chore(deps): update rust crate tokio to v1.44.2 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
tokio (source)	dependencies	patch	1.44.1 → 1.44.2

---

Tokio broadcast channel calls clone in parallel, but does not require Sync

GHSA-rr8g-9fpq-6wmg

More information

Details

The broadcast channel internally calls clone on the stored value when receiving it, and only requires T:Send. This means that using the broadcast channel with values that are Send but not Sync can trigger unsoundness if the clone implementation makes use of the value being !Sync.

Thank you to Austin Bonander for finding and reporting this issue.

Severity

• CVSS Score: 2.7 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

• https://github.com/tokio-rs/tokio/pull/7232
• https://github.com/tokio-rs/tokio
• https://rustsec.org/advisories/RUSTSEC-2025-0023.html
• https://github.com/advisories/GHSA-rr8g-9fpq-6wmg

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

tokio-rs/tokio (tokio)

v1.44.2: Tokio v1.44.2

Compare Source

This release fixes a soundness issue in the broadcast channel. The channel
accepts values that are Send but !Sync. Previously, the channel called
clone() on these values without synchronizing. This release fixes the channel
by synchronizing calls to .clone() (Thanks Austin Bonander for finding and
reporting the issue).

Fixed

• sync: synchronize clone() call in broadcast channel (#​7232)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.