#1139958 rust-http-types: RUSTSEC-2026-0174: Authorization::value and WwwAuthenticate::value can violate ASCII invariants

Package:
src:rust-http-types
Source:
src:rust-http-types
Submitter:
Salvatore Bonaccorso
Date:
2026-06-16 07:11:01 UTC
Severity:
normal
Tags:
#1139958#5
Date:
2026-06-14 05:48:34 UTC
From:
To:
From https://rustsec.org/advisories/RUSTSEC-2026-0174.html

Given the last statement this is more about tracking.

Can the package OTOH be worked towards beeing removed?

Regards,
Salvatore
#1139958#10
Date:
2026-06-16 01:49:56 UTC
From:
To:
Reverse dependencies seem to be async-h1 and http-cache.

I asked weepingclown about removal of http-types and async-h1
5 months ago and he said. "they all fall under the zellij tree,
so I'll need to keep them."
http-cache seems to be a recent intoduction by capitol. It looks
like http-types support is optional so perhaps we can patch it
out.

ccing weepingclown and capitol for their opinions.
#1139958#15
Date:
2026-06-16 07:08:11 UTC
From:
To:
Hi,

async-h1 doesn't have any rdeps at the moment, so let's just work
towards removing it. No point in keeping a vulnerability around. This
also might have been a dependency for surf (which in turn was
originally needed for zellij) which I managed to drop from the
dependencies, so maybe I also wouldn't get affected.