chore(deps): update rust crate rand to v0.9.3 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
rand (source)	dependencies	patch	0.9.0 → 0.9.3
rand (source)	dev-dependencies	patch	0.9.0 → 0.9.3

GitHub Vulnerability Alerts

GHSA-cq8v-f236-94qc

It has been reported (by @​lopopolo) that the rand library is unsound (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:

• The log and thread_rng features are enabled
• A custom logger is defined
• The custom logger accesses rand::rng() (previously rand::thread_rng()) and calls any TryRng (previously RngCore) methods on ThreadRng
• The ThreadRng (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
• Trace-level logging is enabled or warn-level logging is enabled and the random source (the getrandom crate) is unable to provide a new seed

TryRng (previously RngCore) methods for ThreadRng use unsafe code to cast *mut BlockRng<ReseedingCore> to &mut BlockRng<ReseedingCore>. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of aliased mutable references is Undefined Behaviour, the behaviour of optimized builds is hard to predict.

Affected versions of rand are >= 0.7, < 0.9.3 and 0.10.0.

---

Release Notes

rust-random/rand (rand)

v0.9.3

Compare Source

v0.9.2

Compare Source

Deprecated

• Deprecate rand::rngs::mock module and StepRng generator (#​1634)

Additions

• Enable WeightedIndex<usize> (de)serialization (#​1646)

v0.9.1

Compare Source

Security and unsafe

• Revise "not a crypto library" policy again (#​1565)
• Remove zerocopy dependency from rand (#​1579)

Fixes

• Fix feature simd_support for recent nightly rust (#​1586)

Changes

• Allow fn rand::seq::index::sample_weighted and fn IndexedRandom::choose_multiple_weighted to return fewer than amount results (#​1623), reverting an undocumented change (#​1382) to the previous release.

Additions

• Add rand::distr::Alphabetic distribution. (#​1587)
• Re-export rand_core (#​1604)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Package Changes Through 93ad8bb

No changes.

Add a change file through the GitHub UI by following this link.

---

Read about change files or the docs at github.com/jbolda/covector