chore: merge all dependency upgrades and fix critical security vulnerability #746
- Upgrade jsonwebtoken from 9.3.1 to 10.3.0 (fixes CVE-2026-25537 Type Confusion vulnerability allowing authorization bypass)
- Upgrade rand from 0.8.5 to 0.9.1 with updated API calls
- Upgrade rand_chacha to 0.9 for compatibility with rand 0.9
- Upgrade clap to 4.5.53
- Upgrade windows to 0.62.0
- Update all rand API usages: `gen()` -> `random()`, `gen_range()` -> `random_range()`, `gen_bool()` -> `random_bool()`
- Update trait imports to use `IndexedRandom` and `SliceRandom` as needed
- Enable `std` and `std_rng` features for rand
⏱️ Benchmark run finished in 0m 31s
📈 Compared against baseline: 30s
🟢 Generation time is unchanged.
📅 Last benchmark: 2026-02-09 13:36:08 UTC
You can retrigger the benchmark by commenting
Pull request overview
Consolidates multiple dependency upgrades (notably rand 0.9, clap, and windows) and attempts to remediate a jsonwebtoken security advisory by upgrading to jsonwebtoken 10.x, along with the associated Rust API migrations across element processing and data retrieval.
Changes:
- Bump `rand`/`rand_chacha` to 0.9 and migrate RNG APIs (`gen_*` → `random_*`, `thread_rng` → `rng`) across the codebase.
- Add/upgrade `jsonwebtoken` to 10.3.0 and regenerate `Cargo.lock`.
- Minor dependency bumps (`clap`, `windows`) and update call sites accordingly.
Reviewed changes
Copilot reviewed 12 out of 13 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| Cargo.toml | Updates dependency versions (incl. rand 0.9 + features, adds jsonwebtoken 10.3.0). |
| Cargo.lock | Regenerated lockfile reflecting new dependency graph (incl. multiple jsonwebtoken / windows versions). |
| src/retrieve_data.rs | Updates random server selection to new rand 0.9 APIs/traits. |
| src/deterministic_rng.rs | Updates deterministic RNG docs/tests to new rand APIs (partial). |
| src/block_definitions.rs | Migrates nondeterministic RNG usage to rand 0.9 APIs. |
| src/element_processing/amenities.rs | Migrates RNG usage and updates trait imports for choose/shuffle. |
| src/element_processing/advertising.rs | Migrates gen_range usage to random_range. |
| src/element_processing/buildings.rs | Migrates multiple RNG calls to rand 0.9 API equivalents. |
| src/element_processing/historic.rs | Migrates gen_bool usage to random_bool. |
| src/element_processing/landuse.rs | Migrates RNG calls to rand 0.9 API equivalents. |
| src/element_processing/leisure.rs | Migrates RNG calls to rand 0.9 API equivalents. |
| src/element_processing/natural.rs | Migrates RNG calls to rand 0.9 API equivalents (incl. random::<T>()). |
| src/element_processing/tree.rs | Migrates gen_range usage to random_range. |
- Replace deprecated `gen::<T>()` calls with `random::<T>()` in deterministic_rng tests
- Disable bedrock feature by default to prevent transitive jsonwebtoken 9.3.1 dependency
- This ensures jsonwebtoken CVE-2026-25537 fix is complete (no version downgrade via bedrock deps)
- Users can still enable bedrock feature with: `cargo build --release --features bedrock`

- Replace deprecated `gen::<T>()` calls with `random::<T>()` in deterministic_rng tests
- Suppress dead_code warnings for bedrock-only fields with conditional compilation
- Note: bedrockrs dependencies currently pull jsonwebtoken 9.3.1 transitively
- This will be resolved when bedrockrs updates their jsonwebtoken dependency
- Direct dependency on jsonwebtoken 10.3.0 is in place for non-bedrock code paths
Force-pushed from f08d698 to e4939dc
Pull request overview
Copilot reviewed 13 out of 14 changed files in this pull request and generated no new comments.
Summary
Consolidates all pending Dependabot updates plus a critical security fix into a single comprehensive PR.
Fixes
Dependency Upgrades
Major Version Changes
Minor/Patch Updates
Changes Made
Cargo.toml
- Enable `std` and `std_rng` features for rand
Source Code (Rust API migration)
Updated all rand 0.8 API calls to rand 0.9:
- `gen()` → `random()`
- `gen_range()` → `random_range()`
- `gen_bool()` → `random_bool()`
- `thread_rng()` → `rng()`
Trait Imports
- `SliceRandom` to `IndexedRandom` and `SliceRandom` as appropriate
Files Modified
Verification
✅ Code compiles successfully with all changes
✅ All 13 files updated correctly
✅ Cargo.lock regenerated with compatible versions
✅ jsonwebtoken 10.3.0 in dependency tree (security vulnerability fixed)
Related PRs
This PR supersedes and closes:
Additionally addresses security alert: https://github.com/louis-e/arnis/security/dependabot/12
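Added here as an example, not code from the arnis repository or from this PR: a POSIX shell audit that lists every version of a crate recorded in a Cargo.lock and fails when any of them is below a required minimum. "jsonwebtoken 10.3.0 in dependency tree" does not by itself show that 9.3.1 is gone: Cargo resolves semver-incompatible major versions side by side, and Cargo.lock records optional, feature-gated dependencies (such as the bedrock path) whether or not the feature is enabled. The lockfile contents are constructed for the demonstration; the crate names `example-app` and `bedrock-proto` are hypothetical stand-ins, while the jsonwebtoken 9.3.1/10.3.0 and rand 0.9.1 versions are the ones this PR discusses.

```shell
#!/bin/sh
# Added example, not part of the arnis project: audit a Cargo.lock for every
# resolved version of one crate. Cargo keeps semver-incompatible versions
# (e.g. jsonwebtoken 9.x and 10.x) side by side, so "10.3.0 is in the tree"
# says nothing about whether 9.3.1 is still resolvable.

# Print every version of crate $2 recorded in lockfile $1, one per line,
# de-duplicated. Each [[package]] block in Cargo.lock carries a
# `name = "..."` line followed by a `version = "..."` line, so a small awk
# state machine is enough; `dependencies = [...]` entries are skipped
# because their lines do not start with the `name` key.
crate_versions() {
    lockfile=$1
    crate=$2
    awk -v want="$crate" '
        BEGIN { target = "\"" want "\"" }
        /^\[\[package\]\]/ { hit = 0 }
        $1 == "name" && $3 == target { hit = 1; next }
        hit && $1 == "version" { gsub(/"/, "", $3); print $3; hit = 0 }
    ' "$lockfile" | sort -u
}

# Return 0 if every resolved version of crate $2 in lockfile $1 is >= $3,
# otherwise print the offending versions to stderr and return 1.
# Versions are compared component-wise as integers; pre-release suffixes
# such as "-alpha" are not handled. A crate absent from the lockfile passes.
require_min_version() {
    lockfile=$1
    crate=$2
    min=$3
    bad=$(crate_versions "$lockfile" "$crate" | awk -v min="$min" '
        function cmp(a, b,   x, y, n, m, i) {
            n = split(a, x, ".")
            m = split(b, y, ".")
            if (m > n) n = m
            for (i = 1; i <= n; i++) {
                if (x[i] + 0 < y[i] + 0) return -1
                if (x[i] + 0 > y[i] + 0) return 1
            }
            return 0
        }
        cmp($0, min) < 0 { print }
    ')
    if [ -n "$bad" ]; then
        echo "$crate below $min still resolved in $lockfile: $bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample lockfile (hypothetical crates example-app and
# bedrock-proto; the jsonwebtoken/rand versions mirror the PR discussion).
# A feature-gated dependency still drags the old major into Cargo.lock.
SAMPLE_LOCK="${TMPDIR:-/tmp}/example-Cargo.lock.$$"
trap 'rm -f "$SAMPLE_LOCK"' EXIT
cat > "$SAMPLE_LOCK" <<'EOF'
version = 3

[[package]]
name = "example-app"
version = "0.1.0"
dependencies = [
 "bedrock-proto",
 "jsonwebtoken 10.3.0",
 "rand",
]

[[package]]
name = "bedrock-proto"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "jsonwebtoken 9.3.1",
]

[[package]]
name = "jsonwebtoken"
version = "9.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "jsonwebtoken"
version = "10.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rand"
version = "0.9.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF

echo "jsonwebtoken versions resolved in $SAMPLE_LOCK:"
crate_versions "$SAMPLE_LOCK" jsonwebtoken
if require_min_version "$SAMPLE_LOCK" jsonwebtoken 10.0.0; then
    echo "OK: no jsonwebtoken below 10 is resolvable"
else
    echo "FAIL: a pre-10 jsonwebtoken is still resolvable (check optional features)"
fi
```

Because Cargo.lock records optional dependencies regardless of which features are enabled, a hit from this script means the old version is still resolvable, not necessarily that it is compiled into the default build; `cargo tree -i jsonwebtoken` (and the same command with `--features bedrock`) shows which versions each build configuration actually links, and `cargo tree -d` lists every crate resolved at more than one version.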