hyper

hyper 1.10.1 is a low-level HTTP/1 and HTTP/2 protocol implementation. No build.rs, no proc macros, no I/O of its own — sockets are delegated to user-supplied rt::Read/Write impls. HTTP/1 headers go through httparse; the chunked decoder uses checked arithmetic with bounded header/extension/trailer limits. unsafe is used in 16 files for MaybeUninit, pin projection, the C ABI, and tokio compat. One low-severity finding: some crate-internal unsafe fn helpers omit # Safety sections.

hyper 1.9.0, the foundational Rust HTTP/1 and HTTP/2 library. The audit reviewed the HTTP/1 framing and chunked-decoding paths (Transfer-Encoding-over-Content-Length precedence, overflow-checked lengths, bounded extensions and trailers), the HTTP/2 limits delegated to h2, and all 61 unsafe sites; source is byte-identical to VCS. No findings; no RustSec advisory affects the 1.x line.