chore: update dependencies

[dobby-coder]

Routine dependency scan found outdated direct dependencies.

Outdated direct dependencies

Package	Current	Latest	Kind
pg-core	0.5.10	0.6.0	Normal (major)
rand	0.8.6	0.10.1	Normal + dev

The pg-core major bump tracks the corresponding encryption4all/postguard 0.6.0 release; coordinate with whatever pg-core 0.6.0 exposes (check release notes / breaking changes in pg-core/CHANGELOG.md). rand 0.9/0.10 is a breaking bump.

Security advisories (informational, from cargo audit)

• RUSTSEC-2025-0141 — bincode 1.3.3 unmaintained. Do NOT bump to 3.x (tombstone) and bumping to 2.x does NOT clear the advisory (the advisory covers all versions). Either allowlist in .cargo/audit.toml or migrate off bincode (postcard / bincode-next). Out of scope for this PR unless trivial.
• RUSTSEC-2025-0134 — rustls-pemfile 1.0.4 unmaintained, pulled in transitively via reqwest 0.11 → irma. Resolves naturally if reqwest is bumped to 0.12+, but irma constrains this.

Instructions for the worker

1. Pull the repo.
2. Update all listed dependencies. Security fixes first; then minor/patch; then major (pg-core, rand).
3. For pg-core 0.6.0: read the upstream postguard 0.6.0 CHANGELOG and adapt call sites.
4. For rand 0.8 → 0.10: follow the rand 0.9 migration guide (thread_rng() → rng(), gen() → random(), etc.). The same change is being worked in ibe#29 — check there for a recipe.
5. Build (cargo build) and run the full test suite (cargo test) before pushing. Run cargo fmt (see rules/rust-run-cargo-fmt-before-push.md).
6. Open a draft PR with conventional-commit title chore: update dependencies. Closes #ISSUENUMBER.
7. Assign @rubenhensen as reviewer.
8. Mark ready (gh pr ready) once CI passes.

If pg-core 0.6.0 has breaking changes that bleed into cryptify's runtime surface and the scope balloons, split: ship the rand bump alone and leave a follow-up for pg-core.

[dobby-coder]

/dobby

[dobby-coder]

This agent has scampered in! Dobby sees the dependency scan — pg-core 0.5.10→0.6.0 and rand 0.8→0.10. Dobby will check the lockfile for any already-landed fixes, read the upstream changelogs, and report back with a plan before touching anything. Such important work, yes!

[dobby-coder]

Plan

State on main

• rand is already at 0.10.0 in Cargo.toml (the issue body listed it as 0.8.6, which was stale). Dev-dep alias rand08 = { package = "rand", version = "0.8" } is intentional — pg-core's Sealer / TestSetup still takes a rand 0.8 RNG.
• pg-core 0.5.10 is current. The 0.6.0 release (encryption4all/postguard pg-core-v0.6.0, 2026-05-13) bundles a security fix (bounds-check malformed ciphertext) and the bincode-next migration. No breaking changes touch cryptify's surface (Parameters, VerifyingKey, Unsealer, UnsealerStreamConfig, Sealer, SealerStreamConfig, TestSetup).

Proposed change

• Bump pg-core 0.5.0 → 0.6.0 in [dependencies] and [dev-dependencies] (the manifest req — Cargo.lock will resolve to 0.6.0).
• Leave dev-dep rand08 and runtime rand = "0.10.0" as-is.
• Net lockfile effect: pg-core 0.5.10 → 0.6.0, transitive bincode 1.3.3 → bincode-next 3.0.0-rc.13 (clears RUSTSEC-2025-0141 since bincode-next is a separate crate).
• Verified locally: cargo build, cargo test (86 passed), cargo fmt --all -- --check, cargo clippy --all-targets all green with no source changes.

Out of scope

• RUSTSEC-2025-0134 (rustls-pemfile): transitive via reqwest 0.11 → irma 0.2.1; irma still pins reqwest 0.11, so this needs an irma bump upstream. Not fixable here.

Reviewer

• @rubenhensen

Proceeding to draft PR with conventional-commit title chore: bump pg-core 0.5 → 0.6 and Closes #155.