Update Rust crate rand to 0.10.0 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
rand (source)	dev-dependencies	minor	0.9.0 → 0.10.0
rand (source)	dependencies	minor	0.9.0 → 0.10.0

---

Rand is unsound with a custom logger using rand::rng()

GHSA-cq8v-f236-94qc

More information

Details

It has been reported (by @​lopopolo) that the rand library is unsound (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:

• The log and thread_rng features are enabled
• A custom logger is defined
• The custom logger accesses rand::rng() (previously rand::thread_rng()) and calls any TryRng (previously RngCore) methods on ThreadRng
• The ThreadRng (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
• Trace-level logging is enabled or warn-level logging is enabled and the random source (the getrandom crate) is unable to provide a new seed

TryRng (previously RngCore) methods for ThreadRng use unsafe code to cast *mut BlockRng<ReseedingCore> to &mut BlockRng<ReseedingCore>. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of aliased mutable references is Undefined Behaviour, the behaviour of optimized builds is hard to predict.

Affected versions of rand are >= 0.7, < 0.9.3 and 0.10.0.

Severity

Low

References

• https://github.com/rust-random/rand/pull/1763
• https://rustsec.org/advisories/RUSTSEC-2026-0097.html
• https://github.com/advisories/GHSA-cq8v-f236-94qc

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

rust-random/rand (rand)

v0.10.0

Compare Source

Changes

• The dependency on rand_chacha has been replaced with a dependency on chacha20. This changes the implementation behind StdRng, but the output remains the same. There may be some API breakage when using the ChaCha-types directly as these are now the ones in chacha20 instead of rand_chacha (#​1642).
• Rename fns IndexedRandom::choose_multiple -> sample, choose_multiple_array -> sample_array, choose_multiple_weighted -> sample_weighted, struct SliceChooseIter -> IndexedSamples and fns IteratorRandom::choose_multiple -> sample, choose_multiple_fill -> sample_fill (#​1632)
• Use Edition 2024 and MSRV 1.85 (#​1653)
• Let Fill be implemented for element types, not sliceable types (#​1652)
• Fix OsError::raw_os_error on UEFI targets by returning Option<usize> (#​1665)
• Replace fn TryRngCore::read_adapter(..) -> RngReadAdapter with simpler struct RngReader (#​1669)
• Remove fns SeedableRng::from_os_rng, try_from_os_rng (#​1674)
• Remove Clone support for StdRng, ReseedingRng (#​1677)
• Use postcard instead of bincode to test the serde feature (#​1693)
• Avoid excessive allocation in IteratorRandom::sample when amount is much larger than iterator size (#​1695)
• Rename os_rng -> sys_rng, OsRng -> SysRng, OsError -> SysError (#​1697)
• Rename Rng -> RngExt as upstream rand_core has renamed RngCore -> Rng (#​1717)

Additions

• Add fns IndexedRandom::choose_iter, choose_weighted_iter (#​1632)
• Pub export Xoshiro128PlusPlus, Xoshiro256PlusPlus prngs (#​1649)
• Pub export ChaCha8Rng, ChaCha12Rng, ChaCha20Rng behind chacha feature (#​1659)
• Fn rand::make_rng() -> R where R: SeedableRng (#​1734)

Removals

• Removed ReseedingRng (#​1722)
• Removed unused feature "nightly" (#​1732)
• Removed feature small_rng (#​1732)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

---

This change is 

[renovate]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --workspace
    Updating crates.io index
error: failed to select a version for `rand`.
    ... required by package `nativelink-store v1.0.0 (/tmp/renovate/repos/github/TraceMachina/nativelink/nativelink-store)`
    ... which satisfies path dependency `nativelink-store` (locked to 1.0.0) of package `nativelink v1.0.0 (/tmp/renovate/repos/github/TraceMachina/nativelink)`
versions that meet the requirements `^0.10.0` are: 0.10.1, 0.10.0

package `nativelink-store` depends on `rand` with feature `small_rng` but `rand` does not have that feature.
 available features: alloc, chacha, default, log, serde, simd_support, std, std_rng, sys_rng, thread_rng, unbiased


all possible versions conflict with previously selected packages.

  previously selected package `rand v0.10.0`
    ... which satisfies dependency `rand = "^0.10.0"` of package `nativelink v1.0.0 (/tmp/renovate/repos/github/TraceMachina/nativelink)`

failed to select a version for `rand` which could resolve this conflict

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path nativelink-config/Cargo.toml --workspace
    Updating crates.io index
error: failed to select a version for `rand`.
    ... required by package `nativelink-store v1.0.0 (/tmp/renovate/repos/github/TraceMachina/nativelink/nativelink-store)`
    ... which satisfies path dependency `nativelink-store` (locked to 1.0.0) of package `nativelink v1.0.0 (/tmp/renovate/repos/github/TraceMachina/nativelink)`
versions that meet the requirements `^0.10.0` are: 0.10.1, 0.10.0

package `nativelink-store` depends on `rand` with feature `small_rng` but `rand` does not have that feature.
 available features: alloc, chacha, default, log, serde, simd_support, std, std_rng, sys_rng, thread_rng, unbiased


all possible versions conflict with previously selected packages.

  previously selected package `rand v0.10.0`
    ... which satisfies dependency `rand = "^0.10.0"` of package `nativelink v1.0.0 (/tmp/renovate/repos/github/TraceMachina/nativelink)`

failed to select a version for `rand` which could resolve this conflict

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path nativelink-service/Cargo.toml --workspace
    Updating crates.io index
error: failed to select a version for `rand`.
    ... required by package `nativelink-store v1.0.0 (/tmp/renovate/repos/github/TraceMachina/nativelink/nativelink-store)`
    ... which satisfies path dependency `nativelink-store` (locked to 1.0.0) of package `nativelink v1.0.0 (/tmp/renovate/repos/github/TraceMachina/nativelink)`
versions that meet the requirements `^0.10.0` are: 0.10.1, 0.10.0

package `nativelink-store` depends on `rand` with feature `small_rng` but `rand` does not have that feature.
 available features: alloc, chacha, default, log, serde, simd_support, std, std_rng, sys_rng, thread_rng, unbiased


all possible versions conflict with previously selected packages.

  previously selected package `rand v0.10.0`
    ... which satisfies dependency `rand = "^0.10.0"` of package `nativelink v1.0.0 (/tmp/renovate/repos/github/TraceMachina/nativelink)`

failed to select a version for `rand` which could resolve this conflict

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path nativelink-store/Cargo.toml --workspace
    Updating crates.io index
error: failed to select a version for `rand`.
    ... required by package `nativelink-store v1.0.0 (/tmp/renovate/repos/github/TraceMachina/nativelink/nativelink-store)`
    ... which satisfies path dependency `nativelink-store` (locked to 1.0.0) of package `nativelink v1.0.0 (/tmp/renovate/repos/github/TraceMachina/nativelink)`
versions that meet the requirements `^0.10.0` are: 0.10.1, 0.10.0

package `nativelink-store` depends on `rand` with feature `small_rng` but `rand` does not have that feature.
 available features: alloc, chacha, default, log, serde, simd_support, std, std_rng, sys_rng, thread_rng, unbiased


all possible versions conflict with previously selected packages.

  previously selected package `rand v0.10.0`
    ... which satisfies dependency `rand = "^0.10.0"` of package `nativelink v1.0.0 (/tmp/renovate/repos/github/TraceMachina/nativelink)`

failed to select a version for `rand` which could resolve this conflict

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path nativelink-util/Cargo.toml --workspace
    Updating crates.io index
error: failed to select a version for `rand`.
    ... required by package `nativelink-store v1.0.0 (/tmp/renovate/repos/github/TraceMachina/nativelink/nativelink-store)`
    ... which satisfies path dependency `nativelink-store` (locked to 1.0.0) of package `nativelink v1.0.0 (/tmp/renovate/repos/github/TraceMachina/nativelink)`
versions that meet the requirements `^0.10.0` are: 0.10.1, 0.10.0

package `nativelink-store` depends on `rand` with feature `small_rng` but `rand` does not have that feature.
 available features: alloc, chacha, default, log, serde, simd_support, std, std_rng, sys_rng, thread_rng, unbiased


all possible versions conflict with previously selected packages.

  previously selected package `rand v0.10.0`
    ... which satisfies dependency `rand = "^0.10.0"` of package `nativelink v1.0.0 (/tmp/renovate/repos/github/TraceMachina/nativelink)`

failed to select a version for `rand` which could resolve this conflict

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path nativelink-worker/Cargo.toml --workspace
    Updating crates.io index
error: failed to select a version for `rand`.
    ... required by package `nativelink-store v1.0.0 (/tmp/renovate/repos/github/TraceMachina/nativelink/nativelink-store)`
    ... which satisfies path dependency `nativelink-store` (locked to 1.0.0) of package `nativelink v1.0.0 (/tmp/renovate/repos/github/TraceMachina/nativelink)`
versions that meet the requirements `^0.10.0` are: 0.10.1, 0.10.0

package `nativelink-store` depends on `rand` with feature `small_rng` but `rand` does not have that feature.
 available features: alloc, chacha, default, log, serde, simd_support, std, std_rng, sys_rng, thread_rng, unbiased


all possible versions conflict with previously selected packages.

  previously selected package `rand v0.10.0`
    ... which satisfies dependency `rand = "^0.10.0"` of package `nativelink v1.0.0 (/tmp/renovate/repos/github/TraceMachina/nativelink)`

failed to select a version for `rand` which could resolve this conflict