chore(deps): update rust crate tokio to v1.43.1 [security]

[renovate-sh-app[bot]]

This PR contains the following updates:

Package	Type	Update	Change
tokio (source)	dependencies	minor	1.40.0 -> 1.43.1

---

Broadcast channel calls clone in parallel, but does not require Sync

GHSA-rr8g-9fpq-6wmg / RUSTSEC-2025-0023

More information

Details

The broadcast channel internally calls clone on the stored value when receiving it, and only requires T:Send. This means that using the broadcast channel with values that are Send but not Sync can trigger unsoundness if the clone implementation makes use of the value being !Sync.

Thank you to Austin Bonander for finding and reporting this issue.

Severity

Unknown

References

• https://crates.io/crates/tokio
• https://rustsec.org/advisories/RUSTSEC-2025-0023.html
• https://github.com/tokio-rs/tokio/pull/7232

This data is provided by OSV and the Rust Advisory Database (CC0 1.0).

---

Tokio broadcast channel calls clone in parallel, but does not require Sync

GHSA-rr8g-9fpq-6wmg / RUSTSEC-2025-0023

More information

Details

The broadcast channel internally calls clone on the stored value when receiving it, and only requires T:Send. This means that using the broadcast channel with values that are Send but not Sync can trigger unsoundness if the clone implementation makes use of the value being !Sync.

Thank you to Austin Bonander for finding and reporting this issue.

Severity

• CVSS Score: 2.7 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

• https://github.com/tokio-rs/tokio/pull/7232
• https://github.com/tokio-rs/tokio
• https://rustsec.org/advisories/RUSTSEC-2025-0023.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

tokio-rs/tokio (tokio)

v1.43.1

Compare Source

v1.43.0: Tokio v1.43.0

Compare Source

1.43.0 (Jan 8th, 2025)

Added

• net: add UdpSocket::peek methods (#​7068)
• net: add support for Haiku OS (#​7042)
• process: add Command::into_std() (#​7014)
• signal: add SignalKind::info on illumos (#​6995)
• signal: add support for realtime signals on illumos (#​7029)

Fixed

• io: don't call set_len before initializing vector in Blocking (#​7054)
• macros: suppress clippy::needless_return in #[tokio::main] (#​6874)
• runtime: fix thread parking on WebAssembly (#​7041)

Changes

• chore: use unsync loads for unsync_load (#​7073)
• io: use Buf::put_bytes in Repeat read impl (#​7055)
• task: drop the join waker of a task eagerly (#​6986)

Changes to unstable APIs

• metrics: improve flexibility of H2Histogram Configuration (#​6963)
• taskdump: add accessor methods for backtrace (#​6975)

Documented

• io: clarify ReadBuf::uninit allows initialized buffers as well (#​7053)
• net: fix ambiguity in TcpStream::try_write_vectored docs (#​7067)
• runtime: fix LocalRuntime doc links (#​7074)
• sync: extend documentation for watch::Receiver::wait_for (#​7038)
• sync: fix typos in OnceCell docs (#​7047)

v1.42.1: Tokio v1.42.1

Compare Source

This release fixes a soundness issue in the broadcast channel. The channel accepts values that are Send but !Sync. Previously, the channel called clone() on these values without synchronizing. This release fixes the channel by synchronizing calls to .clone() (Thanks Austin Bonander for finding and reporting the issue).

Fixed

• sync: synchronize clone() call in broadcast channel (#​7232)

v1.42.0: Tokio v1.42.0

Compare Source

1.42.0 (Dec 3rd, 2024)

Added

• io: add AsyncFd::{try_io, try_io_mut} (#​6967)

Fixed

• io: avoid ptr->ref->ptr roundtrip in RegistrationSet (#​6929)
• runtime: do not defer yield_now inside block_in_place (#​6999)

Changes

• io: simplify io readiness logic (#​6966)

Documented

• net: fix docs for tokio::net::unix::{pid_t, gid_t, uid_t} (#​6791)
• time: fix a typo in Instant docs (#​6982)

v1.41.1: Tokio v1.41.1

Compare Source

1.41.1 (Nov 7th, 2024)

Fixed

• metrics: fix bug with wrong number of buckets for the histogram (#​6957)
• net: display net requirement for net::UdpSocket in docs (#​6938)
• net: fix typo in TcpStream internal comment (#​6944)

v1.41.0: Tokio v1.41.0

Compare Source

1.41.0 (Oct 22th, 2024)

Added

• metrics: stabilize global_queue_depth (#​6854, #​6918)
• net: add conversions for unix SocketAddr (#​6868)
• sync: add watch::Sender::sender_count (#​6836)
• sync: add mpsc::Receiver::blocking_recv_many (#​6867)
• task: stabilize Id apis (#​6793, #​6891)

Added (unstable)

• metrics: add H2 Histogram option to improve histogram granularity (#​6897)
• metrics: rename some histogram apis (#​6924)
• runtime: add LocalRuntime (#​6808)

Changed

• runtime: box futures larger than 16k on release mode (#​6826)
• sync: add #[must_use] to Notified (#​6828)
• sync: make watch cooperative (#​6846)
• sync: make broadcast::Receiver cooperative (#​6870)
• task: add task size to tracing instrumentation (#​6881)
• wasm: enable cfg_fs for wasi target (#​6822)

Fixed

• net: fix regression of abstract socket path in unix socket (#​6838)

Documented

• io: recommend OwnedFd with AsyncFd (#​6821)
• io: document cancel safety of AsyncFd methods (#​6890)
• macros: render more comprehensible documentation for join and try_join (#​6814, #​6841)
• net: fix swapped examples for TcpSocket::set_nodelay and TcpSocket::nodelay (#​6840)
• sync: document runtime compatibility (#​6833)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• [ ] If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

[codecov-commenter]

Codecov Report

:white_check_mark: All modified and coverable lines are covered by tests. :white_check_mark: Project coverage is 49.83%. Comparing base (7cc5581) to head (618b164).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2316      +/-   ##
==========================================
+ Coverage   43.30%   49.83%   +6.52%     
==========================================
  Files          38       38              
  Lines        2974     2974              
==========================================
+ Hits         1288     1482     +194     
+ Misses       1573     1343     -230     
- Partials      113      149      +36     

Flag	Coverage Δ
integration-test	16.76% <ø> (?)
integration-test-vm-${ARCH}-${KERNEL_VERSION}	0.00% <ø> (?)
k8s-integration-test	2.62% <ø> (?)
oats-test	0.00% <ø> (?)
unittests	43.30% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

:rocket: New features to boost your workflow:

• :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• :package: JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[renovate-sh-app[bot]]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (1.28.1). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.