Trivy scans my project and finds a CVE. When I look at it, the dependency comes in from reqwest, which in turn uses hyper-tls, which has the dependency. In hyper-tls, the Cargo.toml specifies version ^1, so I guess a simple update and rebuild would include a higher Tokio version that isn't affected by the CVE. I would contribute this as a PR, but it seems to me (a Rust noob) that there is no coding involved.
```text
packages/myproject/Cargo.lock (cargo)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬───────────────────┬────────────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │     Fixed Version      │                           Title                           │
├─────────┼────────────────┼──────────┼───────────────────┼────────────────────────┼───────────────────────────────────────────────────────────┤
│ tokio   │ CVE-2023-22466 │ MEDIUM   │ 1.22.0            │ 1.23.1, 1.20.3, 1.18.4 │ Tokio reject_remote_clients configuration may get dropped │
│         │                │          │                   │                        │ when creating a Windows named pipe...                     │
│         │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-22466                │
└─────────┴────────────────┴──────────┴───────────────────┴────────────────────────┴───────────────────────────────────────────────────────────┘
```
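The question hinges on two things a practitioner would check before deciding that no code change is needed: which dependency chains actually pull the flagged crate in (what `cargo tree -i tokio` prints), and whether one of the fixed releases listed by the scanner falls inside the caret requirement the intermediate crate declares, so that `cargo update -p tokio` can pick it up with only Cargo.lock changing. The script below is an added example, not code from the question, Trivy or Cargo. It parses a hand-written, trimmed Cargo.lock sample that mimics the reqwest -> hyper-tls -> tokio chain (the real file has far more packages plus checksum lines), walks the reverse dependency graph, and applies Cargo's caret-range rules to the scanner's fixed-version list. The `^1` requirement and the version numbers are taken from the question; the sample lock contents are constructed.

```python
"""Explain where a flagged crate comes from and whether a lock-only
update can clear the finding.

Added example (not from the question, Trivy or Cargo). The Cargo.lock
text is a constructed, trimmed sample; only the subset of the lock
format needed here is parsed.
"""

SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "myproject"
version = "0.1.0"
dependencies = [
 "reqwest",
]

[[package]]
name = "reqwest"
version = "0.11.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "hyper-tls",
 "tokio",
]

[[package]]
name = "hyper-tls"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "tokio",
]

[[package]]
name = "tokio"
version = "1.22.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""


def parse_cargo_lock(text):
    """Return {name: (version, [dependency names])} for each [[package]] block."""
    packages = {}
    name = version = None
    deps, in_deps = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            if name:
                packages[name] = (version, deps)
            name = version = None
            deps, in_deps = [], False
        elif in_deps:
            if line == "]":
                in_deps = False
            else:
                # entries look like "name", "name 1.2.3" or "name 1.2.3 (source)"
                deps.append(line.strip('",').split()[0])
        elif line.startswith("name = "):
            name = line.split('"')[1]
        elif line.startswith("version = ") and name is not None:
            version = line.split('"')[1]
        elif line.startswith("dependencies = ["):
            in_deps = not line.endswith("]")
    if name:
        packages[name] = (version, deps)
    return packages


def dependency_paths(packages, target):
    """Every chain root -> ... -> target, i.e. the inverse tree
    `cargo tree -i <target>` shows, read top-down."""
    rev = {}
    for pkg, (_, deps) in packages.items():
        for d in deps:
            rev.setdefault(d, []).append(pkg)
    paths = []

    def walk(node, chain):
        parents = rev.get(node, [])
        if not parents:  # nobody depends on it: a workspace root
            paths.append(list(reversed(chain)))
            return
        for p in sorted(parents):
            walk(p, chain + [p])

    walk(target, [target])
    return paths


def parse_version(v):
    return tuple(int(x) for x in v.split("."))


def caret_range(req):
    """Cargo caret requirement -> (low, high_exclusive); '^1' and '1' are equivalent.
    The leftmost nonzero component is the one that may not change."""
    parts = [int(x) for x in req.lstrip("^").split(".")]
    low = tuple(parts + [0] * (3 - len(parts)))
    for i, p in enumerate(parts):
        if p != 0:
            break
    else:
        i = len(parts) - 1  # all zero, e.g. ^0.0 -> <0.1.0
    high = [0, 0, 0]
    high[i] = low[i] + 1
    return low, tuple(high)


def lock_only_fix(installed, requirement, fixed_versions):
    """Highest scanner-listed fixed release that the declared requirement
    still admits and that is newer than the pinned one; None means the
    intermediate crate's Cargo.toml (not just Cargo.lock) must change.
    A real `cargo update -p` picks the newest compatible crates.io release,
    which may be newer than anything in this list."""
    low, high = caret_range(requirement)
    cur = parse_version(installed)
    ok = [parse_version(v) for v in fixed_versions
          if low <= parse_version(v) < high and parse_version(v) > cur]
    return ".".join(map(str, max(ok))) if ok else None


if __name__ == "__main__":
    pkgs = parse_cargo_lock(SAMPLE_CARGO_LOCK)
    for path in dependency_paths(pkgs, "tokio"):
        print(" -> ".join(path))
    print(lock_only_fix(pkgs["tokio"][0], "^1", ["1.23.1", "1.20.3", "1.18.4"]))
```

Because `^1` admits every 1.x release, a lock-only `cargo update -p tokio` (or `cargo update -p tokio --precise 1.23.1` if you want exactly that release) is enough here, and the resulting pull request changes only Cargo.lock. The `None` branch is the case worth knowing about: when the intermediate crate pins a narrower requirement than the fixed release satisfies, the fix has to land upstream in that crate's Cargo.toml before your project can pick it up.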