Skip to content

chore(deps): bump rand from 0.9.4 to 0.10.2#175

Merged
hyperpolymath merged 3 commits into
mainfrom
dependabot/cargo/rand-0.10.2
Jul 10, 2026
Merged

chore(deps): bump rand from 0.9.4 to 0.10.2#175
hyperpolymath merged 3 commits into
mainfrom
dependabot/cargo/rand-0.10.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor

Bumps rand from 0.9.4 to 0.10.2.

Changelog

Sourced from rand's changelog.

[0.10.2] — 2026-07-02

Fixes

  • Fix possible memory safety violation due to deserialization of UniformChar from bad source (#1790)

Changes

  • Document required output order of fn partial_shuffle and apply #[must_use] (#1769)
  • Avoid usage of unsafe in contexts where non-local memory corruption could invalidate contract (#1791)

#1769: rust-random/rand#1769 #1790: rust-random/rand#1790 #1791: rust-random/rand#1791

[0.10.1] — 2026-02-11

This release includes a fix for a soundness bug; see #1763.

Changes

  • Document panic behavior of make_rng and add #[track_caller] (#1761)
  • Deprecate feature log (#1763)

#1761: rust-random/rand#1761 #1763: rust-random/rand#1763

[0.10.0] - 2026-02-08

Changes

  • The dependency on rand_chacha has been replaced with a dependency on chacha20. This changes the implementation behind StdRng, but the output remains the same. There may be some API breakage when using the ChaCha-types directly as these are now the ones in chacha20 instead of rand_chacha (#1642).
  • Rename fns IndexedRandom::choose_multiple -> sample, choose_multiple_array -> sample_array, choose_multiple_weighted -> sample_weighted, struct SliceChooseIter -> IndexedSamples and fns IteratorRandom::choose_multiple -> sample, choose_multiple_fill -> sample_fill (#1632)
  • Use Edition 2024 and MSRV 1.85 (#1653)
  • Let Fill be implemented for element types, not sliceable types (#1652)
  • Fix OsError::raw_os_error on UEFI targets by returning Option<usize> (#1665)
  • Replace fn TryRngCore::read_adapter(..) -> RngReadAdapter with simpler struct RngReader (#1669)
  • Remove fns SeedableRng::from_os_rng, try_from_os_rng (#1674)
  • Remove Clone support for StdRng, ReseedingRng (#1677)
  • Use postcard instead of bincode to test the serde feature (#1693)
  • Avoid excessive allocation in IteratorRandom::sample when amount is much larger than iterator size (#1695)
  • Rename os_rng -> sys_rng, OsRng -> SysRng, OsError -> SysError (#1697)
  • Rename Rng -> RngExt as upstream rand_core has renamed RngCore -> Rng (#1717)

Additions

  • Add fns IndexedRandom::choose_iter, choose_weighted_iter (#1632)
  • Pub export Xoshiro128PlusPlus, Xoshiro256PlusPlus prngs (#1649)
  • Pub export ChaCha8Rng, ChaCha12Rng, ChaCha20Rng behind chacha feature (#1659)
  • Fn rand::make_rng() -> R where R: SeedableRng (#1734)

Removals

  • Removed ReseedingRng (#1722)
  • Removed unused feature "nightly" (#1732)
  • Removed feature small_rng (#1732)

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [rand](https://github.com/rust-random/rand) from 0.9.4 to 0.10.2.
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/master/CHANGELOG.md)
- [Commits](rust-random/rand@0.9.4...0.10.2)

---
updated-dependencies:
- dependency-name: rand
  dependency-version: 0.10.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels Jul 8, 2026
Signed-off-by: Jonathan D.A. Jewell <6759885+hyperpolymath@users.noreply.github.com>
@hyperpolymath
hyperpolymath merged commit 0d17a10 into main Jul 10, 2026
26 of 27 checks passed
@hyperpolymath
hyperpolymath deleted the dependabot/cargo/rand-0.10.2 branch July 10, 2026 00:09
@sonarqubecloud

Copy link
Copy Markdown

hyperpolymath added a commit that referenced this pull request Jul 10, 2026
… build (#181)

## Summary

Two follow-ups that green `main` after #180 and #175. Neither is a real
defect in application logic — one is a scanner false-positive, the other
a bad dependency bump.

### 1. Secret-scanner false positives (from #180)

The `bt-presence` crate vendored burble's conformance vectors
(`ble-spa-v1.json`), which hold burble's **published non-production HMAC
test keys** as hex strings — the file header literally says *"Fixed
non-production secrets."* Gitleaks / SonarCloud / hypatia all
pattern-match 64-char hex as `generic-api-key`, so this turned
**SonarCloud** ("E Security Rating on New Code") and the **hypatia
baseline** red and posted ~28 Gitleaks comments. **No real credential
was ever committed.**

Fixed **without suppressing any scanner**: dropped the vendored JSON and
transcribed the 3 `presence` vectors this crate actually tests against
as Rust **byte-array constants** in `tests/vectors.rs` (same burble
commit `2b5914b`, provenance documented). Byte arrays are unambiguously
wire test-data, not credentials, so **no `.gitleaksignore`, no
SonarCloud exclusion, no hypatia baseline entry** is needed — your
secret detection stays fully armed for real secrets. The byte-exact
conformance proof is unchanged: `presence_beacon_id_is_byte_exact` still
reproduces burble's independent oracle. Also dropped the now-unused
`serde_json` dev-dep and refreshed `vendor/PROVENANCE.adoc` +
`STATE.a2ml` (test count 174 → 173).

### 2. Build breakage (from #175)

Dependabot re-bumped `rand` 0.9 → 0.10.2 (#175), which does **not
compile** against `ndarray-rand 0.16` (Distribution/Rng trait mismatch)
— exactly the break the workspace comment documents and #154 reverted
before. `main` currently fails to build (`esn`: `E0277`/`E0599`).
Reverted the workspace pin to `rand 0.9` (lock → 0.9.4); the full
workspace builds again.

## RSR Quality Checklist

- [x] Tests pass — full workspace `cargo build` green; `cargo test -p
bt-presence` 11 unit + 2 conformance green
- [x] Formatted (`cargo fmt --check`) — clean
- [x] Linter clean (`cargo clippy --all-targets -- -D warnings`) — clean
- [x] No banned language patterns
- [x] No `unsafe` — `#[forbid(unsafe_code)]`
- [x] SPDX headers present
- [x] **No secrets** — the vendored hex-string test keys are removed;
zero secret-shaped hex strings remain in the crate
- [x] `STATE.a2ml` updated

## Testing

```
cargo build --workspace                 # Finished (esn compiles again)
cargo test -p bt-presence               # 11 unit + 2 conformance — pass
cargo clippy -p bt-presence --all-targets -- -D warnings   # clean
cargo fmt --check                       # clean
grep -rE '"[a-f0-9]{32,}"' crates/bt-presence   # NONE
```

## FLAGS / owner-manual

- **Dependabot will keep re-bumping `rand` to 0.10** (this is the 2nd
time). Recommend a `dependabot.yml` ignore for `rand` (and/or
`rand_distr`) until `ndarray-rand` ships a 0.10-compatible release —
otherwise the build re-breaks on the next bump.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

https://claude.ai/code/session_0172RBMz3qYjb1ttzD2i7RNh

---
_Generated by [Claude
Code](https://claude.ai/code/session_0172RBMz3qYjb1ttzD2i7RNh)_

Co-authored-by: Claude <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update rust code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant