chore(deps): update rust crate rand to v0.8.6 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
rand (source)	dependencies	patch	0.8.5 → 0.8.6

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Rand is unsound with a custom logger using rand::rng()

GHSA-cq8v-f236-94qc

More information

Details

It has been reported (by @​lopopolo) that the rand library is unsound (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:

• The log and thread_rng features are enabled
• A custom logger is defined
• The custom logger accesses rand::rng() (previously rand::thread_rng()) and calls any TryRng (previously RngCore) methods on ThreadRng
• The ThreadRng (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
• Trace-level logging is enabled or warn-level logging is enabled and the random source (the getrandom crate) is unable to provide a new seed

TryRng (previously RngCore) methods for ThreadRng use unsafe code to cast *mut BlockRng<ReseedingCore> to &mut BlockRng<ReseedingCore>. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of aliased mutable references is Undefined Behaviour, the behaviour of optimized builds is hard to predict.

Severity

Low

References

• https://github.com/rust-random/rand/pull/1763
• https://rustsec.org/advisories/RUSTSEC-2026-0097.html
• https://github.com/advisories/GHSA-cq8v-f236-94qc

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

rust-random/rand (rand)

v0.8.6

Compare Source

What's Changed

This release back-ports a fix from v0.10. See also #​1763.

Changes

• Deprecate feature log (#​1772)

• Drop the experimental simd_support feature.

New Contributors

• @​nwalfield made their first contribution in #​1772

Full Changelog: rust-random/rand@0.8.5...0.8.6

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.08%. Comparing base (d5b42e4) to head (e8d1c2d).

Additional details and impacted files

@@           Coverage Diff            @@
##             main    #3522    +/-   ##
========================================
  Coverage   86.07%   86.08%            
========================================
  Files         265      270     +5     
  Lines       25943    26223   +280     
========================================
+ Hits        22331    22574   +243     
- Misses       3612     3649    +37     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.