Code published.
Vulnerabilities reported.
At the heart of Rust.

M4SS is an active player in improving Rust, not a passive spectator.

The numbers behind the upstream work.

Our code at the service of the community: over 1,100 Pull Requests merged across more than 290 public repositories with an 87.7% merge rate. Six RustSec advisories published on the official Rust security advisory database. Maintainer of lettre, the Rust SMTP library in production across thousands of projects.

Published tools

After writing them, refining them, using them in production, testing and documenting them. Only at the end do we release them under an Open Source license.

  • watermelon: a NATS® client entirely in Rust, an alternative to Synadia's official async-nats client. In internal production on the S451 platform.
  • cargo-goggles: a tool that verifies the reproducibility of Cargo crate builds, i.e. that the content published on crates.io is rebuildable from the official git repositories.
  • massping: an asynchronous library for ICMP pinging multiple hosts in parallel, built on the tokio runtime. It uses Linux ping sockets, so no root privileges needed.
  • static-serve: an axum extension that compresses static assets and embeds them into the binary at compile time. One executable, no files to carry around.
  • benzina: a diesel ORM extension that adds the missing bindings between Rust and Postgres: enums, arrays, UUIDs, JSON plus support for unsigned integers. Less boilerplate, stronger typing.
  • cerniera: a zero-copy ZIP encoder. It never touches the data: it only writes the ZIP framing around the content. The I/O is up to you: sendfile, mmap, or whatever you prefer.
  • range-requests: parses and validates HTTP Range headers and prepares the partial response. Essential for restarting downloads and streams from the right point.
  • deps.rs: a platform for analyzing and providing transparency on Cargo dependencies. M4SS sponsors its hosting.

For the Rust community.

We actively participate in and invest in Open Source code. You'll find all our contributions on the GitHub organization M4SS-Code.

RustSec Advisories

Six vulnerabilities published on the official Rust security registry:

  • RUSTSEC-2021-0069 in lettre
  • RUSTSEC-2023-0027 and RUSTSEC-2023-0029 in nats.rs
  • RUSTSEC-2024-0400 in zstd-rs
  • RUSTSEC-2025-0132 in maxminddb-rust
  • RUSTSEC-2026-0002 in lru-rs

To these we add responsible disclosures with fixes merged upstream: TLS bypass in nats.rs, NATS® command injection, fixes in tokio-rs, reqwest, tungstenite-rs. In the case of zstd-rs: advisory published, fix written and propagation into the Rust compiler within 24 hours.

Contributions

We contribute regularly to the core libraries of the ecosystem. When a library we use has a problem, we usually end up fixing it upstream and sending the fix.

  • rust-lang/rust: the Rust compiler itself
  • tokio-rs/tokio: the reference async runtime
  • seanmonstar/reqwest: HTTP client
  • rust-lang/futures-rs: async iterators and futures
  • tokio-rs/bytes: I/O buffers for async Rust
  • hyperium/hyper: low-level HTTP
  • rust-postgres/rust-postgres: PostgreSQL® client
  • deps-rs/deps.rs: analysis and transparency of Cargo dependencies

Library maintainer

M4SS is maintainer of lettre, the reference Rust library for email encoding and the SMTP protocol, in production across thousands of projects. We maintain releases, welcome community Pull Requests, and respond to issues. M4SS is also co-maintainer of rust-postgres (the reference PostgreSQL® client).

# #

Let's talk.

Want to audit your supply chain or adopt Rust in your project?

CONTACT US
# #