Commit: 2f26d91 · Finding: DEP-02
Problem
cargo tree -d shows rand in three concurrent majors:
rand 0.8.5 — crates/crypto/Cargo.toml, crates/agent/Cargo.toml
rand 0.9.2 — crates/identity/Cargo.toml
rand 0.10.0 — via rmcp in willow-agent
cargo audit reports RUSTSEC-2026-0097 (unsoundness when a custom logger calls rand::rng()) across all three. The unsoundness is real but not a direct RCE; the bigger issue is that security-critical code paths (crypto key generation vs. identity) use non-interoperable rand majors, so the RNG traits and types of one major cannot be shared with code built against another, and each path must be audited and patched separately.
Fix
- Add rand = "0.9" to [workspace.dependencies] in the root Cargo.toml.
- Switch crates/crypto and crates/identity to the workspace version.
- Accept rand 0.10 in the transitive rmcp path (MCP transport only, not key material) until rmcp upgrades.
- Re-run cargo audit to confirm the unsoundness advisory is no longer pinned to willow-authored crates.