Skip to content

Update Rust crate hyper to 0.14 [SECURITY]#92

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/crate-hyper-vulnerability
Open

Update Rust crate hyper to 0.14 [SECURITY]#92
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/crate-hyper-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Dec 6, 2023
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Type Update Change
hyper (source) dependencies minor 0.100.14

Lenient Parsing of Content-Length Header When Prefixed with Plus Sign

CVE-2021-32715 / GHSA-f3pg-qwvg-p99c

More information

Details

Summary

hyper's HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a Content-Length header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn't parse such Content-Length headers, but forwards them, can result in "request smuggling" or "desync attacks".

Vulnerability

The flaw exists in all prior versions of hyper, if built with rustc v1.5.0 or newer.

Example:

GET / HTTP/1.1
Host: example.com
Content-Length: +3

abc

This request gets accepted and hyper reads the body as abc. The request should be rejected, according to RFC 7230, since the ABNF for Content-Length only allows for DIGITs. This is due to using the FromStr implementation for u64 in the standard library. By differing from the spec, it is possible to send requests like these to endpoints that have different HTTP implementations, with different interpretations of the payload semantics, and cause "desync attacks".

In this particular case, an upstream proxy would need to error when parsing the Content-Length, but not reject the request (swallowing its own error), and forwarding the request as-is with the Content-Length still included. Then the upstream proxy and hyper would disagree on the length of the request body. The combination of these factors would be extremely rare.

Read more about desync attacks: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn

Impact

To determine if vulnerable, all these things must be true:

  • Using hyper as an HTTP server. While the lenient decoder also exists in the client, a vulnerability does not exist around responses.
  • Using HTTP/1. The HTTP/2 code uses a stricter parser.
  • Using a vulnerable HTTP proxy upstream to hyper. If an upstream proxy correctly rejects the illegal Content-Length header, OR can parse the length with the plus sign, the desync attack cannot succeed.
Patches

We have released the following patch versions:

  • v0.14.10 (to be released when this advisor is published)
Workarounds

Besides upgrading hyper, you can take the following options:

  • Reject requests manually that contain a plus sign prefix in the Content-Length header.
  • Ensure any upstream proxy handles Content-Length headers with a plus sign prefix.
Credits

This issue was initially reported by Mattias Grenfeldt and Asta Olofsson.

Severity

  • CVSS Score: 3.1 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Integer Overflow in Chunked Transfer-Encoding

CVE-2021-32714 / GHSA-5h46-h7hh-c6x9

More information

Details

Summary

hyper's HTTP server and client code had a flaw that could trigger an integer overflow when decoding chunk sizes that are too big. This allows possible data loss, or if combined with an upstream HTTP proxy that allows chunk sizes larger than hyper does, can result in "request smuggling" or "desync attacks".

Vulnerability

Example:

GET / HTTP/1.1
Host: example.com
Transfer-Encoding: chunked

f0000000000000003
abc
0

hyper only reads the rightmost 64-bit integer as the chunk size. So it reads f0000000000000003 as 3. A loss of data can occur since hyper would then read only 3 bytes of the body. Additionally, an HTTP request smuggling vulnerability would occur if using a proxy which instead has prefix truncation in the chunk size, or that understands larger than 64-bit chunk sizes.

Read more about desync attacks: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn

Impact

To determine if vulnerable to data loss, these things must be true:

  • Using HTTP/1.1. Since HTTP/2 does not use chunked encoding, it is not vulnerable.
  • Using hyper as a server or client. The body would be improperly truncated in either case.
  • Users send requests or responses with chunk sizes greater than 18 exabytes.

To determine if vulnerable to desync attacks, these things must be true:

  • Using an upstream proxy that allows chunks sizes larger than 64-bit. If the proxy rejects chunk sizes that are too large, that request won't be forwarded to hyper.
Patches

We have released the following patch versions:

  • v0.14.10 (to be released when this advisory is published)
Workarounds

Besides upgrading hyper, you can take the following options:

  • Reject requests manually that contain a Transfer-Encoding header.
  • Ensure any upstream proxy rejects Transfer-Encoding chunk sizes greater than what fits in 64-bit unsigned integers.
Credits

This issue was initially reported by Mattias Grenfeldt and Asta Olofsson.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Parser creates invalid uninitialized value

GHSA-f67m-9j94-qv9j

More information

Details

Affected versions of this crate called mem::uninitialized() in the HTTP1 parser to create values of type httparse::Header (from the httparse crate).
This is unsound, since Header contains references and thus must be non-null.

The flaw was corrected by avoiding the use of mem::uninitialized(), using MaybeUninit instead.

Severity

High

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

hyperium/hyper (hyper)

v0.14.12

Compare Source

Bug Fixes
  • ffi: on_informational callback had no headers (39b6d01a)
  • http1: apply header title case for consecutive dashes (#​2613) (684f2fa7)
  • http2: improve errors emitted by HTTP2 Upgraded stream shutdown (#​2622) (be08648e)
Features

v0.14.11

Compare Source

Bug Fixes
  • client: retry when pool checkout returns closed HTTP2 connection (#​2585) (52214f39)
  • http2:
Features
  • ffi: add hyper_request_on_informational (25d18c0b)

v0.14.10

Compare Source

Bug Fixes
  • http1:
    • reject content-lengths that have a plus sign prefix (06335158)
    • protect against overflow in chunked decoder (efd9a982)
Features
  • ffi: add option to get raw headers from response (8c89a8c1)

v0.14.9

Compare Source

Bug Fixes
  • http1: reduce memory used with flatten write strategy (eb0c6463)

v0.14.8

Compare Source

Features
Performance
  • http2: reduce amount of adaptive window pings as BDP stabilizes (#​2550) (4cd06bf2)

v0.14.7

Compare Source

Bug Fixes
  • http1: http1_title_case_headers should move Builder (a303b3c3)
Features
  • server: implement forgotten settings for case preserving (4fd6c4cb)

v0.14.6

Compare Source

Features

v0.14.5

Compare Source

Bug Fixes
Features

v0.14.4

Compare Source

Bug Fixes
  • build: Fix compile error when only http1 feature was enabled.

v0.14.3

Compare Source

Bug Fixes
  • client: HTTP/1 client "Transfer-Encoding" repair code would panic (#​2410) (2c8121f1, closes #​2409)
  • http1: fix server misinterpreting multiple Transfer-Encoding headers (8f93123e)
Features

v0.14.2

Compare Source

Features

v0.14.1

Compare Source

Bug Fixes
  • http1: fix preserving header case without enabling ffi (#​2820) (6a35c175)
  • server: don't add implicit content-length to HEAD responses (#​2836) (67b73138)
Features
Breaking Changes
  • ffi (unstable):
    • hyper_clientconn_options_new no longer sets the http1_preserve_header_case connection option by default.
      Users should now call hyper_clientconn_options_set_preserve_header_case if they desire that functionality. (78de8914)

v0.14.0

Compare Source

Bug Fixes
Features
Breaking Changes

  • hyper depends on tokio v1 and bytes v1.

  • Custom resolvers used with HttpConnector must change
    to resolving to an iterator of SocketAddrs instead of IpAddrs.
    (b4e24332)

  • hyper no longer emits log records automatically.
    If you need hyper to integrate with a log logger (as opposed to tracing),
    you can add tracing = { version = "0.1", features = ["log"] } to activate them.
    (db32e105)

  • Removed http1_writev methods from client::Builder,
    client::conn::Builder, server::Builder, and server::conn::Builder.

    Vectored writes are now enabled based on whether the AsyncWrite
    implementation in use supports them, rather than though adaptive
    detection. To explicitly disable vectored writes, users may wrap the IO
    in a newtype that implements AsyncRead and AsyncWrite and returns
    false from its AsyncWrite::is_write_vectored method.
    (d6aadb83)

  • The method Body::on_upgrade() is gone. It is
    essentially replaced with hyper::upgrade::on(msg).
    (121c3313)

  • All optional features have been disabled by default.
    (ed2b22a7)

  • The HTTP server code is now an optional feature. To
    enable the server, add features = ["server"] to the dependency in
    your Cargo.toml.
    (bdb5e5d6)

  • The HTTP client of hyper is now an optional feature. To
    enable the client, add features = ["client"] to the dependency in
    your Cargo.toml.
    (4e55583d)

  • This puts all HTTP/1 methods and support behind an
    http1 cargo feature, which will not be enabled by default. To use
    HTTP/1, add features = ["http1"] to the hyper dependency in your
    Cargo.toml.

(2a19ab74)

  • This puts all HTTP/2 methods and support behind an
    http2 cargo feature, which will not be enabled by default. To use
    HTTP/2, add features = ["http2"] to the hyper dependency in your
    Cargo.toml.

(b819b428)

v0.13.9 (2020-11-02)
Bug Fixes
Features
  • client:
    • add HttpConnector::set_local_addresses to set both IPv6 and IPv4 local addrs ( (fb19f3a8)
    • Add accessors to Connected fields (#​2290) (2dc9768d)
v0.13.8 (2020-09-18)
Bug Fixes
Features
v0.13.7 (2020-07-13)
Bug Fixes
  • client: don't panic in DNS resolution when task cancelled (#​2229) (0d0d3635)
Features
  • client: impl tower_service::Service for &Client (#​2089) (77c3b5bc)
  • http2: configure HTTP/2 frame size in the high-level builders too (#​2214) (2354a7ee)
  • lib: Move from log to tracing in a backwards-compatible way (#​2204) (9832aef9)
v0.13.6 (2020-05-29)
Features
  • body: remove Sync bound for Body::wrap_stream (042c7706)
  • http2: allow configuring the HTTP/2 frame size (b6446456)
v0.13.5 (2020-04-17)
Bug Fixes
  • server: fix panic in Connection::graceful_shutdown (fce3ddce)
v0.13.4 (2020-03-20)
Bug Fixes
  • http1: try to drain connection buffer if user drops Body (d838d54f)
Features
  • http2: add HTTP2 keep-alive support for client and server (9a8413d9)
v0.13.3 (2020-03-03)
Features
v0.13.2 (2020-01-29)
Bug Fixes
  • body: return exactly 0 SizeHint for empty body (#​2122) (dc882047)
  • client: strip path from Uri before calling Connector (#​2109) (ba2a144f)
  • http1:
  • http2: don't add client content-length if method doesn't require it (fb90d30c)
Features
  • service: Implement Clone/Copy on ServiceFn and MakeServiceFn (#​2104) (a5720fab)
v0.13.1 (2019-12-13)
Bug Fixes
  • http1: fix response with non-chunked transfer-encoding to be close-delimited (cb71d2cd, closes #​2058)
Features
  • body: implement HttpBody for Request and Response (4b6099c7, closes #​2067)
  • client: expose hyper::client::connect::Connect trait alias (2553ea1a)

v0.13.10

Compare Source

Bug Fixes

v0.13.9

Compare Source

Bug Fixes
Features
  • client:
    • add HttpConnector::set_local_addresses to set both IPv6 and IPv4 local addrs ( (fb19f3a8)
    • Add accessors to Connected fields (#​2290) (2dc9768d)

v0.13.8

Compare Source

Bug Fixes
Features

v0.13.7

Compare Source

Bug Fixes
  • client: don't panic in DNS resolution when task cancelled (#​2229) (0d0d3635)
Features
  • client: impl tower_service::Service for &Client (#​2089) (77c3b5bc)
  • http2: configure HTTP/2 frame size in the high-level builders too (#​2214) (2354a7ee)
  • lib: Move from log to tracing in a backwards-compatible way (#​2204) (9832aef9)

v0.13.6

Compare Source

Features
  • body: remove Sync bound for Body::wrap_stream (042c7706)
  • http2: allow configuring the HTTP/2 frame size (b6446456)

v0.13.5

Compare Source

Bug Fixes
  • server: fix panic in Connection::graceful_shutdown (fce3ddce)

v0.13.4

Compare Source

Bug Fixes
  • http1: try to drain connection buffer if user drops Body (d838d54f)
Features
  • http2: add HTTP2 keep-alive support for client and server (9a8413d9)

v0.13.3

Compare Source

Features

v0.13.2

Compare Source

Bug Fixes
  • body: return exactly 0 SizeHint for empty body (#​2122) (dc882047)
  • client: strip path from Uri before calling Connector (#​2109) (ba2a144f)
  • http1:
  • http2: don't add client content-length if method doesn't require it (fb90d30c)
Features
  • service: Implement Clone/Copy on ServiceFn and MakeServiceFn (#​2104) (a5720fab)

v0.13.1

Compare Source

Bug Fixes
  • http1: fix response with non-chunked transfer-encoding to be close-delimited (cb71d2cd, closes #​2058)
Features
  • body: implement HttpBody for Request and Response (4b6099c7, closes #​2067)
  • client: expose hyper::client::connect::Connect trait alias (2553ea1a)

v0.13.0

Compare Source

Bug Fixes
  • client:
    • fix polling dispatch channel after it has closed (039281b8)
    • fix panic from unreachable code (e6027bc0)
  • dependencies: require correct bytes minimum version (#​1975) (536b1e18)
  • server:
Features
  • body:
    • change Sender::send_data to an async fn. (62a96c07)
    • require Sync when wrapping a dynamic Stream (44413721)
    • add body::aggregate and body::to_bytes functions (8ba9a8d2)
    • replace Chunk type with Bytes (5a598757, closes #​1931)
    • replace the Payload trait with HttpBody (c63728eb)
  • client:
    • impl tower_service::Service for Client (edbd10ac)
    • provide tower::Service support for clients (#​1915) (eee2a728)
    • change connectors to return an impl Connection (4d7a2266)
    • remove Destination for http::Uri in connectors (319e8aee)
    • filter remote IP addresses by family of given local IP address (131962c8)
    • change Resolve to be Service<Name> (9d9233ce, closes #​1903)
    • change Connect trait into an alias for Service (d67e49f1, closes #​1902)
    • change GaiResolver to use a global blocking threadpool (049b5132)
    • Add connect timeout to HttpConnector (#​1972) (4179297a)
  • lib:
    • update to std::future::Future (8f4b05ae)
    • add optional tcp feature, split from runtime (5b348b82)
    • make Stream trait usage optional behind the stream feature, enabled by default (0b03b730, closes #​2034)
    • update Tokio, bytes, http, h2, and http-body (cb3f39c2)
  • rt: introduce rt::Executor trait (6ae5889f, closes #​1944)
  • server:
    • introduce Accept trait (b3e55062)
    • give Server::local_addr a more general type (3cc93e79)
    • change http1_half_close option default to disabled (7e31fd88)
  • service:
    • use tower_service::Service for hyper::service (ec520d56)
    • rename Service to HttpService, re-export tower::Service (4f274399, closes #​1959)
Breaking Changes
  • All usage of async traits (Future, Stream,
    AsyncRead, AsyncWrite, etc) are updated to newer versions.

(8f4b05ae)

  • All usage of hyper::Chunk should be replaced with
    bytes::Bytes (or hyper::body::Bytes).

(5a598757)

  • Using a Body as a Stream, and constructing one via
    Body::wrap_stream, require enabling the stream feature.

(511ea388)

  • Calls to GaiResolver::new and HttpConnector::new no
    longer should pass an integer argument for the number of threads.

(049b5132)

  • Connectors no longer return a tuple of
    (T, Connected), but a single T: Connection.

(4d7a2266)

  • All usage of hyper::client::connect::Destination
    should be replaced with http::Uri.

(319e8aee)

  • All usage of hyper::body::Payload should be replaced
    with hyper::body::HttpBody.

(c63728eb)

  • Any type passed to the executor builder methods must
    now implement hyper::rt::Executor.

    hyper::rt::spawn usage should be replaced with tokio::task::spawn.

    hyper::rt::run usage should be replaced with #[tokio::main] or
    managing a tokio::runtime::Runtime manually.

(6ae5889f)

  • The Resolve trait is gone. All custom resolvers should
    implement tower::Service instead.

    The error type of HttpConnector has been changed away from
    std::io::Error.

(9d9233ce)

  • Any manual implementations of Connect must instead
    implement tower::Service<Uri>.

(d67e49f1)

  • The server's behavior will now by default close
    connections when receiving a read EOF. To allow for clients to close
    the read half, call http1_half_close(true) when configuring a
    server.

(7e31fd88)

  • Passing a Stream to Server::builder or
    Http::serve_incoming must be changed to pass an Accept instead. The
    stream optional feature can be enabled, and then a stream can be
    converted using hyper::server::accept::from_stream.

(b3e55062)

  • Usage of send_data should either be changed to
    async/await or use try_send_data.

(62a96c07)

v0.12.35 (2019-09-13)
Features
  • body: identify aborted body write errors (32869224)
v0.12.34 (2019-09-04)
Bug Fixes
  • client: allow client GET requests with explicit body headers (23fc8b08, closes #​1925)
v0.12.33 (2019-09-04)
v0.12.32 (2019-07-08)
Features
  • client: HttpConnector: allow to set socket buffer sizes (386109c4)
v0.12.31 (2019-06-25)
v0.12.30 (2019-06-14)
Bug Fixes
  • http1: force always-ready connections to yield after a few spins (8316f96d)
  • http2: correctly propagate HTTP2 request cancellation (50198851)
v0.12.29 (2019-05-16)
Bug Fixes
  • server: skip automatic Content-Length header for HTTP 304 responses (b342c38f, closes #​1797)
Features
v0.12.28 (2019-04-29)
Bug Fixes
  • client:
    • detect HTTP2 connection closures sooner (e0ec5cad)
    • fix a rare connection pool race condition (4133181b)
Features
v0.12.27 (2019-04-10)
Bug Fixes
  • http2: fix import of h2::Reason to work on 1.26 (5680d944)
v0.12.26 (2019-04-09)
Bug Fixes
  • http2: send a GOAWAY when the user's Service::poll_ready errors (42c5efc0)
  • server: prohibit the length headers on successful CONNECT (d1501a0f, closes #​1783)
Features
  • http2: check Error::source() for an HTTP2 error code to send in reset (fc18b680)
v0.12.25 (2019-03-01)
Bug Fixes
  • client: coerce HTTP_2 requests to HTTP_11 (3a6080b1, closes #​1770)
  • http2: send INTERNAL_ERROR when user's Service errors (8f926a0d)
Features
v0.12.24 (2019-02-11)
Bug Fixes
  • client: fix panic when CONNECT request doesn't have a port (d16b2c30)
Features
  • server:
    • add http1_max_buf_size in the server::Builder

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies label Dec 6, 2023
@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Dec 6, 2023
edited
Loading

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock
Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --package hyper@0.10.16 --precise 0.14.12
    Updating crates.io index
error: failed to select a version for the requirement `hyper = "^0.10"`
candidate versions found which didn't match: 0.14.12
location searched: crates.io index
required by package `hyper-native-tls v0.3.0`
    ... which satisfies dependency `hyper-native-tls = "^0.3.0"` (locked to 0.3.0) of package `kubecfg v0.2.0 (/tmp/renovate/repos/github/anguslees/kubecfg)`
perhaps a crate was updated and forgotten to be re-vendored?

@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch from df900ea to ae08c61 Compare December 12, 2023 06:27
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch from ae08c61 to 43eb483 Compare December 19, 2023 07:19
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch 2 times, most recently from 3aba5cd to b9a38a7 Compare January 2, 2024 07:04
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch from b9a38a7 to eb103f5 Compare January 9, 2024 06:03
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch 2 times, most recently from f72206c to 7e19e34 Compare January 23, 2024 06:39
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch from 7e19e34 to 6751886 Compare February 6, 2024 06:09
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch 2 times, most recently from 8eb5c80 to f75d9dd Compare February 20, 2024 03:31
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch 2 times, most recently from 9bdcdd5 to 6a7cecb Compare March 5, 2024 03:04
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch from 6a7cecb to 57d5fd8 Compare March 12, 2024 08:39
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch from 57d5fd8 to 6f71f9a Compare March 26, 2024 07:17
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch 2 times, most recently from 85a3167 to 522905d Compare April 9, 2024 07:21
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch from 522905d to 4352a20 Compare April 16, 2024 07:39
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch 4 times, most recently from 8bb4e1f to 4a9dc4d Compare April 30, 2024 07:35
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch 6 times, most recently from 71e0f0f to 4505618 Compare May 7, 2024 06:24
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch from 0a5f06c to 0eca9b5 Compare July 16, 2024 07:38
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch 2 times, most recently from ae8bd48 to 0f8ce9f Compare July 30, 2024 09:39
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch 2 times, most recently from c06c31b to b01053a Compare August 13, 2024 08:33
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch 2 times, most recently from e914f18 to 8504d32 Compare August 27, 2024 06:31
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch 2 times, most recently from d044220 to 220af2a Compare September 10, 2024 07:37
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch 2 times, most recently from 352f082 to 740766b Compare September 24, 2024 07:15
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch from 740766b to 5fb5114 Compare October 1, 2024 06:15
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch 2 times, most recently from e4d8f70 to 74d5dd6 Compare October 9, 2024 13:23
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch 2 times, most recently from 65c588d to 41e3085 Compare October 22, 2024 08:09
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch from 41e3085 to 1a10498 Compare October 24, 2024 21:26
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch 2 times, most recently from 8641ac3 to db35bda Compare November 12, 2024 06:02
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch from db35bda to bb01b08 Compare November 19, 2024 06:52
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch 2 times, most recently from 727a458 to 98e3f41 Compare December 3, 2024 06:24
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch 2 times, most recently from 46f747c to a4623ca Compare December 17, 2024 08:00
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch 2 times, most recently from a36803f to 99e2a67 Compare December 31, 2024 07:23
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch 2 times, most recently from 2866092 to 66fa20a Compare January 14, 2025 09:06
@renovate renovate Bot force-pushed the renovate/crate-hyper-vulnerability branch from 66fa20a to bb1de21 Compare January 16, 2025 00:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@anguslees anguslees

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@anguslees