
docs: [#444] mark RUSTSEC-2026-0097 resolved — rand 0.9.3 already in use #451

Open
josecelano wants to merge 1 commit into main from 444-rand-0.9.2-rustsec

@josecelano
Member

Summary

Issue #444 was opened automatically by the cargo-audit CI workflow reporting rand 0.9.2 as affected by RUSTSEC-2026-0097.

Investigation confirms the issue is already resolved: Cargo.toml declares rand = "0.9" which resolves to rand 0.9.3 (the patched release) in Cargo.lock. The advisory has zero findings for rand 0.9.x in cargo audit output.

Validation

cargo tree -p rand@0.9.3
rand v0.9.3
├── rand_chacha v0.9.0
│   ├── ppv-lite86 v0.2.21
│   │   └── zerocopy v0.8.48
│   └── rand_core v0.9.5
│       └── getrandom v0.3.4
├── ...
└── rand_core v0.9.5 (*)

cargo audit
warning: 1 allowed warning found

(Only rand 0.8.5 via tera is flagged — tracked separately in #443.)

Changes

  • docs/issues/444-rand-0.9.2-rustsec.md: updated spec with investigation results and outcome

Closes #444
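
An added example, not part of the pull request or the project's code: a dependency-free Rust check that walks a Cargo.lock and classifies every resolved `rand` entry against the patched release 0.9.3 named above. The lockfile excerpt is constructed, and `Status`, `parse_version`, `classify` and `audit` are hypothetical names; it assumes only same-series (0.9.x) entries can be decided automatically and marks anything else, such as 0.8.5, for separate review.

```rust
#[derive(Debug, PartialEq)]
enum Status { Patched, Vulnerable, NeedsReview }
// Constructed Cargo.lock excerpt (sources, checksums and dependencies omitted).
const SAMPLE_LOCK: &str = r#"
version = 4
[[package]]
name = "rand"
version = "0.8.5"
[[package]]
name = "rand"
version = "0.9.3"
[[package]]
name = "rand_core"
version = "0.9.5"
"#;

// Strict "major.minor.patch"; pre-release strings fail to parse on purpose.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut it = v.split('+').next()?.split('.').map(|p| p.parse::<u64>().ok());
    let parsed = (it.next()??, it.next()??, it.next()??);
    if it.next().is_none() { Some(parsed) } else { None }
}

// Same 0.x series as the fix: compare patch levels. Anything else needs a human.
fn classify(version: &str, patched: (u64, u64, u64)) -> Status {
    match parse_version(version) {
        Some(v) if (v.0, v.1) == (patched.0, patched.1) && v >= patched => Status::Patched,
        Some(v) if (v.0, v.1) == (patched.0, patched.1) => Status::Vulnerable,
        _ => Status::NeedsReview,
    }
}

// Walk [[package]] tables and classify every resolved version of `krate`.
fn audit(lock: &str, krate: &str, patched: (u64, u64, u64)) -> Vec<(String, Status)> {
    let (mut out, mut hit) = (Vec::new(), false);
    for line in lock.lines().map(str::trim) {
        if let Some(n) = line.strip_prefix("name = ") {
            hit = n.trim_matches('"') == krate; // exact match, so rand_core is skipped
        } else if let Some(v) = line.strip_prefix("version = ").filter(|_| hit) {
            let v = v.trim_matches('"');
            out.push((v.to_string(), classify(v, patched)));
            hit = false;
        }
    }
    out
}

fn main() {
    println!("{:?}", audit(SAMPLE_LOCK, "rand", (0, 9, 3)));
}
```
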

josecelano force-pushed the 444-rand-0.9.2-rustsec branch from fdb26b9 to 71a3d7a on April 14, 2026 09:27
josecelano self-assigned this on Apr 14, 2026
@josecelano
Member Author

ACK 71a3d7a

Development

Successfully merging this pull request may close these issues.

RUSTSEC-2026-0097: Rand is unsound with a custom logger using rand::rng()
