chore(deps): bump tar to 0.4.46 and rand to 0.9.3 to clear advisories #105

Open

beardthelion wants to merge 1 commit into main from chore/bump-tar-rand-advisories

chore(deps): bump tar to 0.4.46 and rand to 0.9.3 to clear advisories#105
beardthelion wants to merge 1 commit into
mainfrom
chore/bump-tar-rand-advisories

Conversation

@beardthelion (Collaborator) commented Jun 25, 2026

Two lockfile-only security bumps, no manifest or source changes.

  • tar 0.4.45 -> 0.4.46 clears the PAX header desynchronization issue (GHSA-3pv8-6f4r-ffg2, medium). We use tar in crates/gitlawb-node/src/git/tigris.rs for archive read/write, which is the affected read path; the fix is behavior-preserving.
  • rand 0.9.2 -> 0.9.3 clears the rand::rng() custom-logger unsoundness (GHSA-cq8v-f236-94qc, low). Our own code only uses OsRng/RngCore, never rand::rng(), so this is hygiene for transitive users rather than a path we were exposed on. rand 0.8.6 stays, it is outside the vulnerable range.

These bumps carry no Cargo.toml version-requirement changes. The cargo update did move four packages onto older windows-sys selections already present in the tree, a normal resolver side-effect with no Windows target in our build:

  • colored: windows-sys 0.61.2 -> 0.48.0
  • errno: windows-sys 0.61.2 -> 0.52.0
  • rustix: windows-sys 0.61.2 -> 0.52.0
  • tempfile: windows-sys 0.61.2 -> 0.52.0

Left alone, with reason:

Verification: cargo build -p gitlawb-node, cargo test -p gitlawb-node (220 passed), and cargo audit all pass; the tar and rand advisories no longer appear.

tar 0.4.45 had a PAX header desynchronization issue (GHSA-3pv8-6f4r-ffg2,
fixed in 0.4.46); rand 0.9.2 was unsound with a custom logger using
rand::rng() (GHSA-cq8v-f236-94qc, fixed in 0.9.3). Both resolve as
lockfile-only bumps with no manifest change. Build and cargo audit pass.

lru 0.12.5 (GHSA-rhfx-m35p-ff5j) stays pinned by aws-sdk-s3 (lru ^0.12.2)
and the hickory advisories remain accepted risk per .cargo/audit.toml (#76).
coderabbitai (Bot) commented Jun 25, 2026

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock

@jatmn (Collaborator) left a comment

This PR bumps tar and rand to patched versions that clear two advisories. I found one minor scope/accuracy issue to address before merge.

Findings

  • [P3] Document the transitive windows-sys lockfile changes
    Cargo.lock
    The PR description calls this a "precise lockfile bump" for tar and rand, but the diff also changes selected windows-sys versions: dynarray now resolves to windows-sys 0.48.0 (was 0.61.2), and getrandom, rustix, and tempfile now resolve to windows-sys 0.52.0 (was 0.61.2). These are normal resolver side-effects of a cargo update, but they are not mentioned in the PR body or commit message. Please update the description to list the full lockfile delta so reviewers do not mistake the windows-sys version changes for an unintended change.

@beardthelion (Collaborator, Author) commented

Good catch, updated the description with the full lockfile delta. Walking the diff, the windows-sys movers are colored 0.61.2 -> 0.48.0, plus errno, rustix, and tempfile 0.61.2 -> 0.52.0. All four are resolver side-effects with no Windows target in our build.
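The full lockfile delta the reviewer asked for is what a plain `git diff Cargo.lock` buries: a crate bump is a changed `version` line, while a resolver side-effect such as colored moving from windows-sys 0.61.2 to 0.48.0 only shows as a changed string inside a `dependencies` array, and bare entries like `"filetime"` have to be resolved against the rest of the file before two locks can be compared. The Rust below is an added example written for this page, not code from this repository or from any participant in the thread: it reads two Cargo.lock texts and reports both kinds of change as `(fact, old, new)` tuples. Everything in it is an assumption of the example, including the function names (`parse_lock`, `facts`, `diff_locks`, `new_lock`), the constructed `OLD_LOCK` sample, and the placeholder versions of every crate other than tar and rand.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// One `[[package]]` table; dependency entries stay as written ("name" or "name version").
#[derive(Debug, Clone, Default, PartialEq, Eq)]
pub struct Package { pub name: String, pub version: String, pub dependencies: Vec<String> }

fn unquote(s: &str) -> Option<String> {
    s.trim().strip_prefix('"')?.strip_suffix('"').map(str::to_string)
}

/// Minimal Cargo.lock reader (not a general TOML parser): name, version and
/// dependencies of each `[[package]]`; source, checksum and [metadata] are ignored.
pub fn parse_lock(text: &str) -> Vec<Package> {
    text.split("[[package]]").skip(1).map(|block| {
        let block = block.split("\n[").next().unwrap_or(block); // stop at the next table
        let field = |key: &str| block.lines().find_map(|l| l.trim().strip_prefix(key).and_then(unquote)).unwrap_or_default();
        let deps = match block.split_once("dependencies = [") {
            Some((_, rest)) => rest.split(']').next().unwrap_or("").split(',').filter_map(unquote).collect(),
            None => vec![],
        };
        Package { name: field("name = "), version: field("version = "), dependencies: deps }
    }).collect()
}

/// Resolve a dependency entry to (name, version) using idx = name -> locked versions;
/// a bare "name" entry is unambiguous only when exactly one version of that crate exists.
fn resolve(entry: &str, idx: &BTreeMap<&str, BTreeSet<&str>>) -> Option<(String, String)> {
    let (name, rest) = entry.split_once(' ').unwrap_or((entry, ""));
    let version = match rest.split(' ').next().filter(|v| !v.is_empty()) {
        Some(v) => v,
        None => match idx.get(name) { Some(vs) if vs.len() == 1 => *vs.iter().next()?, _ => return None },
    };
    Some((name.to_string(), version.to_string()))
}

/// Flatten a lock into comparable facts: "crate" -> all locked versions, and "dependent / dep"
/// -> the dep version that dependent resolved to (the dependent's own version joins the key
/// only when the lock holds several versions of it, the same convention Cargo itself uses).
pub fn facts(pkgs: &[Package]) -> BTreeMap<String, String> {
    let mut idx = BTreeMap::<&str, BTreeSet<&str>>::new();
    for p in pkgs { idx.entry(p.name.as_str()).or_default().insert(p.version.as_str()); }
    let mut m: BTreeMap<String, String> =
        idx.iter().map(|(n, vs)| (n.to_string(), vs.iter().copied().collect::<Vec<_>>().join(", "))).collect();
    for p in pkgs {
        let who = if idx[p.name.as_str()].len() > 1 { format!("{} {}", p.name, p.version) } else { p.name.clone() };
        for (dep, v) in p.dependencies.iter().filter_map(|e| resolve(e, &idx)) {
            m.insert(format!("{who} / {dep}"), v);
        }
    }
    m
}

/// (fact, old, new) for every fact that differs; a fact missing on one side shows as "-".
/// Version bumps and dependency re-selections fall out of the same comparison.
pub fn diff_locks(old: &[Package], new: &[Package]) -> Vec<(String, String, String)> {
    let (of, nf) = (facts(old), facts(new));
    let keys: BTreeSet<&String> = of.keys().chain(nf.keys()).collect();
    keys.into_iter().filter_map(|k| {
        let (o, n) = (of.get(k).map_or("-", |v| v.as_str()), nf.get(k).map_or("-", |v| v.as_str()));
        (o != n).then(|| (k.clone(), o.to_string(), n.to_string()))
    }).collect()
}

/// Constructed "before" lock, not the project's real Cargo.lock (versions other than tar and
/// rand are placeholders). Two windows-sys versions coexist, so colored's selection is explicit.
pub const OLD_LOCK: &str = r#"version = 3
[[package]]
name = "colored"
version = "2.1.0"
dependencies = ["windows-sys 0.61.2"]
[[package]]
name = "filetime"
version = "0.2.25"
[[package]]
name = "rand"
version = "0.9.2"
[[package]]
name = "tar"
version = "0.4.45"
dependencies = [
 "filetime",
]
[[package]]
name = "windows-sys"
version = "0.48.0"
[[package]]
name = "windows-sys"
version = "0.61.2"
"#;

/// Constructed "after" lock: the same text with the three moves the PR describes applied.
pub fn new_lock() -> String {
    OLD_LOCK.replace("version = \"0.4.45\"", "version = \"0.4.46\"")
        .replace("version = \"0.9.2\"", "version = \"0.9.3\"")
        .replace("\"windows-sys 0.61.2\"", "\"windows-sys 0.48.0\"")
}
```

Feeding the file as it was before and after the cargo update into `diff_locks` and printing each tuple as `fact: old -> new` yields lines such as `colored / windows-sys: 0.61.2 -> 0.48.0` next to `tar: 0.4.45 -> 0.4.46`, which is the shape of delta the reviewer wanted in the PR body. Keying dependency facts by the dependent's name rather than its version keeps a bumped crate whose own selections did not move (tar still resolving filetime) out of the report, so only real changes surface. A crate that disappears from one side is reported with `-`, so a dropped transitive dependency is as visible as a bump.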

beardthelion requested a review from jatmn, June 25, 2026 20:19

@jatmn (Collaborator) left a comment

No actionable findings.

@kevincodex1 LGTM
