependencies! 🙌

Crate copilot

No external dependencies! 🙌

Crate db

No external dependencies! 🙌

Crate diagnostics

No external dependencies! 🙌

Crate docs_preprocessor

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
mdbook | ^0.4.40 | 0.4.43 | up to date

Crate editor

No external dependencies! 🙌

Crate evals

No external dependencies! 🙌

Crate extension

No external dependencies! 🙌

Crate zed_extension_api

Dependencies

(3 total, 1 outdated)

Crate | Required | Latest | Status
serde | ^1.0 | 1.0.216 | up to date
serde_json | ^1.0 | 1.0.133 | up to date
wit-bindgen | ^0.22 | 0.36.0 | out of date

Crate extension_cli

No external dependencies! 🙌

Crate extension_host

No external dependencies! 🙌

Crate extensions_ui

No external dependencies! 🙌

Crate feature_flags

No external dependencies! 🙌

Crate feedback

Dependencies

(2 total, all up-to-date)

Crate | Required | Latest | Status
human_bytes | ^0.4.1 | 0.4.3 | up to date
urlencoding | ^2.1.2 | 2.1.3 | up to date

Crate file_finder

No external dependencies! 🙌

Crate file_icons

No external dependencies! 🙌

Crate fs

No external dependencies! 🙌

Crate fsevent

No external dependencies! 🙌

Crate fuzzy

No external dependencies! 🙌

Crate git

No external dependencies! 🙌

Crate git_hosting_providers

No external dependencies! 🙌

Crate go_to_line

No external dependencies! 🙌

Crate google_ai

No external dependencies! 🙌

Crate gpui

Dependencies

(15 total, 1 outdated)

Crate | Required | Latest | Status
async-task | ^4.7 | 4.7.1 | up to date
backtrace | ^0.3 | 0.3.74 | up to date
bytemuck | ^1 | 1.20.0 | up to date
etagere | ^0.2 | 0.2.13 | up to date
image | ^0.25.1 | 0.25.5 | up to date
linkme | ^0.3 | 0.3.31 | up to date
num_cpus | ^1.13 | 1.16.0 | up to date
parking | ^2.0.0 | 2.2.1 | up to date
raw-window-handle | ^0.6 | 0.6.2 | up to date
resvg | ^0.44.0 | 0.44.0 | up to date
usvg | ^0.44.0 | 0.44.0 | up to date
seahash | ^4.1 | 4.1.0 | up to date
slotmap | ^1.0.6 | 1.0.7 | up to date
taffy | ^0.4.3 | 0.6.3 | out of date
waker-fn | ^1.2.0 | 1.2.0 | up to date

Dev dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
backtrace | ^0.3 | 0.3.74 | up to date

Build dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
embed-resource | ^3.0 | 3.0.1 | up to date

Crate gpui_macros

Dependencies

(3 total, 1 outdated)

Crate | Required | Latest | Status
proc-macro2 | ^1.0.66 | 1.0.92 | up to date
quote | ^1.0.9 | 1.0.37 | up to date
syn | ^1.0.72 | 2.0.90 | out of date

Crate html_to_markdown

No external dependencies! 🙌

Crate http_client

No external dependencies! 🙌

Crate image_viewer

No external dependencies! 🙌

Crate indexed_docs

No external dependencies! 🙌

Crate inline_completion

No external dependencies! 🙌

Crate inline_completion_button

No external dependencies! 🙌

Crate install_cli

No external dependencies! 🙌

Crate journal

No external dependencies! 🙌

Crate language

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
unicase | ^2.6 | 2.8.0 | up to date

Crate language_extension

No external dependencies! 🙌

Crate language_model

No external dependencies! 🙌

Crate language_model_selector

No external dependencies! 🙌

Crate language_models

No external dependencies! 🙌

Crate language_selector

No external dependencies! 🙌

Crate language_tools

No external dependencies! 🙌

Crate languages

No external dependencies! 🙌

Crate livekit_client

Dependencies

(2 total, 1 outdated)

Crate | Required | Latest | Status
cpal | ^0.15 | 0.15.3 | up to date
http | ^0.2.1 | 1.2.0 | out of date

Crate livekit_client_macos

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
async-broadcast | ^0.7 | 0.7.1 | up to date

Crate livekit_server

No external dependencies! 🙌

Crate lsp

No external dependencies! 🙌

Crate markdown

No external dependencies! 🙌

Crate markdown_preview

No external dependencies! 🙌

Crate media

Build dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
bindgen | ^0.70.0 | 0.71.1 | out of date

Crate menu

No external dependencies! 🙌

Crate multi_buffer

No external dependencies! 🙌

Crate node_runtime

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
walkdir | ^2.5.0 | 2.5.0 | up to date

Crate notifications

No external dependencies! 🙌

Crate ollama

No external dependencies! 🙌

Crate open_ai

No external dependencies! 🙌

Crate outline

No external dependencies! 🙌

Crate outline_panel

No external dependencies! 🙌

Crate paths

No external dependencies! 🙌

Crate picker

No external dependencies! 🙌

Crate prettier

No external dependencies! 🙌

Crate project

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
similar | ^1.3 | 2.6.0 | out of date

Crate project_panel

No external dependencies! 🙌

Crate project_symbols

No external dependencies! 🙌

Crate proto

No external dependencies! 🙌

Crate recent_projects

No external dependencies! 🙌

Crate refineable

No external dependencies! 🙌

Crate derive_refineable

Dependencies

(3 total, 1 outdated)

Crate | Required | Latest | Status
syn | ^1.0.72 | 2.0.90 | out of date
quote | ^1.0.9 | 1.0.37 | up to date
proc-macro2 | ^1.0.66 | 1.0.92 | up to date

Crate release_channel

No external dependencies! 🙌

Crate remote

No external dependencies! 🙌

Crate remote_server

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
backtrace | ^0.3 | 0.3.74 | up to date

Crate repl

No external dependencies! 🙌

Crate reqwest_client

No external dependencies! 🙌

Crate rich_text

No external dependencies! 🙌

Crate rope

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
arrayvec | ^0.7.1 | 0.7.6 | up to date

Dev dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
criterion | ^0.5 | 0.5.1 | up to date

Crate rpc

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
tracing | ^0.1.34 | 0.1.41 | up to date

Crate search

No external dependencies! 🙌

Crate semantic_index

No external dependencies! 🙌

Crate semantic_version

No external dependencies! 🙌

Crate session

No external dependencies! 🙌

Crate settings

No external dependencies! 🙌

Crate settings_ui

No external dependencies! 🙌

Crate snippet

No external dependencies! 🙌

Crate snippet_provider

No external dependencies! 🙌

Crate snippets_ui

No external dependencies! 🙌

Crate sqlez

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
thread_local | ^1.1.4 | 1.1.8 | up to date

Crate sqlez_macros

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
syn | ^1.0 | 2.0.90 | out of date

Crate story

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
itertools | ^0.13 | 0.13.0 | up to date

Crate storybook

Dependencies

(2 total, all up-to-date)

Crate | Required | Latest | Status
ctrlc | ^3.4 | 3.4.5 | up to date
dialoguer | ^0.11.0 | 0.11.0 | up to date

Crate sum_tree

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
arrayvec | ^0.7.1 | 0.7.6 | up to date

Crate supermaven

No external dependencies! 🙌

Crate supermaven_api

No external dependencies! 🙌

Crate tab_switcher

No external dependencies! 🙌

Crate task

No external dependencies! 🙌

Crate tasks_ui

No external dependencies! 🙌

Crate telemetry_events

No external dependencies! 🙌

Crate terminal

No external dependencies! 🙌

Crate terminal_view

No external dependencies! 🙌

Crate text

No external dependencies! 🙌

Crate theme

No external dependencies! 🙌

Crate theme_extension

No external dependencies! 🙌

Crate theme_importer

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
vscode_theme | ^0.2.0 | 0.2.0 | up to date

Crate theme_selector

No external dependencies! 🙌

Crate time_format

No external dependencies! 🙌

Crate title_bar

No external dependencies! 🙌

Crate toolchain_selector

No external dependencies! 🙌

Crate ui

No external dependencies! 🙌

Crate ui_input

No external dependencies! 🙌

Crate ui_macros

Dependencies

(3 total, 1 outdated)

Crate | Required | Latest | Status
proc-macro2 | ^1.0.66 | 1.0.92 | up to date
quote | ^1.0.9 | 1.0.37 | up to date
syn | ^1.0.72 | 2.0.90 | out of date

Crate util

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
take-until | ^0.2.0 | 0.2.0 | up to date

Crate vcs_menu

No external dependencies! 🙌

Crate vim

Dependencies

(1 total, 1 possibly insecure)

Crate | Required | Latest | Status
tokio ⚠️ | ^1.15 | 1.42.0 | maybe insecure

Crate vim_mode_setting

No external dependencies! 🙌

Crate welcome

No external dependencies! 🙌

Crate workspace

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
bincode | ^1.2.1 | 1.3.3 | up to date

Crate worktree

No external dependencies! 🙌

Crate zed

Dependencies

(3 total, all up-to-date)

Crate | Required | Latest | Status
backtrace | ^0.3 | 0.3.74 | up to date
mimalloc | ^0.1 | 0.1.43 | up to date
urlencoding | ^2.1.2 | 2.1.3 | up to date

Crate zed_actions

No external dependencies! 🙌

Crate zeta

No external dependencies! 🙌

Crate git_ui

No external dependencies! 🙌

Crate zed_astro

Dependencies

(2 total, 1 outdated)

Crate | Required | Latest | Status
serde | ^1.0 | 1.0.216 | up to date
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate zed_clojure

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate zed_csharp

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate zed_deno

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate zed_elixir

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate zed_elm

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate zed_emmet

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate zed_erlang

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate zed_glsl

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate zed_haskell

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate zed_html

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate zed_lua

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate zed_php

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate perplexity

Dependencies

(1 total, all up-to-date)

Crate | Required | Latest | Status
serde | ^1 | 1.0.216 | up to date

Crate zed_prisma

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate zed_proto

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate zed_purescript

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate zed_ruff

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate slash_commands_example

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate zed_snippets

Dependencies

(2 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date
serde_json | ^1.0 | 1.0.133 | up to date

Crate zed_terraform

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate zed_test_extension

No external dependencies! 🙌

Crate zed_toml

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate zed_uiua

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate zed_zig

Dependencies

(1 total, 1 outdated)

Crate | Required | Latest | Status
zed_extension_api | ^0.1.0 | 0.2.0 | out of date

Crate xtask

No external dependencies! 🙌

Security Vulnerabilities

tokio: reject_remote_clients Configuration corruption

RUSTSEC-2023-0001

On Windows, configuring a named pipe server with pipe_mode will force ServerOptions::reject_remote_clients as false.

This drops any intended explicit configuration for reject_remote_clients that may have been set as true previously.

The default setting of reject_remote_clients is normally true, meaning the default is also overridden as false.

Workarounds

Ensure that pipe_mode is set first after initializing a ServerOptions. For example:

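use tokio::net::windows::named_pipe::{PipeMode, ServerOptions};

let mut opts = ServerOptions::new();
// Call pipe_mode first: on affected versions it forces reject_remote_clients to false.
opts.pipe_mode(PipeMode::Message);
opts.reject_remote_clients(true);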

sqlx: Binary Protocol Misinterpretation caused by Truncating or Overflowing Casts

RUSTSEC-2024-0363

The following presentation at this year's DEF CON was brought to our attention on the SQLx Discord:

SQL Injection isn't Dead: Smuggling Queries at the Protocol Level
http://web.archive.org/web/20240812130923/https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn't%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
(Archive link for posterity.)

Essentially, encoding a value larger than 4GiB can cause the length prefix in the protocol to overflow, causing the server to interpret the rest of the string as binary protocol commands or other data.

It appears SQLx does perform truncating casts in a way that could be problematic, for example: https://github.com/launchbadge/sqlx/blob/6f2905695b9606b5f51b40ce10af63ac9e696bb8/sqlx-postgres/src/arguments.rs#L163

This code has existed essentially since the beginning, so it is reasonable to assume that all published versions <= 0.8.0 are affected.

Mitigation

As always, you should make sure your application is validating untrustworthy user input. Reject any input over 4 GiB, or any input that could encode to a string longer than 4 GiB. Dynamically built queries are also potentially problematic if they push the message size over this 4 GiB bound.

Encode::size_hint() can be used for sanity checks, but do not assume that the size returned is accurate. For example, the Json<T> and Text<T> adapters have no reasonable way to predict or estimate the final encoded size, so they just return size_of::<T>() instead.

For web application backends, consider adding some middleware that limits the size of request bodies by default.

Resolution

sqlx 0.8.1 has been released with the fix: https://github.com/launchbadge/sqlx/blob/main/CHANGELOG.md#081---2024-08-23

Postgres users are advised to upgrade ASAP as a possible exploit has been demonstrated: https://github.com/launchbadge/sqlx/issues/3440#issuecomment-2307956901

MySQL and SQLite do not appear to be exploitable, but upgrading is recommended nonetheless.