https://crates.io/crates/httparse is a widely used HTTP parsing crate, most notably powering hyper and reqwest.

cargo-geiger shows the following when httparse is used via reqwest:

Functions  Expressions  Impls  Traits  Methods  Dependency
10/10      198/232      0/0    0/0     3/3      httparse 1.3.5

Unsafe code in parsers it quite dangerous. Binary format parsers are the poster children for memory safety vulnerabilities.

Text format parsers are a bit less dangerous, but having so much unsafe parsing code exposed to untrusted input is still scary.

The str::from_utf8_unchecked() invocations all look correct. The loops assert that every byte in the slice prior to the Bytes iterator's current position is valid, and the checks done on the bytes all imply that the prefix contains valid UTF-8.