Skip to content

Fix GHSA-cq8v-f236-94qc: Update rand to 0.9.3#4

Merged
Josh-XT merged 1 commit intomainfrom
fix/security-vulnerabilities
Apr 19, 2026
Merged

Fix GHSA-cq8v-f236-94qc: Update rand to 0.9.3#4
Josh-XT merged 1 commit intomainfrom
fix/security-vulnerabilities

Conversation

@Josh-XT
Copy link
Copy Markdown
Owner

@Josh-XT Josh-XT commented Apr 19, 2026

Summary

This PR fixes a low-severity security vulnerability in the rand dependency.

Vulnerability Details

  • GHSA ID: GHSA-cq8v-f236-94qc
  • Severity: Low
  • Issue: Rand is unsound with a custom logger using rand::rng()
  • Affected Range: >= 0.7.0, < 0.9.3
  • Fixed Version: 0.9.3

Changes

  • Updated rand from version 0.8 to 0.9.3 in Cargo.toml
  • Added vulnerabilities.md documenting the resolved issue

Testing

The update is a minor version bump that maintains API compatibility. The change addresses a soundness issue that can cause undefined behavior when:

  1. The log and thread_rng features are enabled
  2. A custom logger is defined
  3. The custom logger accesses rand::rng()

References

Fix GHSA-cq8v-f236-94qc: Update rand from 0.8 to 0.9.3
1e967b3 
Update the rand crate to version 0.9.3 to fix a soundness issue that occurs when:
- The log and thread_rng features are enabled
- A custom logger is defined that accesses rand::rng()

The vulnerability is tracked as RUSTSEC-2026-0097.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Josh-XT Josh-XT merged commit ac6cfe8 into main Apr 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Josh-XT