fix: upgrade rand to 0.8.6 (RUSTSEC-2026-0097)#439
Conversation
Co-authored-by: Otto <otto@toolsforhumanity.com>
95f5909 to
69efce5
Compare
|
Warning Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
|
Summary
Upgrades
randfrom 0.8 to 0.8.6 to address RUSTSEC-2026-0097.Advisory
RUSTSEC-2026-0097: unsoundness in rand < 0.10.0 when
log+thread_rngfeatures are enabled and a custom logger accessesrand::rng().Changes
randfrom0.8to0.10inwalletkit-cli/Cargo.tomlandwalletkit-core/Cargo.tomlNote
Medium Risk
Large lockfile churn touches Ethereum (
alloy), TLS/HTTP, and crypto-adjacent crates; removing therandadvisory ignore increases the chance CI fails or a vulnerablerandversion remains in the graph if remediation is incomplete.Overview
Addresses RUSTSEC-2026-0097 by tightening the direct
randdependency and updating the dependency graph, rather than changing application RNG call sites.Direct
rand:walletkit-cliandwalletkit-corenow requirerand = "0.8.6"(was"0.8") for both normal and dev dependencies. Usage such asOsRng/RngCoreis unchanged.Policy: The
RUSTSEC-2026-0097entry is removed fromdeny.toml, socargo-denywill report that advisory again instead of ignoring it.Lockfile:
Cargo.lockis regenerated with a broad transitive refresh (e.g. alloy 2.0.4 → 2.1.1 including newalloy-ens, reqwest/hyper/TLS, quinn pullingrand0.10.2, semaphore-rs 0.5.4, wasm-bindgen bumps, and many routine patch updates). No Rust source files change in this diff.Note for reviewers: The PR description mentions upgrading direct
randto 0.10; the manifests in this diff still pin 0.8.6—worth confirming that matches the intended advisory remediation and thatcargo denypasses.Reviewed by Cursor Bugbot for commit 69efce5. Bugbot is set up for automated code reviews on this repo. Configure here.