Resolve RUSTSEC-2026-0097 ThreadRng unsoundness in rand (#274)#284
MavenRain wants to merge 2 commits into inference-labs-inc:main from
Conversation
…abs-inc#274) Bump `rand` to 0.8.6 in the workspace and bump the transitive `rand 0.10.0` (pulled in via quickcheck 1.1.0) to 0.10.1 across the root, jstprove_pyo3, and jstprove_zkvm lockfiles. Advisory fix is patch-level so no API surface changes.
Actionable comments posted: 1
Inline comments:
In `@Cargo.toml`:
- Line 105: The root Cargo.lock still pins vulnerable rand 0.10.0 (and older 0.8.5) even though the workspace Cargo.toml now uses rand = "0.8.6"; regenerate the root lockfile from the workspace root by running cargo update -p rand (or cargo update -p rand --workspace) or performing a cargo build so Cargo.lock is updated, then verify Cargo.lock no longer contains rand 0.10.0 and shows the expected rand 0.8.6 (or the safe resolved version present in member lockfiles).
⛔ Files ignored due to path filters (2)
- rust/jstprove_pyo3/Cargo.lock is excluded by !**/*.lock
- rust/jstprove_zkvm/Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
- Cargo.toml
Workspace Cargo.toml and the two member lockfiles already pinned the RUSTSEC-2026-0097 fix (rand 0.8.6 / 0.10.1), but the root lockfile was not regenerated alongside them, so it still contained the vulnerable rand 0.10.0 (transitive via quickcheck 1.1.0) and stale rand 0.8.5. Run `cargo update -p rand@0.10.0 --precise 0.10.1` from the workspace root to align the root lockfile with the rest of the PR.
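Added example, not code from this PR or the jstprove project: a POSIX shell check that reads a Cargo.lock and reports every `rand` entry still below the fixed versions the PR pins (0.8.6 on the 0.8 line, 0.10.1 on the 0.10 line). It runs against a constructed sample lockfile that mirrors the stale root lockfile described in the review comment. The "affected" ranges are an assumption derived from those two fix versions, since the advisory's own range is not on this page; any other `rand` line is reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example (not part of the PR): check a Cargo.lock for `rand` entries still
# below the fixed versions this PR pins (0.8.6 on the 0.8 line, 0.10.1 on the 0.10 line).
# ASSUMPTION: everything older on those two lines is treated as affected; the
# advisory's exact range is not on this page, so other lines report "unknown".

# Constructed sample lockfile in Cargo.lock syntax, mirroring the stale root
# lockfile described in the review: rand 0.8.5 plus rand 0.10.0 via quickcheck.
SAMPLE_LOCK='[[package]]
name = "quickcheck"
version = "1.1.0"
dependencies = [
 "rand 0.10.0",
]

[[package]]
name = "rand"
version = "0.8.5"

[[package]]
name = "rand"
version = "0.10.0"

[[package]]
name = "rand_core"
version = "0.6.4"
'

# list_rand_versions: read a lockfile on stdin, print the version of every
# [[package]] whose name is exactly "rand" (dependency lists are indented, so
# the ^name / ^version anchors skip them).
list_rand_versions() {
    awk '
        /^\[\[package\]\]/ { name = ""; ver = "" }
        /^name = /    { gsub(/"/, "", $3); name = $3 }
        /^version = / { gsub(/"/, "", $3); ver = $3; if (name == "rand") print ver }
    '
}

# rand_version_status VERSION: prints vulnerable | ok | unknown per the fix versions above.
rand_version_status() {
    case "$1" in
        0.8.[0-5]) echo vulnerable ;;   # 0.8.0 .. 0.8.5, fixed in 0.8.6
        0.8.*)     echo ok ;;
        0.10.0)    echo vulnerable ;;   # fixed in 0.10.1
        0.10.*)    echo ok ;;
        *)         echo unknown ;;      # outside the assumed ranges; check the advisory
    esac
}

# check_lockfile CONTENTS: print one "rand <version> <status>" line per entry;
# exit status 1 if any entry is vulnerable, 0 otherwise.
check_lockfile() {
    bad=0
    for v in $(printf '%s\n' "$1" | list_rand_versions); do
        s=$(rand_version_status "$v")
        echo "rand $v $s"
        if [ "$s" = vulnerable ]; then bad=1; fi
    done
    return $bad
}

# Usage: run on the constructed sample; on a real checkout pass "$(cat Cargo.lock)".
check_lockfile "$SAMPLE_LOCK" \
    || echo "stale lockfile: run 'cargo update -p rand@0.10.0 --precise 0.10.1' and re-check"
```

The check deliberately keys on the top-level `[[package]]` name/version pairs rather than on the quoted dependency strings, so a crate that merely depends on `rand` is not miscounted; rerunning it after the `cargo update` in the comment above should print only `ok` lines for both the 0.8 and 0.10 entries.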
Description
Bump `rand` to 0.8.6 in the workspace and bump the transitive `rand 0.10.0` (pulled in via quickcheck 1.1.0) to 0.10.1 across the root, jstprove_pyo3, and jstprove_zkvm lockfiles. Advisory fix is patch-level so no API surface changes.
Related Issue
Type of Change
Checklist
Deployment Notes
N/A
Additional Comments
N/A