From 6796d964a0721cf344efee072ae5f015b41443d7 Mon Sep 17 00:00:00 2001
From: Iain McGinniss <309153+iainmcgin@users.noreply.github.com>
Date: Wed, 6 May 2026 00:19:22 +0000
Subject: [PATCH] deps: bump rand to 0.9.4 in gen-datasets (GHSA-cq8v-f236-94qc)

rand 0.9.0-0.9.2 has a soundness bug (aliased &mut in ThreadRng's RngCore methods when a custom logger re-enters rand::rng() during a reseed). Patched in 0.9.3; cargo update picked 0.9.4.

The trigger conditions (custom log::Log impl + thread_rng feature + trace-level logging + reseed mid-call) don't apply to the dataset generator, which is a one-shot CLI with no logger, so this is hygiene only.

The only Cargo.lock with rand is benchmarks/gen-datasets/ (a dev tool, not a published crate).

The deterministic fixtures (api_response.pb, analytics_event.pb, google_message1_proto3.pb) are byte-identical under 0.9.4 - verified with task gen-datasets - so no fixture churn.

Drive-by Taskfile doc fix: media_frame.pb is also process-
nondeterministic (map attachments field encodes in HashMap iteration order), same as log_record.pb. The doc only mentioned log_record.pb because media_frame.pb was added later in PR #61.
---
Taskfile.yml | 9 +++++----
benchmarks/gen-datasets/Cargo.lock | 4 ++--
2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/Taskfile.yml b/Taskfile.yml
index 7ca22da..b129cd4 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -243,10 +243,11 @@ tasks:
 gen-datasets:
 desc: >-
 Regenerate benchmark datasets from the gen-datasets binary. Uses a fixed
- RNG seed, so api_response.pb and analytics_event.pb are byte-reproducible.
- log_record.pb is NOT — its map field encodes in HashMap
- iteration order (random per process). Don't commit log_record.pb churn
- unless the schema or generator logic changed.
+ RNG seed, so api_response.pb, analytics_event.pb, and
+ google_message1_proto3.pb are byte-reproducible. log_record.pb and
+ media_frame.pb are NOT — their map fields encode in HashMap iteration
+ order (random per process). Don't commit log_record.pb or media_frame.pb
+ churn unless the schema or generator logic changed.
 dir: benchmarks/gen-datasets
 cmds:
 - cargo run
diff --git a/benchmarks/gen-datasets/Cargo.lock b/benchmarks/gen-datasets/Cargo.lock
index 8e8705e..6750552 100644
--- a/benchmarks/gen-datasets/Cargo.lock
+++ b/benchmarks/gen-datasets/Cargo.lock
@@ -255,9 +255,9 @@ checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
 [[package]]
 name = "rand"
-version = "0.9.2"
+version = "0.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
+checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea"
 dependencies = [
 "rand_chacha",
 "rand_core",