I think we can ignore those recent warnings to release now.

Looking at the advisory on GitHub, only rustls servers are affected. This crate only uses rustls as a client. We can upgrade anyway, but I would not consider it urgent and would fix the CI first.

The RUSTSEC advisory is more generic: https://rustsec.org/advisories/RUSTSEC-2024-0336.html

If a close_notify alert is received during a handshake, complete_io does not terminate. Callers which do not call complete_io are not affected.

Is says handshake not just server, and complete_io is part of CommonConnection that is both used in sever code and client code.

The ureq devs make the same point, though complete_io is used in the ureq codebase: https://github.com/algesten/ureq/blob/f32a752cdbd9a9e2e9cca89b8df40512740f3523/src/rtls.rs#L108

The CI is fixed by #193

AFAIS the GitHub advisory is the original source and the RUSTSEC advisory is based on the GitHub advisory. I would assume that the details got lost in the process. Let’s just merge the clippy fix and then release the fix.