Update Rust crate rand to 0.10.0

[hash-worker]

This PR contains the following updates:

Package	Type	Update	Change
rand (source)	workspace.dependencies	minor	0.9.2 -> 0.10.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

rust-random/rand (rand)

v0.10.1

Compare Source

This release includes a fix for a soundness bug; see #​1763.

Changes

• Document panic behavior of make_rng and add #[track_caller] (#​1761)
• Deprecate feature log (#​1763)

v0.10.0

Compare Source

Changes

• The dependency on rand_chacha has been replaced with a dependency on chacha20. This changes the implementation behind StdRng, but the output remains the same. There may be some API breakage when using the ChaCha-types directly as these are now the ones in chacha20 instead of rand_chacha (#​1642).
• Rename fns IndexedRandom::choose_multiple -> sample, choose_multiple_array -> sample_array, choose_multiple_weighted -> sample_weighted, struct SliceChooseIter -> IndexedSamples and fns IteratorRandom::choose_multiple -> sample, choose_multiple_fill -> sample_fill (#​1632)
• Use Edition 2024 and MSRV 1.85 (#​1653)
• Let Fill be implemented for element types, not sliceable types (#​1652)
• Fix OsError::raw_os_error on UEFI targets by returning Option<usize> (#​1665)
• Replace fn TryRngCore::read_adapter(..) -> RngReadAdapter with simpler struct RngReader (#​1669)
• Remove fns SeedableRng::from_os_rng, try_from_os_rng (#​1674)
• Remove Clone support for StdRng, ReseedingRng (#​1677)
• Use postcard instead of bincode to test the serde feature (#​1693)
• Avoid excessive allocation in IteratorRandom::sample when amount is much larger than iterator size (#​1695)
• Rename os_rng -> sys_rng, OsRng -> SysRng, OsError -> SysError (#​1697)
• Rename Rng -> RngExt as upstream rand_core has renamed RngCore -> Rng (#​1717)

Additions

• Add fns IndexedRandom::choose_iter, choose_weighted_iter (#​1632)
• Pub export Xoshiro128PlusPlus, Xoshiro256PlusPlus prngs (#​1649)
• Pub export ChaCha8Rng, ChaCha12Rng, ChaCha20Rng behind chacha feature (#​1659)
• Fn rand::make_rng() -> R where R: SeedableRng (#​1734)

Removals

• Removed ReseedingRng (#​1722)
• Removed unused feature "nightly" (#​1732)
• Removed feature small_rng (#​1732)

---

Configuration

📅 Schedule: Branch creation - "before 4am every weekday,every weekend" (UTC), Automerge - "before 4am every weekday,every weekend" (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
hash	Error		Apr 27, 2026 2:25pm
hashdotdesign-tokens	Ready	Preview, Comment	Apr 27, 2026 2:25pm
petrinaut	Ready	Preview, Comment	Apr 27, 2026 2:25pm

[cursor]

PR Summary

Medium Risk
Dependency-only change, but rand 0.10.0 includes API/behavior changes that may break compilation or subtly affect randomness-dependent behavior at runtime.

Overview
Updates the workspace dependency on rand from 0.9.2 to 0.10.0 in Cargo.toml, keeping default-features = false unchanged.

^{Reviewed by Cursor Bugbot for commit f237359. Bugbot is set up for automated code reviews on this repo. Configure here.}

[augmentcode]

🤖 Augment PR Summary

Summary: Updates the workspace rand dependency from 0.9.x to 0.10.0 to pick up the latest upstream release (including recent fixes).

Changes: Bumps rand version in the root workspace Cargo.toml.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 2 suggestions posted.

Comment augment review to trigger a new review at any time.

[augmentcode]

Since this repo commits Cargo.lock, bumping rand here should also update Cargo.lock (it currently still contains rand 0.9.4 / 0.8.5). Otherwise CI may fail due to a dirty or inconsistent lockfile.

Severity: medium

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[augmentcode]

rand 0.10 includes breaking API renames (notably rand::Rng -> rand::RngExt and rand_core::RngCore -> Rng), and this repo has call sites importing rand::Rng/rand::RngCore (e.g. tests/graph/test-data/rust/src/seeding/context.rs). It’s worth confirming those crates compile under 0.10 before merging.

Severity: high

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 80 untouched benchmarks

---

_{Comparing deps/rs/rand-0.x (f237359) with main (775f4cc)}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.49%. Comparing base (adb5688) to head (f237359).
⚠️ Report is 10 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8658      +/-   ##
==========================================
- Coverage   62.50%   62.49%   -0.01%     
==========================================
  Files        1318     1318              
  Lines      134234   134234              
  Branches     5520     5520              
==========================================
- Hits        83906    83895      -11     
- Misses      49415    49424       +9     
- Partials      913      915       +2     

Flag	Coverage Δ
local.claude-hooks	0.00% <ø> (ø)
local.harpc-client	51.24% <ø> (ø)
rust.antsi	0.00% <ø> (ø)
rust.error-stack	90.87% <ø> (ø)
rust.harpc-codec	84.70% <ø> (ø)
rust.harpc-net	96.21% <ø> (-0.18%)	⬇️
rust.harpc-tower	67.03% <ø> (ø)
rust.harpc-types	0.00% <ø> (ø)
rust.harpc-wire-protocol	92.23% <ø> (ø)
rust.hash-codec	72.76% <ø> (ø)
rust.hash-graph-api	2.52% <ø> (ø)
rust.hash-graph-authorization	62.34% <ø> (ø)
rust.hash-graph-store	37.76% <ø> (ø)
rust.hash-graph-temporal-versioning	47.95% <ø> (ø)
rust.hashql-ast	87.23% <ø> (ø)
rust.hashql-compiletest	29.69% <ø> (ø)
rust.hashql-core	82.29% <ø> (ø)
rust.hashql-diagnostics	72.43% <ø> (ø)
rust.hashql-eval	69.13% <ø> (ø)
rust.hashql-hir	89.06% <ø> (ø)
rust.hashql-mir	92.64% <ø> (ø)
rust.hashql-syntax-jexpr	94.05% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit f237359. Configure here.}

[cursor]

rand 0.10 incompatible with rand_distr 0.5.1

High Severity

Bumping rand to 0.10.0 while leaving rand_distr at 0.5.1 causes a dependency split: rand_distr 0.5.1 depends on rand ^0.9 (and therefore rand_core 0.9), while rand 0.10 uses rand_core 0.10. The Distribution trait re-exported through rand_distr ends up bound to a different Rng/RngCore trait than the one provided by rand 0.10, so calls like Bernoulli::sample(rng) and the workspace's own impl Distribution<…> for … blocks no longer type-check.

 

^{Reviewed by Cursor Bugbot for commit f237359. Configure here.}