Background
RUSTSEC-2026-0097 was published on 2026-04-11 and flags rand >= 0.7.0, < 0.9.3 (and 0.10.0) as unsound. The patched versions are >= 0.9.3 or >= 0.10.1.
Our dependency chain: dashcore (feature bls) → blsful v3.0.0 (pinned git rev 0c34a7a4) → rand 0.8.5.
Current workaround
RUSTSEC-2026-0097 is currently ignored in deny.toml because upgrading requires blsful to update its rand dependency first.
Task
- Check whether agora-blsful has a commit/tag that depends on rand >= 0.9.3 or >= 0.10.1.
- Update the blsful git rev (or version) in dash/Cargo.toml accordingly.
- Verify the BLS feature still compiles and tests pass: cargo test -p dashcore --features bls.
- Remove the RUSTSEC-2026-0097 ignore entry from deny.toml.
References
logrust-random/rand#1763
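
Added example, not code from this repository or from rand/blsful: a std-only check that a Cargo.lock no longer resolves any rand version in the range quoted above, useful after bumping the blsful rev and before removing the deny.toml ignore. The function names and the sample lockfile are constructed for illustration; the affected range is taken from this issue's text.

```rust
// Affected range as quoted in this issue: rand >= 0.7.0, < 0.9.3, plus 0.10.0.
/// Parse "major.minor.patch"; a pre-release/build suffix is ignored (simplification).
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

fn is_affected(v: (u64, u64, u64)) -> bool {
    (v >= (0, 7, 0) && v < (0, 9, 3)) || v == (0, 10, 0)
}

/// Return every locked `rand` version that falls in the affected range.
fn affected_rand_versions(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut in_rand = false;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            in_rand = false; // a new package entry starts
        } else if line == "name = \"rand\"" {
            in_rand = true; // exact match, so rand_core etc. are skipped
        } else if in_rand {
            if let Some(ver) = line.strip_prefix("version = \"").and_then(|s| s.strip_suffix('"')) {
                if parse_version(ver).map_or(false, is_affected) {
                    hits.push(ver.to_string());
                }
                in_rand = false;
            }
        }
    }
    hits
}

// Constructed sample lockfile, not the project's real Cargo.lock.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "rand"
version = "0.8.5"
[[package]]
name = "rand"
version = "0.9.3"
[[package]]
name = "rand_core"
version = "0.6.4"
"#;

fn main() {
    let lock = std::env::args().nth(1).map_or(SAMPLE_LOCK.to_string(), |p| std::fs::read_to_string(p).expect("read lockfile"));
    let hits = affected_rand_versions(&lock);
    println!("affected rand versions: {hits:?}");
}
```

Pass the path to Cargo.lock as the first argument; with no argument it runs on the constructed sample.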