Open-Source Wikis

/

Pingora

/

Reference

/

Dependencies

cloudflare/pingora

Dependencies

The workspace dependencies pinned in the root Cargo.toml:

Dependency Version Why
tokio 1 Async runtime
tokio-stream 0.1 Async iterators over streams
async-trait 0.1.42 async fn in traits (still needed for some patterns even after stabilization)
httparse 1 HTTP/1 byte-level parser
bytes 1.0 Zero-copy byte buffers
derivative 2.2.0 Procedural derive for non-stdlib traits
http 1 HTTP types (Request, Response, HeaderMap)
log 0.4 Logging facade
h2 >=0.4.11 HTTP/2 implementation. Floor pinned for security fix.
once_cell 1 Lazy statics
lru 0.16.3 LRU cache. Floor pinned because of RUSTSEC-2026-0002.
ahash >=0.8.9 Fast non-cryptographic hash
bstr 1.12.0 Byte-string (used for header values, more recent — added in 0.7.0 for header formatting)

Per-crate notable dependencies

pingora-core

  • serde + serde_yaml — config parsing
  • clap 4.5 — CLI
  • daemonize 0.5 — Unix daemonization (Linux/macOS)
  • nix ~0.24 — Unix syscalls
  • parking_lot 0.12 — better mutexes
  • socket2 >=0.4 — low-level socket options
  • flate2 1 (with zlib-ng) — deflate
  • brotli 3 — brotli compression
  • zstd 0 — zstd compression
  • chrono ~0.4.31 — date/time (HTTP date)
  • httpdate 1 — RFC 7231 date parsing
  • sfv 0.10.4 — Structured Field Values (RFC 8941)
  • daggy 0.8 — DAG for the service dependency graph
  • flurry 0.5 — concurrent hashmap (Unix only)
  • windows-sys 0.59 — Windows-specific networking
  • sentry 0.36 (optional) — error reporting
  • x509-parser 0.16 (optional, rustls/s2n) — cert parsing
  • ouroboros 0.18 (optional) — self-referential structs

pingora-cache

  • Internal: tinyufo, pingora-lru
  • flurry (concurrent hashmap)
  • strumIntoStaticStr for cache phase labels

pingora-proxy

  • Almost entirely uses pingora-core types.
  • futures 0.3 for BoxFuture

pingora-runtime

  • Just tokio + a tiny wrapper.

pingora-load-balancing

  • pingora-ketama for consistent hashing
  • pingora-core for Peer

Test/dev

  • tokio-test
  • rstest 0.23
  • reqwest 0.11 (with rustls)
  • hyper 0.14
  • criterion for benchmarks

Dependency hygiene

.github/workflows/audit.yml runs cargo audit on every push. Known-vulnerable transitive dependencies are surfaced as PR-blocking errors.

The lru floor (>=0.16.3) and h2 floor (>=0.4.11) are explicit security pins.

The atty crate was removed in 0.7.0 because of an unresolved security advisory.

Rust edition

Every crate is edition = "2021". There's an explicit avoidance of pushing to edition = "2024" because some downstream users use older toolchains. The 0.7.0 release tightened rmp and rmp-serde version constraints to prevent forcing consumers to adopt the 2024 edition.

See also

  • The root Cargo.toml — workspace dep table
  • Per-crate Cargo.toml files — crate-specific deps
  • Toolingcargo audit, Semgrep

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Dependencies – Pingora wiki | Factory