From f351da3fc235b1aee49de3fd44610c244b356fea Mon Sep 17 00:00:00 2001 From: Raffael Schneider Date: Thu, 16 Apr 2026 18:21:56 +0200 Subject: [PATCH] fix(deps): bump rand from 0.8 to 0.9 to fix unsoundness advisory Addresses RUSTSEC advisory for rand <0.9.3 (unsound with custom loggers using rand::rng()). Mechanical API migration across 7 crates: - thread_rng() -> rng() - .gen() -> .random() - .gen_range() -> .random_range() - SliceRandom -> IndexedRandom - rand::prelude::ThreadRng -> rand::rngs::ThreadRng - rand::distributions -> rand::distr --- pingora-cache/Cargo.toml | 2 +- pingora-cache/src/eviction/lru.rs | 2 +- pingora-cache/src/eviction/simple_lru.rs | 2 +- pingora-core/Cargo.toml | 2 +- pingora-core/src/connectors/l4.rs | 4 ++-- pingora-core/src/connectors/offload.rs | 4 ++-- pingora-limits/Cargo.toml | 2 +- pingora-limits/benches/benchmark.rs | 6 +++--- pingora-load-balancing/Cargo.toml | 2 +- pingora-load-balancing/src/selection/algorithms.rs | 4 ++-- pingora-lru/Cargo.toml | 2 +- pingora-lru/benches/bench_lru.rs | 10 +++++----- pingora-proxy/Cargo.toml | 2 +- pingora-proxy/src/proxy_cache.rs | 4 ++-- pingora-runtime/Cargo.toml | 2 +- pingora-runtime/src/lib.rs | 8 ++++---- 16 files changed, 29 insertions(+), 29 deletions(-) diff --git a/pingora-cache/Cargo.toml b/pingora-cache/Cargo.toml index 401d827c..e82a2393 100644 --- a/pingora-cache/Cargo.toml +++ b/pingora-cache/Cargo.toml @@ -46,7 +46,7 @@ ahash = { workspace = true } hex = "0.4" httparse = { workspace = true } strum = { version = "0.26", features = ["derive"] } -rand = "0.8" +rand = "0.9" [dev-dependencies] tokio-test = "0.4" diff --git a/pingora-cache/src/eviction/lru.rs b/pingora-cache/src/eviction/lru.rs index d241ee69..03db7fee 100644 --- a/pingora-cache/src/eviction/lru.rs +++ b/pingora-cache/src/eviction/lru.rs 
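Review bot: The requirement `rand = "0.9"` still lets Cargo resolve to 0.9.0–0.9.2, which the commit message itself describes as affected (`rand <0.9.3`). Unless a committed lockfile pins a fixed release, downstream builds of these crates can keep selecting an affected version. Raising the floor to `rand = "0.9.3"` makes the manifest enforce the fix; the same applies to the other six Cargo.toml hunks in this patch.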
@@ -253,7 +253,7 @@ impl EvictionManager for Manager { let dir_path = Path::new(&dir_path); let final_path = dir_path.join(format!("{}.{i}", FILE_NAME)); // create a temporary filename using a randomized u32 hash to minimize the chance of multiple writers writing to the same tmp file - let random_suffix: u32 = rand::thread_rng().gen(); + let random_suffix: u32 = rand::rng().random(); let temp_path = dir_path.join(format!("{}.{i}.{:08x}.tmp", FILE_NAME, random_suffix)); let mut file = File::create(&temp_path) diff --git a/pingora-cache/src/eviction/simple_lru.rs b/pingora-cache/src/eviction/simple_lru.rs index 1c887552..7c4f841b 100644 --- a/pingora-cache/src/eviction/simple_lru.rs +++ b/pingora-cache/src/eviction/simple_lru.rs @@ -280,7 +280,7 @@ impl EvictionManager for Manager { let final_file_path = dir_path.join(FILE_NAME); // create a temporary filename using a randomized u32 hash to minimize the chance of multiple writers writing to the same tmp file - let random_suffix: u32 = rand::thread_rng().gen(); + let random_suffix: u32 = rand::rng().random(); let temp_file_path = dir_path.join(format!("{}.{:08x}.tmp", FILE_NAME, random_suffix)); let mut file = File::create(&temp_file_path).or_err_with(InternalError, || { format!("fail to create temporary file {}", temp_file_path.display()) diff --git a/pingora-core/Cargo.toml b/pingora-core/Cargo.toml index 926bfbb8..8e35d2bc 100644 --- a/pingora-core/Cargo.toml +++ b/pingora-core/Cargo.toml @@ -61,7 +61,7 @@ parking_lot = { version = "0.12", features = ["arc_lock"] } socket2 = { version = ">=0.4, <1.0.0", features = ["all"] } flate2 = { version = "1", features = ["zlib-ng"], default-features = false } sfv = "0.10.4" -rand = "0.8" +rand = "0.9" ahash = { workspace = true } unicase = "2" brotli = "3" diff --git a/pingora-core/src/connectors/l4.rs b/pingora-core/src/connectors/l4.rs index bd7439d4..8d598197 100644 --- a/pingora-core/src/connectors/l4.rs +++ b/pingora-core/src/connectors/l4.rs 
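Review bot: The `File::create(&temp_path)` call just below the changed line truncates whatever already exists at that path and follows symlinks, so the random 32-bit suffix only lowers the chance of a collision and never detects one. Opening the file with `OpenOptions::new().write(true).create_new(true).open(&temp_path)` turns a collision, or a pre-existing entry in a shared directory, into an error instead of a silent overwrite. The same applies to `File::create(&temp_file_path)` in the simple_lru.rs hunk. Both function bodies continue outside the hunks, so the later rename and cleanup steps are not visible here.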
@@ -24,7 +24,7 @@ use crate::upstreams::peer::Peer; use async_trait::async_trait; use log::debug; use pingora_error::{Context, Error, ErrorType::*, OrErr, Result}; -use rand::seq::SliceRandom; +use rand::seq::IndexedRandom; use std::net::SocketAddr as InetSocketAddr; #[cfg(unix)] use std::os::unix::io::AsRawFd; @@ -222,7 +222,7 @@ pub(crate) fn bind_to_random( 1 => Some(ips[0]), _ => { // pick a random bind ip - ips.choose(&mut rand::thread_rng()).copied() + ips.choose(&mut rand::rng()).copied() } } } diff --git a/pingora-core/src/connectors/offload.rs b/pingora-core/src/connectors/offload.rs index fe2d1c72..7483056a 100644 --- a/pingora-core/src/connectors/offload.rs +++ b/pingora-core/src/connectors/offload.rs @@ -64,13 +64,13 @@ impl OffloadRuntime { } pub fn get_runtime(&self, hash: u64) -> &Handle { - let mut rng = rand::thread_rng(); + let mut rng = rand::rng(); // choose a shard based on hash and a random thread with in that shard // e.g. say thread_per_shard=2, shard 1 thread 1 is 1 * 2 + 1 = 3 // [[th0, th1], [th2, th3], ...] let shard = hash as usize % self.shards; - let thread_in_shard = rng.gen_range(0..self.thread_per_shard); + let thread_in_shard = rng.random_range(0..self.thread_per_shard); let pools = self.pools.get_or_init(|| self.init_pools()); &pools[shard * self.thread_per_shard + thread_in_shard].0 } diff --git a/pingora-limits/Cargo.toml b/pingora-limits/Cargo.toml index 64edfd10..6567c938 100644 --- a/pingora-limits/Cargo.toml +++ b/pingora-limits/Cargo.toml @@ -18,7 +18,7 @@ path = "src/lib.rs" ahash = { workspace = true } [dev-dependencies] -rand = "0.8" +rand = "0.9" dashmap = "5" dhat = "0" float-cmp = "0.9.0" diff --git a/pingora-limits/benches/benchmark.rs b/pingora-limits/benches/benchmark.rs index 4eaa881a..81c2746a 100644 --- a/pingora-limits/benches/benchmark.rs +++ b/pingora-limits/benches/benchmark.rs 
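Review bot: In `OffloadRuntime::get_runtime`, `rng.random_range(0..self.thread_per_shard)` panics on an empty range and `hash as usize % self.shards` panics on a zero divisor, and this hunk does not show that either value is guaranteed non-zero. The constructor is outside the hunk, so this may already be enforced. If it is, a comment such as `// invariant: shards > 0 && thread_per_shard > 0, enforced at construction` would record it; if not, reject zero when the runtime is built. The same question applies to `random_range(0..pools.len())` and `random_range(0..self.threads)` in the pingora-runtime/src/lib.rs hunks.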
@@ -19,8 +19,8 @@ static ALLOC: dhat::Alloc = dhat::Alloc; use ahash::RandomState; use dashmap::DashMap; use pingora_limits::estimator::Estimator; -use rand::distributions::Uniform; -use rand::{thread_rng, Rng}; +use rand::distr::Uniform; +use rand::{rng, Rng}; use std::collections::HashMap; use std::sync::atomic::{AtomicUsize, Ordering}; use std::sync::Arc; @@ -82,7 +82,7 @@ fn run_bench( distribution: &Uniform, test_name: &str, ) { - let mut rng = thread_rng(); + let mut rng = rng(); let before = Instant::now(); for _ in 0..samples { let event: u32 = rng.sample(distribution); diff --git a/pingora-load-balancing/Cargo.toml b/pingora-load-balancing/Cargo.toml index d6f5d41e..2a77eb46 100644 --- a/pingora-load-balancing/Cargo.toml +++ b/pingora-load-balancing/Cargo.toml @@ -25,7 +25,7 @@ pingora-ketama = { version = "0.8.0", path = "../pingora-ketama" } pingora-runtime = { version = "0.8.0", path = "../pingora-runtime" } arc-swap = "1" fnv = "1" -rand = "0.8" +rand = "0.9" tokio = { workspace = true } futures = "0" log = { workspace = true } diff --git a/pingora-load-balancing/src/selection/algorithms.rs b/pingora-load-balancing/src/selection/algorithms.rs index cd296c45..3639da41 100644 --- a/pingora-load-balancing/src/selection/algorithms.rs +++ b/pingora-load-balancing/src/selection/algorithms.rs @@ -55,7 +55,7 @@ impl SelectionAlgorithm for Random { } fn next(&self, _key: &[u8]) -> u64 { use rand::Rng; - let mut rng = rand::thread_rng(); - rng.gen() + let mut rng = rand::rng(); + rng.random() } } diff --git a/pingora-lru/Cargo.toml b/pingora-lru/Cargo.toml index 3eae82b9..9609c41e 100644 --- a/pingora-lru/Cargo.toml +++ b/pingora-lru/Cargo.toml @@ -20,7 +20,7 @@ path = "src/lib.rs" hashbrown = "0" parking_lot = "0" arrayvec = "0" -rand = "0.8" +rand = "0.9" [dev-dependencies] lru = { workspace = true } diff --git a/pingora-lru/benches/bench_lru.rs b/pingora-lru/benches/bench_lru.rs index c0bdc776..f7e599c7 100644 --- a/pingora-lru/benches/bench_lru.rs 
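Review bot: Only the `Uniform` import path is updated in benchmark.rs, while the value passed to `run_bench` is constructed outside these hunks. As far as I know, `Uniform::new` returns a `Result` in rand 0.9, so a 0.8-style construction passed by reference would no longer type-check. Bench targets are not built by a plain `cargo test`, so please confirm with `cargo check --benches` and add `.unwrap()` or `.expect(...)` at the construction site if needed.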
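Review bot: In `run_bench`, `let mut rng = rng();` shadows the imported function `rng` with the local binding of the same name. It compiles, but the function can no longer be called by its short name in that scope, and the line is harder to read. Writing `let mut rng = rand::rng();`, as the other files in this patch do, avoids the shadowing and lets the import become `use rand::Rng;`.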
+++ b/pingora-lru/benches/bench_lru.rs @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -use rand::distributions::WeightedIndex; +use rand::distr::WeightedIndex; use rand::prelude::*; use std::sync::Arc; use std::thread; @@ -42,7 +42,7 @@ fn main() { } // single thread - let mut rng = thread_rng(); + let mut rng = rand::rng(); let dist = WeightedIndex::new(WEIGHTS).unwrap(); let before = Instant::now(); @@ -82,7 +82,7 @@ fn main() { for i in 0..THREADS { let lru = lru.clone(); let handler = thread::spawn(move || { - let mut rng = thread_rng(); + let mut rng = rand::rng(); let dist = WeightedIndex::new(WEIGHTS).unwrap(); let before = Instant::now(); for _ in 0..ITERATIONS { @@ -106,7 +106,7 @@ fn main() { for i in 0..THREADS { let plru = plru.clone(); let handler = thread::spawn(move || { - let mut rng = thread_rng(); + let mut rng = rand::rng(); let dist = WeightedIndex::new(WEIGHTS).unwrap(); let before = Instant::now(); for _ in 0..ITERATIONS { @@ -128,7 +128,7 @@ fn main() { for i in 0..THREADS { let plru = plru.clone(); let handler = thread::spawn(move || { - let mut rng = thread_rng(); + let mut rng = rand::rng(); let dist = WeightedIndex::new(WEIGHTS).unwrap(); let before = Instant::now(); for _ in 0..ITERATIONS { diff --git a/pingora-proxy/Cargo.toml b/pingora-proxy/Cargo.toml index c685b8c4..b60b1a7b 100644 --- a/pingora-proxy/Cargo.toml +++ b/pingora-proxy/Cargo.toml @@ -33,7 +33,7 @@ h2 = { workspace = true } once_cell = { workspace = true } clap = { version = "4", features = ["derive"] } regex = "1" -rand = "0.8" +rand = "0.9" [dev-dependencies] reqwest = { version = "0.11", features = [ diff --git a/pingora-proxy/src/proxy_cache.rs b/pingora-proxy/src/proxy_cache.rs index 43b2ace9..af74914d 100644 --- a/pingora-proxy/src/proxy_cache.rs +++ b/pingora-proxy/src/proxy_cache.rs 
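Review bot: The new import `use rand::distr::WeightedIndex;` in bench_lru.rs may not resolve. To my knowledge rand 0.9 moved this type into the `weighted` submodule, which would make the line `use rand::distr::weighted::WeightedIndex;`. Bench targets are skipped by a default `cargo build` or `cargo test`, so a broken path here would go unnoticed unless CI runs `cargo check --benches` or `--all-targets`.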
@@ -1302,8 +1302,8 @@ pub mod range_filter { // and it must not match the body content. fn generate_boundary() -> String { use rand::Rng; - let mut rng: rand::prelude::ThreadRng = rand::thread_rng(); - format!("{:016x}", rng.gen::()) + let mut rng: rand::rngs::ThreadRng = rand::rng(); + format!("{:016x}", rng.random::()) } pub fn calculate_multipart_length(&self) -> usize { let mut total_length = 0; diff --git a/pingora-runtime/Cargo.toml b/pingora-runtime/Cargo.toml index 5de4f26b..0927ca9d 100644 --- a/pingora-runtime/Cargo.toml +++ b/pingora-runtime/Cargo.toml @@ -17,7 +17,7 @@ name = "pingora_runtime" path = "src/lib.rs" [dependencies] -rand = "0.8" +rand = "0.9" tokio = { workspace = true, features = ["rt-multi-thread", "sync", "time"] } once_cell = { workspace = true } thread_local = "1" diff --git a/pingora-runtime/src/lib.rs b/pingora-runtime/src/lib.rs index a0468f4f..bc97c1c4 100644 --- a/pingora-runtime/src/lib.rs +++ b/pingora-runtime/src/lib.rs @@ -93,8 +93,8 @@ pub fn current_handle() -> Handle { if let Some(pools) = CURRENT_HANDLE.get() { // safety: the CURRENT_HANDLE is set when the pool is being initialized in init_pools() let pools = pools.get().unwrap(); - let mut rng = rand::thread_rng(); - let index = rng.gen_range(0..pools.len()); + let mut rng = rand::rng(); + let index = rng.random_range(0..pools.len()); pools[index].clone() } else { // not NoStealRuntime, just check the current tokio runtime @@ -153,9 +153,9 @@ impl NoStealRuntime { /// Return the &[Handle] of a random thread of this runtime pub fn get_runtime(&self) -> &Handle { - let mut rng = rand::thread_rng(); + let mut rng = rand::rng(); - let index = rng.gen_range(0..self.threads); + let index = rng.random_range(0..self.threads); self.get_runtime_at(index) }
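Review bot: `generate_boundary` meets the "must not match the body content" requirement in the comment above it only through the unpredictability of the generator, and nothing in the code records that dependency. The explicit `rand::rngs::ThreadRng` annotation pins the type but does not say why. A comment such as `// relies on ThreadRng being a CSPRNG: a guessable boundary could be embedded in a cached response body` would stop a later swap to a faster non-cryptographic RNG. The integer type in the turbofish is not visible in this rendering, so I have assumed 64 bits from the `{:016x}` format.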