fix(deps): update rust crate rand_core to 0.9 #844

Closed
ham-renovate wants to merge 1 commit into main from renovate/rand_core-0.x

ham-renovate (Collaborator) commented Feb 23, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| rand_core (source) | dependencies | minor | 0.6 → 0.9 |

Release Notes

rust-random/rand_core (rand_core)

v0.9.0

Compare Source

API changes
  • Add TryRngCore::unwrap_mut, providing an impl of RngCore over &mut rng (rand#1589)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@ham-renovate ham-renovate requested a review from coodos as a code owner February 23, 2026 11:08
ham-renovate (Collaborator, Author) commented

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: infrastructure/eid-wallet/src-tauri/Cargo.lock
```
Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path infrastructure/eid-wallet/src-tauri/Cargo.toml --package rand_core@0.6.4 --precise 0.9.0
    Updating crates.io index
error: failed to select a version for the requirement `rand_core = "^0.6.4"`
candidate versions found which didn't match: 0.9.0
location searched: crates.io index
required by package `password-hash v0.5.0`
    ... which satisfies dependency `password-hash = "^0.5"` (locked to 0.5.0) of package `argon2 v0.5.3`
    ... which satisfies dependency `argon2 = "^0.5.3"` (locked to 0.5.3) of package `eid-wallet v0.1.0 (/tmp/renovate/repos/github/MetaState-Prototype-Project/prototype/infrastructure/eid-wallet/src-tauri)`
```

coderabbitai bot (Contributor) commented Feb 23, 2026

📝 Walkthrough

A dependency version bump for rand_core from 0.6 to 0.9 in the Tauri wallet project's Cargo.toml manifest, maintaining the "std" feature flag with no changes to build configuration or control flow.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependency Update: infrastructure/eid-wallet/src-tauri/Cargo.toml | Updated rand_core dependency from version 0.6 to 0.9 while retaining the "std" feature flag. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 Hopping through deps with glee so bright,
Rand_core climbs from six to nine tonight!
A tiny bump, yet steady we go,
Newer versions help our wallet grow! 🚀

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The PR description lacks required sections from the template: Issue Number, Type of change selection, How the change has been tested, and Change checklist completion are all missing or incomplete. | Fill in all required template sections: add an Issue Number, select the Type of change (likely 'Update' or 'Chore'), provide testing details, and complete the Change checklist items. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely describes the main change: updating the rand_core dependency from 0.6 to 0.9. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1


ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b672b59 and 8ebf880.

📒 Files selected for processing (1)
  • infrastructure/eid-wallet/src-tauri/Cargo.toml


argon2 = { version = "0.5.3" }
rand_core = { version = "0.6", features = ["std"] }
rand_core = { version = "0.9", features = ["std"] }
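
Review bot: the changed `rand_core` line moves to 0.9 while the unchanged `argon2 = { version = "0.5.3" }` line above it stays put, and the failed `cargo update` earlier in this thread shows that argon2 0.5.3 pulls in password-hash 0.5.0, which requires `rand_core = "^0.6.4"`. Keep `rand_core = { version = "0.6", features = ["std"] }` until argon2 can move to a release line built on rand_core 0.9, or bump both in the same change, and commit the regenerated Cargo.lock with it so the RNG crate the password-hashing path compiles against is the one the manifest declares.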

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n infrastructure/eid-wallet/src-tauri/Cargo.toml | head -50

Repository: MetaState-Prototype-Project/prototype

Length of output: 1542


🌐 Web query:

rand_core 0.9 breaking changes API RngCore CryptoRng TryRngCore migration

💡 Result:

rand_core 0.9 (released 2025-01-27) breaking changes & migration notes

1) Fallible RNGs: move try_* methods to the new TryRngCore

  • TryRngCore was added to represent RNGs that can fail (with an associated Error). RngCore now represents infallible RNGs only. For infallible RNGs, TryRngCore is intended to use Error = Infallible. [2]
  • Migration:
    • If your RNG can error: implement TryRngCore (try_next_u32, try_next_u64, try_fill_bytes). [2]
    • If your RNG can’t error: implement RngCore as before and treat fallibility as Infallible when needed. [2]

2) Crypto marker traits: CryptoRngCore replaced by CryptoRng: RngCore; add TryCryptoRng

  • CryptoRng is now a sub-trait of RngCore (replacing CryptoRngCore). For fallible crypto RNGs, use TryCryptoRng (over TryRngCore). [1], [2]

3) SeedableRng constructor renames (common compile break)

  • SeedableRng::from_rng → try_from_rng, and a new infallible from_rng variant was added. [1]
  • SeedableRng::from_entropy → from_os_rng, plus try_from_os_rng. [1]
  • SeedableRng::Seed got extra bounds: Clone and AsRef<[u8]>. [1], [2]

4) Feature / dependency renames that often break Cargo.toml

  • Feature serde1 → serde; feature getrandom → os_rng. [1]
  • MSRV bumped to Rust 1.63; getrandom updated to 0.3.0. [1]

If you share a small snippet of what fails (e.g., your trait bounds / impls), I can translate it to the exact 0.9-style bounds and trait impls.


🌐 Web query:

getrandom 0.3 breaking changes WASM

💡 Result:

getrandom 0.3.0 (released 2025-01-25) changed WASM support in a few breaking ways:

  • wasm32-wasi target removed: switch to wasm32-wasip1 or wasm32-wasip2 instead. [1]
  • Old WASM-related Cargo features were removed: the crate removed the js feature (and also custom, etc.) in favor of configuration flags. [1]
  • New opt-in WASM backend selection model:
    • Enable the backend via the wasm_js Cargo feature. [1][2]
    • Then select it with the cfg flag getrandom_backend="wasm_js" (the feature alone doesn’t select it). [1][2]

Example (for wasm32-unknown-unknown):

```toml
# Cargo.toml
getrandom = { version = "0.3", features = ["wasm_js"] }
# .cargo/config.toml
[target.wasm32-unknown-unknown]
rustflags = ['--cfg', 'getrandom_backend="wasm_js"']
```

Also in 0.3.0, the wasm_js backend dropped a special Node.js codepath, which bumps the minimum supported Node.js to v19. [1]

Sources: [1] [2]


🌐 Web query:

rand_core 0.9 MSRV minimum supported rust version

💡 Result:

rand_core 0.9.x sets rust-version = "1.63" in its published Cargo.toml, so the MSRV is Rust 1.63 (i.e., rustc >= 1.63). [1]

Sources: [1] (docs.rs)



🏁 Script executed:

cd infrastructure/eid-wallet/src-tauri && rg "RngCore|CryptoRng|TryRngCore|SeedableRng|OsRng" --type rust

Repository: MetaState-Prototype-Project/prototype

Length of output: 262


🏁 Script executed:

cd infrastructure/eid-wallet/src-tauri && grep -E "^getrandom|rand_core" Cargo.lock | head -20

Repository: MetaState-Prototype-Project/prototype

Length of output: 337


🏁 Script executed:

find infrastructure/eid-wallet/src-tauri -name "Cargo.lock" -o -name "*.toml" | xargs grep getrandom

Repository: MetaState-Prototype-Project/prototype

Length of output: 886


🌐 Web query:

argon2 0.5.3 rand_core 0.9 compatibility

💡 Result:

argon2 0.5.3 is not compatible with rand_core 0.9 (and thus not directly compatible with rand 0.9’s RNG types) because it pulls in password-hash 0.5, which in turn uses rand_core 0.6.4. That creates a different CryptoRng*/RngCore trait version than rand_core 0.9, so types like rand::rngs::OsRng (rand 0.9) won’t satisfy the traits expected by password-hash/argon2. [1][2][3]

What to do:

  • For argon2 0.5.3, use the OsRng re-exported by password-hash (i.e., argon2::password_hash::rand_core::OsRng) so you’re using rand_core 0.6.4 end-to-end. [1][4]
  • If you must standardize on rand_core/rand 0.9 across your project, you’ll need a newer argon2/password-hash release line that also depends on rand_core 0.9 (otherwise you can’t avoid the duplicated rand_core versions). [2][3]

Sources

  1. argon2 0.5.3 Cargo.toml (features + password-hash dep) — https://docs.rs/crate/argon2/0.5.3/source/Cargo.toml.orig [1]
  2. argon2 0.5.3 Cargo.lock showing password-hash 0.5.0 -> rand_core 0.6.4 — https://docs.rs/crate/argon2/latest/source/Cargo.lock [2]
  3. Rand 0.9 migration guide (rand/rand_core 0.9 line) — https://rust-random.github.io/book/update-0.9.html [3]
  4. Discussion of the “multiple versions of rand_core” / OsRng mismatch with argon2 0.5.3 — https://stackoverflow.com/questions/79473286/ [4]

🏁 Script executed:

cd infrastructure/eid-wallet/src-tauri && head -30 src/funcs/mod.rs | grep -A 5 "password_hash\|OsRng"

Repository: MetaState-Prototype-Project/prototype

Length of output: 459


rand_core 0.9 is incompatible with argon2 0.5.3 and creates duplicate trait versions in the build.

The project specifies rand_core = "0.9" (line 32), but argon2 0.5.3 depends on password-hash 0.5, which in turn requires rand_core 0.6.4. This causes both versions to coexist in Cargo.lock (rand_core 0.6.4 and 0.9.3), creating separate trait hierarchies that cannot interoperate.

The code currently works around this by using password_hash::rand_core::OsRng (the 0.6.4 version), which bypasses the specified 0.9 dependency. However, this approach masks the underlying version conflict.

Options to resolve:

  1. Downgrade rand_core to 0.6.4 if rand_core 0.9 is not required by other dependencies.
  2. Upgrade argon2 to a version compatible with rand_core 0.9 (requires investigation into available releases).
  3. Justify the 0.9 dependency if it serves other parts of the codebase; if so, migrate to a compatible password-hashing solution.

Without resolution, the build carries unnecessary trait duplication and the actual rand_core version in use differs from what's declared in Cargo.toml.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@infrastructure/eid-wallet/src-tauri/Cargo.toml` at line 32, rand_core 0.9
conflicts with argon2 → password-hash which requires rand_core 0.6.4, causing
duplicate trait versions; resolve by picking one remediation: either (A)
downgrade the explicit dependency "rand_core" in Cargo.toml from 0.9 to 0.6.4 so
a single rand_core version is used, then run cargo update and replace any uses
of password_hash::rand_core::OsRng with rand_core::OsRng if necessary; or (B)
upgrade argon2 to a release that depends on rand_core 0.9 (if available), update
Cargo.toml to that argon2 version and run cargo update to unify versions; ensure
after the change there is only one rand_core entry in Cargo.lock and remove any
cross-version OsRng usage.
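
The "only one rand_core entry in Cargo.lock" condition from the review above can be checked mechanically, for example as a CI gate. The following Rust program is an added example, not code from this repository or from either bot; the function name `split_versions` and the embedded lockfile, trimmed to the crates named in this thread, are constructed for illustration.

```rust
use std::collections::BTreeMap;
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "eid-wallet"
version = "0.1.0"
dependencies = [
 "rand_core 0.9.3",
]
[[package]]
name = "password-hash"
version = "0.5.0"
dependencies = [
 "rand_core 0.6.4",
]
[[package]]
name = "rand_core"
version = "0.6.4"
[[package]]
name = "rand_core"
version = "0.9.3"
"#; // constructed sample, trimmed to crates named in this thread

/// For each crate locked at more than one version: "name version" -> its dependents.
fn split_versions(lock: &str) -> BTreeMap<String, Vec<String>> {
    let unq = |s: &str| s.trim_end_matches(',').trim_matches('"').to_string();
    let mut pkgs: Vec<(String, String, Vec<String>)> = Vec::new();
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            pkgs.push(Default::default());
        } else if line.starts_with('[') {
            break; // [metadata] / [[patch.unused]] come after the package list
        } else if let Some(p) = pkgs.last_mut() {
            match line.split_once(" = ") {
                Some(("name", v)) => p.0 = unq(v),
                Some(("version", v)) => p.1 = unq(v),
                None if line.starts_with('"') => p.2.push(unq(line)), // dependency entry
                _ => {}
            }
        }
    }
    let mut out = BTreeMap::new();
    for (name, ver, _) in pkgs.iter().filter(|p| pkgs.iter().filter(|q| q.0 == p.0).count() > 1) {
        let key = format!("{name} {ver}"); // Cargo.lock spells ambiguous deps this way
        let users = pkgs.iter().filter(|q| q.2.contains(&key));
        out.insert(key.clone(), users.map(|q| format!("{} {}", q.0, q.1)).collect());
    }
    out
}
fn main() { println!("{:#?}", split_versions(SAMPLE_LOCK)); }
```

A non-empty result means two trait hierarchies are compiled in, and the dependents list shows which crate holds the older one. On a real checkout, `cargo tree -d` reports the same duplication from the resolved graph.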

@coodos coodos closed this Feb 23, 2026
ham-renovate (Collaborator, Author) commented

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (0.9). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@ham-renovate ham-renovate deleted the renovate/rand_core-0.x branch February 23, 2026 11:28