fix: update rand to 0.9.4 to resolve GHSA-cq8v-f236-94qc #10060
Merged
Co-Authored-By: Oz <[email protected]>
I'm starting a first review of this pull request. You can view the conversation on Warp. I completed the review and no human review was requested for this pull request.
Powered by Oz
Overview
This PR updates the locked transitive rand 0.9 package from 0.9.1 to 0.9.4 and rewrites the dependent lockfile references to the patched version.
Concerns
No correctness or security concerns were identified in the provided lockfile-only diff.
Verdict
Found: 0 critical, 0 important, 0 suggestions
Approve
Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).
Powered by Oz
danielpeng2 approved these changes May 4, 2026
wolverine2k pushed a commit to wolverine2k/warp that referenced this pull request May 5, 2026
…10060) Co-authored-by: Oz <[email protected]>
Leejaywell pushed a commit to Leejaywell/warp that referenced this pull request May 5, 2026
…10060) Co-authored-by: Oz <[email protected]>
Leejaywell added a commit to Leejaywell/warp that referenced this pull request May 5, 2026
Cherry-picked from upstream:
- fix: highlight C++ header extensions (warpdotdev#9388)
- Run executable shell scripts in the terminal (warpdotdev#9503)
- Revert schema generator binary recompilation fix (warpdotdev#9676)
- Remove stray backticks from Windows installer README (warpdotdev#9691)
- Fix chord shortcuts on Windows non-Latin keyboard layouts (warpdotdev#9476)
- Scroll output with Page Up/Down from prompt (warpdotdev#9624)
- Respect Markdown Viewer setting for .md links in AI rules/facts panel (warpdotdev#9699)
- fix: disable reset grid checks for restored blocks on Windows (warpdotdev#9987)
- add RedirectionGuard=no to windows-installer.iss (warpdotdev#9863)
- Windows quake mode window correctly sized (warpdotdev#9891)
- fix: update rand to 0.9.4 (GHSA-cq8v-f236-94qc) (warpdotdev#10060)
- Fix diff button when Show code review button toggle is off (warpdotdev#9600)
- Fix freshly cloned repo stuck in loading state (warpdotdev#9998)
- Fix terminal text selection not auto-scrolling when dragging (warpdotdev#9448)
- Resolve conflict markers from 3f0ac51 and edac651
Summary
Updates the transitive dependency rand from 0.9.1 to 0.9.4 to resolve GHSA-cq8v-f236-94qc (RUSTSEC-2026-0097).
Vulnerability Details
rand::rng()
What Changed
- Cargo.lock: rand 0.9.1 → 0.9.4 (transitive dependency, pulled in by actix-http, quinn-proto, sentry-core, tokenizers, candle-core, and others)
- rand dependency remains at 0.8.6 (unaffected by this advisory)
Dependabot Error
Dependabot reported security_update_not_possible claiming the max installable version was 0.9.1. However, cargo update -p [email protected] successfully resolved to 0.9.4 without any conflicts.
Verification
cargo audit confirms GHSA-cq8v-f236-94qc / RUSTSEC-2026-0097 no longer appears
Conversation: https://staging.warp.dev/conversation/1e0f1592-cbd6-4750-8423-7f910f6e48ae
Run: https://oz.staging.warp.dev/runs/019df3b7-d9a0-7c25-9c32-022e308172b4
This PR was generated with Oz.
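A lockfile gate for the situation the description covers, where Cargo.lock holds two rand series at once (0.8.6 and 0.9.x) and only the 0.9 entry needs to move. This is an added example, not code from the PR or the Warp repository; the sample lockfile is constructed, and treating every 0.9.x below 0.9.4 as needing the update is an assumption, since the page states only that 0.9.1 was flagged, 0.9.4 is patched, and 0.8.6 is unaffected.

```python
# Added example: flag locked `rand` 0.9.x entries below the patched 0.9.4.
import re

PATCHED = (0, 9, 4)  # version this PR moves the lockfile to

# Constructed sample lockfile (not Warp's real Cargo.lock).
SAMPLE_LOCK = '''
version = 4

[[package]]
name = "rand"
version = "0.8.6"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rand"
version = "0.9.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rand_core"
version = "0.9.3"
'''

def locked_versions(lock_text, crate):
    """Return every locked version of `crate` as sorted (major, minor, patch) tuples."""
    found = []
    # Cargo.lock stores one [[package]] table per (name, version) pair.
    for block in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        ver = re.search(r'^version = "(\d+)\.(\d+)\.(\d+)', block, re.M)
        # Exact name match, so rand_core and similar crates are not confused with rand.
        if name and ver and name.group(1) == crate:
            found.append(tuple(int(p) for p in ver.groups()))
    return sorted(found)

def needs_update(lock_text, crate="rand"):
    """Locked versions in the same 0.9 series as the fix but older than it.
    Assumption: other series (such as 0.8.x) are out of scope, as the PR states for 0.8.6."""
    return [v for v in locked_versions(lock_text, crate)
            if v[:2] == PATCHED[:2] and v < PATCHED]

if __name__ == "__main__":
    for v in needs_update(SAMPLE_LOCK):
        print("rand %d.%d.%d is below 0.9.4" % v)
```

A check like this complements cargo audit rather than replacing it, because it knows nothing about advisories beyond the one version boundary hard-coded above.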