fix: update rand, ignore the RUSTSEC-2026-0097 for now by iamquang95 · Pull Request #320 · NethermindEth/pluto

iamquang95 · 2026-04-13T07:42:39Z

Ignore RUSTSEC-2026-0097 (rand unsoundness)

cargo deny check started failing on RUSTSEC-2026-0097, an unsoundness advisory in rand versions >= 0.7, < 0.9.3.

Changes

Bumped rand 0.9.2 → 0.9.3 via cargo update (fixes the one instance we can patch in-place).
Added RUSTSEC-2026-0097 to deny.toml ignore list with justification. Two transitive copies remain pinned upstream and cannot be bumped from here:
- rand 0.7.3 via cuckoofilter → libp2p-floodsub
- rand 0.8.5 via alloy-signer-local (latest release)

Why it's safe to ignore

Unsoundness only, no known exploit. No CVSS score; the advisory documents UB under Stacked Borrows, not a remote-exploitable vulnerability.
Trigger path is not reachable from Pluto. It requires all of: a custom log logger that calls rand::rng(), hitting the 64KB reseed boundary mid-log-call, at trace level (or warn + getrandom failure). Pluto
uses tracing and does not invoke rand from any logger.
Nothing actionable upstream-side yet. libp2p-floodsub and alloy-signer-local would need to release with rand >= 0.9.3 before we can drop the ignore.

Follow-up

Remove the ignore entry once cuckoofilter/libp2p-floodsub and alloy-signer-local upgrade past rand 0.9.3.

iamquang95 · 2026-04-14T01:22:05Z

Tracked issue here: #323

fix: update rand, ignore the RUSTSEC-2026-0097 for now

323a54e

iamquang95 requested review from emlautarom1 and varex83 April 13, 2026 07:42

varex83 approved these changes Apr 13, 2026

View reviewed changes

iamquang95 mentioned this pull request Apr 14, 2026

Remove RUSTSEC-2026-0097 from deny.yaml #323

Open

iamquang95 merged commit d29dd7f into main Apr 14, 2026
11 checks passed

iamquang95 deleted the up-deps branch April 14, 2026 01:22

Provide feedback