Skip to content

Bump rand from 0.9.4 to 0.10.1#508

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/rand-0.10.1
Open

Bump rand from 0.9.4 to 0.10.1#508
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/rand-0.10.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor

Bumps rand from 0.9.4 to 0.10.1.

Changelog

Sourced from rand's changelog.

[0.10.1] — 2026-02-11

This release includes a fix for a soundness bug; see #1763.

Changes

  • Document panic behavior of make_rng and add #[track_caller] (#1761)
  • Deprecate feature log (#1763)

#1761: rust-random/rand#1761 #1763: rust-random/rand#1763

[0.10.0] - 2026-02-08

Changes

  • The dependency on rand_chacha has been replaced with a dependency on chacha20. This changes the implementation behind StdRng, but the output remains the same. There may be some API breakage when using the ChaCha-types directly as these are now the ones in chacha20 instead of rand_chacha (#1642).
  • Rename fns IndexedRandom::choose_multiple -> sample, choose_multiple_array -> sample_array, choose_multiple_weighted -> sample_weighted, struct SliceChooseIter -> IndexedSamples and fns IteratorRandom::choose_multiple -> sample, choose_multiple_fill -> sample_fill (#1632)
  • Use Edition 2024 and MSRV 1.85 (#1653)
  • Let Fill be implemented for element types, not sliceable types (#1652)
  • Fix OsError::raw_os_error on UEFI targets by returning Option<usize> (#1665)
  • Replace fn TryRngCore::read_adapter(..) -> RngReadAdapter with simpler struct RngReader (#1669)
  • Remove fns SeedableRng::from_os_rng, try_from_os_rng (#1674)
  • Remove Clone support for StdRng, ReseedingRng (#1677)
  • Use postcard instead of bincode to test the serde feature (#1693)
  • Avoid excessive allocation in IteratorRandom::sample when amount is much larger than iterator size (#1695)
  • Rename os_rng -> sys_rng, OsRng -> SysRng, OsError -> SysError (#1697)
  • Rename Rng -> RngExt as upstream rand_core has renamed RngCore -> Rng (#1717)

Additions

  • Add fns IndexedRandom::choose_iter, choose_weighted_iter (#1632)
  • Pub export Xoshiro128PlusPlus, Xoshiro256PlusPlus prngs (#1649)
  • Pub export ChaCha8Rng, ChaCha12Rng, ChaCha20Rng behind chacha feature (#1659)
  • Fn rand::make_rng() -> R where R: SeedableRng (#1734)

Removals

  • Removed ReseedingRng (#1722)
  • Removed unused feature "nightly" (#1732)
  • Removed feature small_rng (#1732)

#1632: rust-random/rand#1632 #1642: rust-random/rand#1642 #1649: rust-random/rand#1649 #1652: rust-random/rand#1652 #1653: rust-random/rand#1653 #1659: rust-random/rand#1659 #1665: rust-random/rand#1665 #1669: rust-random/rand#1669 #1674: rust-random/rand#1674 #1677: rust-random/rand#1677 #1693: rust-random/rand#1693 #1695: rust-random/rand#1695 #1697: rust-random/rand#1697

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Medium Risk
Major rand upgrade can break the optional fuzz path and any RNG APIs at compile time; RNG changes can affect fuzz reproducibility if that code is exercised.

Overview
Upgrades rand from 0.9.4 to 0.10.1 in Cargo.toml for both the optional fuzz dependency and dev-dependencies, with Cargo.lock refreshed for the new graph (chacha20, getrandom 0.4.3, rand_core 0.10.1, r-efi, etc.).

This is a major rand release (trait renames, sampling API renames, OsRngSysRng, removed APIs, MSRV/edition bumps upstream). rand_chacha stays at 0.9.0 while rand 0.10 no longer depends on it internally—worth confirming fuzz builds and any RNG usage still compile and behave as expected.

Reviewed by Cursor Bugbot for commit b2560aa. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [rand](https://github.com/rust-random/rand) from 0.9.4 to 0.10.1.
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/master/CHANGELOG.md)
- [Commits](rust-random/rand@0.9.4...0.10.1)

---
updated-dependencies:
- dependency-name: rand
  dependency-version: 0.10.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file rust Pull requests that update Rust code labels Jun 23, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedcargo/​rand@​0.9.4 ⏵ 0.10.110010093100100

View full report

@dependabot @github

dependabot Bot commented on behalf of github Jun 26, 2026

Copy link
Copy Markdown
Contributor Author

Dependabot can't resolve your Rust dependency files. Because of this, Dependabot cannot update this pull request.

3 similar comments
@dependabot @github

dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

Dependabot can't resolve your Rust dependency files. Because of this, Dependabot cannot update this pull request.

@dependabot @github

dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

Dependabot can't resolve your Rust dependency files. Because of this, Dependabot cannot update this pull request.

@dependabot @github

dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

Dependabot can't resolve your Rust dependency files. Because of this, Dependabot cannot update this pull request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file rust Pull requests that update Rust code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants