[TD-03] `getrandom` linked in four versions (0.2 / 0.3 / 0.4 x2) — feature-unification risk for WASM

[intendednull]

Commit: 2f26d91 · Finding: TD-03

Problem

cargo tree -d shows four copies of getrandom (0.2, 0.3, 0.4 ×2 with different feature sets). CLAUDE.md already documents the "getrandom needs the js (v0.2) / wasm_js (v0.3) features on WASM" caveat. Four versions makes that caveat brittle — any new crate adding randomness must pick the correct version + feature.

Fix

• Audit direct getrandom deps in every workspace Cargo.toml; pin to a single version where possible.
• Add getrandom = { version = "0.3", features = ["wasm_js"] } at the workspace level and rely on cargo's unification.

Obvious fix — will be auto-PR'd.

[intendednull]

Auto-fix implementer report (commit 49855e2):

Re-ran cargo tree -d -i getrandom on both targets. Today there are 3 versions, not 4 (the audit's 0.4 ×2 was build-script vs target separation, now resolved). Each is pinned by a different upstream crate we don't own:

• 0.2.17 — aes-gcm 0.10 / chacha20poly1305 0.10 (latest stable; 0.11 still RC)
• 0.3.4 — ahash (transitive via hashbrown/dashmap → iroh-relay, leptos, rusqlite); also rand 0.9
• 0.4.2 — iroh 0.98 ecosystem (iroh, iroh-base, iroh-gossip, noq-proto); rand 0.10 (transitive); uuid proc-macro via leptos_macro

The proposed fix in the issue body — getrandom = { version = "0.3", features = ["wasm_js"] } at workspace level — won't unify these, because cargo resolves each major version range independently. Crates locked to 0.2 (aes-gcm 0.10) or 0.4 (iroh 0.98) ignore a 0.3 workspace pin.

The existing per-crate getrandom_02 / getrandom_03 feature-forcing shim in willow-identity / willow-crypto / willow-messaging is already the correct WASM-safe pattern. Removing it would break WASM builds.

Per the resolving-issues workflow this is Category 3 (architectural) — not auto-PR'able. No sub-PR opened. Filed #481 documenting the holdout chain and recommending close-as-not-planned until aes-gcm 0.11 ships stable.

---

Generated by Claude Code

[intendednull]

Close per follow-up #481 reco. Three-way getrandom split structural — pinned by aes-gcm 0.10, ahash, iroh 0.98 upstream. Workspace [patch] no fix; cargo update no help (all at latest of major). Re-evaluate when upstream domino lands. Audit's intent stale → not_planned. Tracker stays open at #481.

---

Generated by Claude Code