The article's usage of "unsafe" seems to be a bit more general than Rust's specific concept of memory safety, hence the confusion. `to_bytes()` is marked safe in Rust code, and it is memory-safe in Rust's terms: you've just asked for a memory block of arbitrary size, there is no undefined behavior. But real-world safety is a bit more general than that, and given Rust's reliance of npm-style package management with lots of dependencies these issues can be exacerbated in scale.

I don't think Hyper itself was the problem though, frameworks like Axum are where things should be fixed. Hyper is intended to be used as a low-level library, so it should allocate exactly what size the programmer requested and the responsibility of length checking should be the system programmer's burden.

That is quite common in some Rust communities that go beyond what unsafe is supposed to do, and see everything that might be wrong usage as unsafe.

Ideally they want to be using formal methods, dependent typing, but instead bring that to Rust and put unsafe even on code that doesn't do anything related to low level memory handling or concurrency.