
chore(deps): bump rand from 0.8.6 to 0.10.1 in the cargo group across 1 directory #422

Closed
dependabot[bot] wants to merge 2 commits into main from dependabot/cargo/cargo-1b821729d8

Conversation

@dependabot dependabot Bot commented on behalf of github May 19, 2026

Bumps the cargo group with 1 update in the / directory: rand.

Updates rand from 0.8.6 to 0.10.1

Changelog

Sourced from rand's changelog.

[0.10.1] — 2026-02-11

This release includes a fix for a soundness bug; see #1763.

Changes

  • Document panic behavior of make_rng and add #[track_caller] (#1761)
  • Deprecate feature log (#1763)

#1761: rust-random/rand#1761 #1763: rust-random/rand#1763

[0.10.0] - 2026-02-08

Changes

  • The dependency on rand_chacha has been replaced with a dependency on chacha20. This changes the implementation behind StdRng, but the output remains the same. There may be some API breakage when using the ChaCha-types directly as these are now the ones in chacha20 instead of rand_chacha (#1642).
  • Rename fns IndexedRandom::choose_multiple -> sample, choose_multiple_array -> sample_array, choose_multiple_weighted -> sample_weighted, struct SliceChooseIter -> IndexedSamples and fns IteratorRandom::choose_multiple -> sample, choose_multiple_fill -> sample_fill (#1632)
  • Use Edition 2024 and MSRV 1.85 (#1653)
  • Let Fill be implemented for element types, not sliceable types (#1652)
  • Fix OsError::raw_os_error on UEFI targets by returning Option<usize> (#1665)
  • Replace fn TryRngCore::read_adapter(..) -> RngReadAdapter with simpler struct RngReader (#1669)
  • Remove fns SeedableRng::from_os_rng, try_from_os_rng (#1674)
  • Remove Clone support for StdRng, ReseedingRng (#1677)
  • Use postcard instead of bincode to test the serde feature (#1693)
  • Avoid excessive allocation in IteratorRandom::sample when amount is much larger than iterator size (#1695)
  • Rename os_rng -> sys_rng, OsRng -> SysRng, OsError -> SysError (#1697)
  • Rename Rng -> RngExt as upstream rand_core has renamed RngCore -> Rng (#1717)

Additions

  • Add fns IndexedRandom::choose_iter, choose_weighted_iter (#1632)
  • Pub export Xoshiro128PlusPlus, Xoshiro256PlusPlus prngs (#1649)
  • Pub export ChaCha8Rng, ChaCha12Rng, ChaCha20Rng behind chacha feature (#1659)
  • Fn rand::make_rng() -> R where R: SeedableRng (#1734)

Removals

  • Removed ReseedingRng (#1722)
  • Removed unused feature "nightly" (#1732)
  • Removed feature small_rng (#1732)

#1632: rust-random/rand#1632 #1642: rust-random/rand#1642 #1649: rust-random/rand#1649 #1652: rust-random/rand#1652 #1653: rust-random/rand#1653 #1659: rust-random/rand#1659 #1665: rust-random/rand#1665 #1669: rust-random/rand#1669 #1674: rust-random/rand#1674 #1677: rust-random/rand#1677 #1693: rust-random/rand#1693 #1695: rust-random/rand#1695 #1697: rust-random/rand#1697

... (truncated)



Bumps the cargo group with 1 update in the / directory: [rand](https://github.com/rust-random/rand).


Updates `rand` from 0.8.6 to 0.10.1
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/master/CHANGELOG.md)
- [Commits](rust-random/rand@0.8.6...0.10.1)

---
updated-dependencies:
- dependency-name: rand
  dependency-version: 0.10.1
  dependency-type: direct:production
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and rust (Pull requests that update rust code) May 19, 2026
@mskrzypkows
Contributor

@claude fix builds

@claude

claude Bot commented May 19, 2026

Claude finished @mskrzypkows's task in 7m 57s


Fixing builds for rand 0.8 → 0.10 bump

  • Inspect Cargo diff and identify affected crates
  • Pull failing CI logs (build + clippy)
  • Assess feasibility of the bump
  • Revert the bump so CI goes green
  • Commit and push (2704b3e)

Why I reverted instead of migrating

The dependabot bump from rand 0.8.6 → rand 0.10.1 cannot be made to build by editing call sites alone. The root cause shown in CI (build job 76682833251) is two incompatible rand_core versions coexisting in the dep graph:

the trait bound `StdRng: rand_core::RngCore` is not satisfied
note: there are multiple different versions of crate `rand_core` in the dependency graph
  rand_core 0.6.4   <- expected (frost, crypto, dkg, testutil trait bounds)
  rand_core 0.10.1  <- found    (pulled in by rand 0.10)

The crypto stack (frost, crypto, dkg) bounds its generics on rand_core::{RngCore, CryptoRng} from rand_core 0.6, and k256's elliptic_curve re-exports rand_core 0.6 too. As long as those upstream deps stay on rand_core 0.6, a StdRng from rand 0.10 is a different concrete type than the one those bounds accept — no amount of local call-site fixes can bridge that.

Even setting that aside, rand 0.9/0.10 introduced sweeping breaking renames across the whole workspace surface:

  • Rng trait → RngExt, RngCore (re-exported) is the new name in rand_core 0.10
  • OsRng → SysRng, os_rng → sys_rng
  • SliceRandom → IndexedRandom, choose_multiple → sample
  • SeedableRng::from_os_rng removed
  • StdRng no longer implements Clone
  • small_rng feature removed; rand_chacha replaced by chacha20 internally

Recommendation

Close this PR (or @dependabot ignore rand major version until the crypto deps move). A proper migration should land as a planned change that:

  1. Waits for / coordinates with blst-using crates and k256/elliptic_curve upgrading to rand_core 0.10, or introduces a small adapter wrapping rand_core 0.10 RNGs to expose rand_core 0.6 traits.
  2. Bumps rand and rand_core workspace deps together.
  3. Migrates trait bounds (RngCore → Rng) and renames (OsRng, SliceRandom, choose_multiple, …) across all 12 affected source files.

Files touched

  • Cargo.toml — reverted rand = "0.10" back to "0.8"
  • Cargo.lock — reverted the 10 pluto-crate rand 0.10.1 references back to rand 0.8.6 (left the ferroid transitive rand 0.10.1 entry intact since it predates this PR)
  • Branch: dependabot/cargo/cargo-1b821729d8

rand 0.10 brings rand_core 0.10, but the workspace and crypto deps
(blst, k256/elliptic_curve) still pin rand_core 0.6. The dual versions
mean StdRng (from rand 0.10) no longer satisfies the rand_core 0.6
RngCore/CryptoRng trait bounds in frost, crypto, dkg, breaking the
build. rand 0.10 also has many other breaking renames (Rng->RngExt,
OsRng->SysRng, SliceRandom->IndexedRandom, removed small_rng feature,
removed Clone for StdRng, ...) that would require a coordinated
migration across the whole workspace once upstream crypto crates have
moved to rand_core 0.10.

Co-authored-by: Maciej Skrzypkowski <mskrzypkows@users.noreply.github.com>
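The adapter that recommendation item 1 above sketches (wrap a rand_core 0.10 RNG so it satisfies rand_core 0.6 trait bounds), written out as an added example. It is not the PR's, the bot's or the project's code. A single-file example cannot pull in the real rand_core crates, so the `rc06` and `rc10` modules below are local stand-ins whose trait shapes mirror what rand_core 0.6 (`RngCore` with a fallible `try_fill_bytes`, a `CryptoRng` marker) and rand_core 0.10 (`Rng`, `CryptoRng: Rng`) expose, as an assumption about those APIs; `Compat06`, `SplitMix64` and `fill_nonce` are hypothetical names chosen for the example.

```rust
// Added example (not the PR's or the project's code): an adapter that lets an RNG
// implementing rand_core-0.10-style traits satisfy rand_core-0.6-style bounds.
// The two modules are stand-ins for the real crates (assumption: signatures match).

/// Stand-in for rand_core 0.6: the traits the crypto stack (frost, crypto, dkg) bounds on.
mod rc06 {
    #[derive(Debug)]
    pub struct Error;
    pub trait RngCore {
        fn next_u32(&mut self) -> u32;
        fn next_u64(&mut self) -> u64;
        fn fill_bytes(&mut self, dest: &mut [u8]);
        fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Error>;
    }
    /// Marker: the implementor is suitable for cryptographic use.
    pub trait CryptoRng {}
}

/// Stand-in for rand_core 0.10, where RngCore was renamed Rng and the
/// fallible method moved out of the core trait.
mod rc10 {
    pub trait Rng {
        fn next_u32(&mut self) -> u32;
        fn next_u64(&mut self) -> u64;
        fn fill_bytes(&mut self, dest: &mut [u8]);
    }
    pub trait CryptoRng: Rng {}
}

use rc10::Rng;

/// Wraps a 0.10-style RNG and exposes the 0.6-style traits on top of it.
pub struct Compat06<R>(pub R);

impl<R: rc10::Rng> rc06::RngCore for Compat06<R> {
    fn next_u32(&mut self) -> u32 { self.0.next_u32() }
    fn next_u64(&mut self) -> u64 { self.0.next_u64() }
    fn fill_bytes(&mut self, dest: &mut [u8]) { self.0.fill_bytes(dest) }
    // The inner trait is infallible, so the 0.6 fallible form cannot fail.
    fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), rc06::Error> {
        self.0.fill_bytes(dest);
        Ok(())
    }
}

// Forward the CryptoRng marker only when the inner RNG carries it, so wrapping a
// non-cryptographic generator can never smuggle it past a `CryptoRng` bound.
impl<R: rc10::CryptoRng> rc06::CryptoRng for Compat06<R> {}

/// Tiny deterministic generator (SplitMix64) implementing the 0.10-style trait.
/// It is NOT cryptographically secure and deliberately does not implement CryptoRng.
pub struct SplitMix64(pub u64);

impl rc10::Rng for SplitMix64 {
    fn next_u64(&mut self) -> u64 {
        self.0 = self.0.wrapping_add(0x9E37_79B9_7F4A_7C15);
        let mut z = self.0;
        z = (z ^ (z >> 30)).wrapping_mul(0xBF58_476D_1CE4_E5B9);
        z = (z ^ (z >> 27)).wrapping_mul(0x94D0_49BB_1331_11EB);
        z ^ (z >> 31)
    }
    fn next_u32(&mut self) -> u32 { (self.next_u64() >> 32) as u32 }
    fn fill_bytes(&mut self, dest: &mut [u8]) {
        for chunk in dest.chunks_mut(8) {
            let bytes = self.next_u64().to_le_bytes();
            chunk.copy_from_slice(&bytes[..chunk.len()]);
        }
    }
}

/// Stands in for a downstream function with a rand_core 0.6 bound (hypothetical).
/// Bounded on RngCore only, so SplitMix64 is acceptable here; a real key-generation
/// routine would add `+ rc06::CryptoRng`, and SplitMix64 would then be rejected.
pub fn fill_nonce<R: rc06::RngCore>(rng: &mut R) -> [u8; 12] {
    let mut out = [0u8; 12];
    rng.try_fill_bytes(&mut out).expect("adapter is infallible");
    out
}

/// Same seed through the adapter and directly, to show the adapter is transparent.
pub fn nonce_via_adapter(seed: u64) -> [u8; 12] {
    fill_nonce(&mut Compat06(SplitMix64(seed)))
}

pub fn nonce_direct(seed: u64) -> [u8; 12] {
    let mut rng = SplitMix64(seed);
    let mut out = [0u8; 12];
    rng.fill_bytes(&mut out);
    out
}

fn main() {
    println!("{:02x?}", nonce_via_adapter(42));
}
```

The adapter is only a bridge: the `CryptoRng` forwarding rule above is the part that matters for the crypto crates, since a blanket `impl rc06::CryptoRng for Compat06<R>` without the inner bound would let any PRNG pass a `CryptoRng` bound in frost, crypto or dkg. In the real workspace, `cargo tree -d` (duplicates mode) lists every crate present in more than one version and is the quickest way to confirm the rand_core 0.6 / 0.10 split that the CI error reports.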
@mskrzypkows
Contributor

cannot be updated yet

@dependabot dependabot Bot (Author) commented on behalf of github May 19, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/cargo/cargo-1b821729d8 branch May 19, 2026 15:04