Bump rand from 0.8.5 to 0.9.3 #7

Merged

dependabot[bot] merged 2 commits from dependabot/cargo/rand-0.9.3 into main

2026-04-15 20:19:04 +00:00

dependabot[bot] commented

2026-04-14 03:32:52 +00:00

(Migrated from github.com)

Bumps rand from 0.8.5 to 0.9.3.

Changelog

Sourced from rand's changelog.

[0.9.3] — 2026-02-11

This release back-ports a fix from v0.10. See also #1763.

Changes

Deprecate feature log (#1764)

Replace usages of doc_auto_cfg (#1764)

#1763: rust-random/rand#1763

[0.9.2] — 2025-07-20

Deprecated

Deprecate rand::rngs::mock module and StepRng generator (#1634)

Additions

Enable WeightedIndex<usize> (de)serialization (#1646)

[0.9.1] - 2025-04-17

Security and unsafe

Revise "not a crypto library" policy again (#1565)

Remove zerocopy dependency from rand (#1579)

Fixes

Fix feature simd_support for recent nightly rust (#1586)

Changes

Allow fn rand::seq::index::sample_weighted and fn IndexedRandom::choose_multiple_weighted to return fewer than amount results (#1623), reverting an undocumented change (#1382) to the previous release.

Additions

Add rand::distr::Alphabetic distribution. (#1587)

Re-export rand_core (#1604)

[0.9.0] - 2025-01-27

Security and unsafe

Policy: "rand is not a crypto library" (#1514)

Remove fork-protection from ReseedingRng and ThreadRng. Instead, it is recommended to call ThreadRng::reseed on fork. (#1379)

Use zerocopy to replace some unsafe code (#1349, #1393, #1446, #1502)

Dependencies

Bump the MSRV to 1.63.0 (#1207, #1246, #1269, #1341, #1416, #1536); note that 1.60.0 may work for dependents when using --ignore-rust-version

Update to rand_core v0.9.0 (#1558)

Features

Support std feature without getrandom or rand_chacha (#1354)

Enable feature small_rng by default (#1455)

Remove implicit feature rand_chacha; use std_rng instead. (#1473)

Rename feature serde1 to serde (#1477)

Rename feature getrandom to os_rng (#1537)

Add feature thread_rng (#1547)

API changes: rand_core traits

... (truncated)

Commits

1aeee9f Prepare v0.9.3: deprecate feature log (#1764)
98473ee Prepare rand 0.9.2 (#1648)
031a1f5 examples/print-next.rs (#1647)
6cb75ee Make UniformUsize serializable (#1646)
0c955c5 Add some tests for BlockRng, BlockRng64 and Xoshiro RNGs (#1639)
204084a Fix: Remove accidental editor swap file (#1636)
86262ac Deprecate rand::rngs::mock module and StepRng (#1634)
a6e217f Update statrs link (#1630)
db993ec Prepare rand v0.9.1 (#1629)
3057641 Remove zerocopy from rand (#1579)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [rand](https://github.com/rust-random/rand) from 0.8.5 to 0.9.3. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rust-random/rand/blob/0.9.3/CHANGELOG.md">rand's changelog</a>.</em></p> <blockquote> <h2>[0.9.3] — 2026-02-11</h2> <p>This release back-ports a fix from v0.10. See also <a href="https://redirect.github.com/rust-random/rand/issues/1763">#1763</a>.</p> <h3>Changes</h3> <ul> <li>Deprecate feature <code>log</code> (<a href="https://redirect.github.com/rust-random/rand/issues/1764">#1764</a>)</li> <li>Replace usages of <code>doc_auto_cfg</code> (<a href="https://redirect.github.com/rust-random/rand/issues/1764">#1764</a>)</li> </ul> <p><a href="https://redirect.github.com/rust-random/rand/issues/1763">#1763</a>: <a href="https://redirect.github.com/rust-random/rand/pull/1763">rust-random/rand#1763</a></p> <h2>[0.9.2] — 2025-07-20</h2> <h3>Deprecated</h3> <ul> <li>Deprecate <code>rand::rngs::mock</code> module and <code>StepRng</code> generator (<a href="https://redirect.github.com/rust-random/rand/issues/1634">#1634</a>)</li> </ul> <h3>Additions</h3> <ul> <li>Enable <code>WeightedIndex<usize></code> (de)serialization (<a href="https://redirect.github.com/rust-random/rand/issues/1646">#1646</a>)</li> </ul> <h2>[0.9.1] - 2025-04-17</h2> <h3>Security and unsafe</h3> <ul> <li>Revise "not a crypto library" policy again (<a href="https://redirect.github.com/rust-random/rand/issues/1565">#1565</a>)</li> <li>Remove <code>zerocopy</code> dependency from <code>rand</code> (<a href="https://redirect.github.com/rust-random/rand/issues/1579">#1579</a>)</li> </ul> <h3>Fixes</h3> <ul> <li>Fix feature <code>simd_support</code> for recent nightly rust (<a href="https://redirect.github.com/rust-random/rand/issues/1586">#1586</a>)</li> </ul> <h3>Changes</h3> <ul> <li>Allow <code>fn rand::seq::index::sample_weighted</code> and <code>fn IndexedRandom::choose_multiple_weighted</code> to return fewer than <code>amount</code> results (<a href="https://redirect.github.com/rust-random/rand/issues/1623">#1623</a>), reverting an undocumented change (<a href="https://redirect.github.com/rust-random/rand/issues/1382">#1382</a>) to the previous release.</li> </ul> <h3>Additions</h3> <ul> <li>Add <code>rand::distr::Alphabetic</code> distribution. (<a href="https://redirect.github.com/rust-random/rand/issues/1587">#1587</a>)</li> <li>Re-export <code>rand_core</code> (<a href="https://redirect.github.com/rust-random/rand/issues/1604">#1604</a>)</li> </ul> <h2>[0.9.0] - 2025-01-27</h2> <h3>Security and unsafe</h3> <ul> <li>Policy: "rand is not a crypto library" (<a href="https://redirect.github.com/rust-random/rand/issues/1514">#1514</a>)</li> <li>Remove fork-protection from <code>ReseedingRng</code> and <code>ThreadRng</code>. Instead, it is recommended to call <code>ThreadRng::reseed</code> on fork. (<a href="https://redirect.github.com/rust-random/rand/issues/1379">#1379</a>)</li> <li>Use <code>zerocopy</code> to replace some <code>unsafe</code> code (<a href="https://redirect.github.com/rust-random/rand/issues/1349">#1349</a>, <a href="https://redirect.github.com/rust-random/rand/issues/1393">#1393</a>, <a href="https://redirect.github.com/rust-random/rand/issues/1446">#1446</a>, <a href="https://redirect.github.com/rust-random/rand/issues/1502">#1502</a>)</li> </ul> <h3>Dependencies</h3> <ul> <li>Bump the MSRV to 1.63.0 (<a href="https://redirect.github.com/rust-random/rand/issues/1207">#1207</a>, <a href="https://redirect.github.com/rust-random/rand/issues/1246">#1246</a>, <a href="https://redirect.github.com/rust-random/rand/issues/1269">#1269</a>, <a href="https://redirect.github.com/rust-random/rand/issues/1341">#1341</a>, <a href="https://redirect.github.com/rust-random/rand/issues/1416">#1416</a>, <a href="https://redirect.github.com/rust-random/rand/issues/1536">#1536</a>); note that 1.60.0 may work for dependents when using <code>--ignore-rust-version</code></li> <li>Update to <code>rand_core</code> v0.9.0 (<a href="https://redirect.github.com/rust-random/rand/issues/1558">#1558</a>)</li> </ul> <h3>Features</h3> <ul> <li>Support <code>std</code> feature without <code>getrandom</code> or <code>rand_chacha</code> (<a href="https://redirect.github.com/rust-random/rand/issues/1354">#1354</a>)</li> <li>Enable feature <code>small_rng</code> by default (<a href="https://redirect.github.com/rust-random/rand/issues/1455">#1455</a>)</li> <li>Remove implicit feature <code>rand_chacha</code>; use <code>std_rng</code> instead. (<a href="https://redirect.github.com/rust-random/rand/issues/1473">#1473</a>)</li> <li>Rename feature <code>serde1</code> to <code>serde</code> (<a href="https://redirect.github.com/rust-random/rand/issues/1477">#1477</a>)</li> <li>Rename feature <code>getrandom</code> to <code>os_rng</code> (<a href="https://redirect.github.com/rust-random/rand/issues/1537">#1537</a>)</li> <li>Add feature <code>thread_rng</code> (<a href="https://redirect.github.com/rust-random/rand/issues/1547">#1547</a>)</li> </ul> <h3>API changes: rand_core traits</h3>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/rust-random/rand/commit/1aeee9f4c506f9f737c6c37c169ccdc365bfbabf"><code>1aeee9f</code></a> Prepare v0.9.3: deprecate feature <code>log</code> (<a href="https://redirect.github.com/rust-random/rand/issues/1764">#1764</a>)</li> <li><a href="https://github.com/rust-random/rand/commit/98473ee6f9b44eb85154b59b67adade7f2a9b8a1"><code>98473ee</code></a> Prepare rand 0.9.2 (<a href="https://redirect.github.com/rust-random/rand/issues/1648">#1648</a>)</li> <li><a href="https://github.com/rust-random/rand/commit/031a1f5589e487ce95972cb3acc0833ef64cfc10"><code>031a1f5</code></a> <code>examples/print-next.rs</code> (<a href="https://redirect.github.com/rust-random/rand/issues/1647">#1647</a>)</li> <li><a href="https://github.com/rust-random/rand/commit/6cb75ee59eda73967b6a3cae4fdcf2c21f6e0e4e"><code>6cb75ee</code></a> Make UniformUsize serializable (<a href="https://redirect.github.com/rust-random/rand/issues/1646">#1646</a>)</li> <li><a href="https://github.com/rust-random/rand/commit/0c955c5b7a079bc2fe67fe946a8deb46c4bc58d8"><code>0c955c5</code></a> Add some tests for BlockRng, BlockRng64 and Xoshiro RNGs (<a href="https://redirect.github.com/rust-random/rand/issues/1639">#1639</a>)</li> <li><a href="https://github.com/rust-random/rand/commit/204084a35fc7289e9a38575fdd80869818484517"><code>204084a</code></a> Fix: Remove accidental editor swap file (<a href="https://redirect.github.com/rust-random/rand/issues/1636">#1636</a>)</li> <li><a href="https://github.com/rust-random/rand/commit/86262ac190ec20a79293607fb2347dc74c99122e"><code>86262ac</code></a> Deprecate rand::rngs::mock module and StepRng (<a href="https://redirect.github.com/rust-random/rand/issues/1634">#1634</a>)</li> <li><a href="https://github.com/rust-random/rand/commit/a6e217f4a3ce78223a59cc1ff9afb2b5e589d785"><code>a6e217f</code></a> Update statrs link (<a href="https://redirect.github.com/rust-random/rand/issues/1630">#1630</a>)</li> <li><a href="https://github.com/rust-random/rand/commit/db993ec12676119251eaf9f2cba8389a1b07abef"><code>db993ec</code></a> Prepare rand v0.9.1 (<a href="https://redirect.github.com/rust-random/rand/issues/1629">#1629</a>)</li> <li><a href="https://github.com/rust-random/rand/commit/3057641020408f64a4618b1c582cad45a9304811"><code>3057641</code></a> Remove zerocopy from rand (<a href="https://redirect.github.com/rust-random/rand/issues/1579">#1579</a>)</li> <li>Additional commits viewable in <a href="https://github.com/rust-random/rand/compare/0.8.5...0.9.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=rand&package-manager=cargo&previous-version=0.8.5&new-version=0.9.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/navicore/anz/network/alerts). </details>

claude[bot] commented

2026-04-15 19:47:46 +00:00

(Migrated from github.com)

Code Review: Bump rand 0.8.5 → 0.9.3

Overview

This Dependabot PR upgrades rand from 0.8.5 to 0.9.3 (a minor semver bump that includes the breaking 0.9.0 release). The changes are mostly mechanical API updates required by rand's renamed functions, plus one notable workaround for a transitive dependency conflict.

What's Done Well

Correct API migration: All four call sites correctly replace rand::thread_rng().fill_bytes(&mut bytes) with rand::rng().fill_bytes(&mut bytes), which is the proper rand 0.9 equivalent.
Cryptographic usage is sound: All token generation functions continue to use fill_bytes on a CSPRNG, which is appropriate for security-sensitive tokens (CSRF, auth, client secrets).
Honest comment in keys.rs: The inline comment clearly explains why a workaround is needed, making this maintainable.

Issues & Concerns

1. Fork-Protection Removed in rand 0.9 (Security — Low Risk, Worth Knowing)

rand 0.9.0 removed fork-protection from ThreadRng:

"Remove fork-protection from ReseedingRng and ThreadRng. Instead, it is recommended to call ThreadRng::reseed on fork."

If this server ever forks processes (e.g., via a multiprocess deployment model), child processes could share RNG state with the parent, weakening token randomness. For a typical single-process async server this is a non-issue, but it's worth being aware of.

Recommendation: Confirm the deployment model is single-process. If not, add ThreadRng::reseed calls after fork.

2. Dual rand Versions in the Lock File (Maintenance)

The lock file now carries both rand 0.8.5 and rand 0.9.3 because jsonwebtoken and rsa still depend on rand 0.8. This doubles the rand/rand_chacha/rand_core/getrandom subtrees and slightly inflates compile times and binary size.

Recommendation: Check whether jsonwebtoken or rsa have newer releases that depend on rand 0.9. If not, this is unavoidable for now — but worth a follow-up issue.

3. The password_hash::rand_core::OsRng Workaround in keys.rs (Fragility)

The solution to the ed25519-dalek 2.x / rand_core 0.6 vs rand_core 0.9 mismatch is clever but indirect — it borrows OsRng via password_hash's re-export of rand_core 0.6:

use password_hash::rand_core::OsRng;

This works today, but it's an implicit dependency on password_hash's internal re-export, which could silently break if password_hash upgrades its own rand_core dependency.

Recommendation: Make the dependency explicit by adding rand_core = "0.6" directly to Cargo.toml:

rand_core = "0.6"   # explicit compat shim for ed25519-dalek 2.x

// keys.rs
use rand_core::OsRng;

This makes the intent clear to future maintainers and avoids hidden coupling. The longer-term fix would be upgrading ed25519-dalek to a version that supports rand_core 0.9.

Summary

Area	Status
API migration correctness	Correct
Cryptographic soundness	Sound
Fork-protection regression	Noted — verify deployment model
Dual rand versions	Acceptable now, worth a follow-up
`password_hash` workaround	Works, but suggest explicit `rand_core = "0.6"` dep
Test coverage	No new tests needed (mechanical API rename)

This is a well-handled upgrade overall. The main actionable suggestion is to make the rand_core 0.6 dependency explicit in Cargo.toml rather than borrowing it through password_hash.

## Code Review: Bump rand 0.8.5 → 0.9.3 ### Overview This Dependabot PR upgrades `rand` from 0.8.5 to 0.9.3 (a minor semver bump that includes the breaking 0.9.0 release). The changes are mostly mechanical API updates required by rand's renamed functions, plus one notable workaround for a transitive dependency conflict. --- ### What's Done Well - **Correct API migration**: All four call sites correctly replace `rand::thread_rng().fill_bytes(&mut bytes)` with `rand::rng().fill_bytes(&mut bytes)`, which is the proper rand 0.9 equivalent. - **Cryptographic usage is sound**: All token generation functions continue to use `fill_bytes` on a CSPRNG, which is appropriate for security-sensitive tokens (CSRF, auth, client secrets). - **Honest comment in `keys.rs`**: The inline comment clearly explains *why* a workaround is needed, making this maintainable. --- ### Issues & Concerns **1. Fork-Protection Removed in rand 0.9 (Security — Low Risk, Worth Knowing)** rand 0.9.0 removed fork-protection from `ThreadRng`: > *"Remove fork-protection from `ReseedingRng` and `ThreadRng`. Instead, it is recommended to call `ThreadRng::reseed` on fork."* If this server ever forks processes (e.g., via a multiprocess deployment model), child processes could share RNG state with the parent, weakening token randomness. For a typical single-process async server this is a non-issue, but it's worth being aware of. **Recommendation**: Confirm the deployment model is single-process. If not, add `ThreadRng::reseed` calls after `fork`. --- **2. Dual `rand` Versions in the Lock File (Maintenance)** The lock file now carries **both** `rand 0.8.5` and `rand 0.9.3` because `jsonwebtoken` and `rsa` still depend on rand 0.8. This doubles the rand/rand_chacha/rand_core/getrandom subtrees and slightly inflates compile times and binary size. **Recommendation**: Check whether `jsonwebtoken` or `rsa` have newer releases that depend on rand 0.9. If not, this is unavoidable for now — but worth a follow-up issue. --- **3. The `password_hash::rand_core::OsRng` Workaround in `keys.rs` (Fragility)** The solution to the `ed25519-dalek 2.x` / `rand_core 0.6` vs `rand_core 0.9` mismatch is clever but indirect — it borrows `OsRng` via `password_hash`'s re-export of `rand_core 0.6`: ```rust use password_hash::rand_core::OsRng; ``` This works today, but it's an implicit dependency on `password_hash`'s internal re-export, which could silently break if `password_hash` upgrades its own `rand_core` dependency. **Recommendation**: Make the dependency explicit by adding `rand_core = "0.6"` directly to `Cargo.toml`: ```toml rand_core = "0.6" # explicit compat shim for ed25519-dalek 2.x ``` ```rust // keys.rs use rand_core::OsRng; ``` This makes the intent clear to future maintainers and avoids hidden coupling. The longer-term fix would be upgrading `ed25519-dalek` to a version that supports `rand_core 0.9`. --- ### Summary | Area | Status | |---|---| | API migration correctness | Correct | | Cryptographic soundness | Sound | | Fork-protection regression | Noted — verify deployment model | | Dual rand versions | Acceptable now, worth a follow-up | | `password_hash` workaround | Works, but suggest explicit `rand_core = "0.6"` dep | | Test coverage | No new tests needed (mechanical API rename) | This is a well-handled upgrade overall. The main actionable suggestion is to make the `rand_core 0.6` dependency explicit in `Cargo.toml` rather than borrowing it through `password_hash`.