Fix RUSTSEC-2026-0097 (#2331)

## Which issue does this PR close?


- Closes #2327 #2328 #2329

## What changes are included in this PR?

Upgrade rnd version, use recommended api.

## Are these changes tested?

ut.

Author: blackmwk

.cargo/audit.toml

@@ -33,4 +33,9 @@ ignore = [
   #
   # Introduced by object_store, see https://github.com/apache/arrow-rs-object-store/issues/564
   "RUSTSEC-2025-0134",
+  # `rand` unsoundness with custom logger using `rand::rng()`
+  #
+  # Direct dependency upgraded to 0.9.3+. Transitive rand 0.8.5 remains
+  # from reqsign/sqllogictest/rustc-hash — no 0.8.x patch exists.
+  "RUSTSEC-2026-0097",
 ]

Cargo.lock

@@ -108,7 +108,7 @@ ordered-float = "4"
 parquet = "58"
 pilota = "0.11.10"
 pretty_assertions = "1.4"
-rand = "0.8.5"
+rand = "0.9.3"
 regex = "1.11.3"
 reqwest = { version = "0.12.12", default-features = false, features = ["json"] }
 roaring = { version = "0.11" }

Cargo.toml

@@ -793,7 +793,7 @@ mod tests {
     };
     use parquet::file::metadata::{PageIndexPolicy, ParquetMetaData};
     use parquet::file::properties::WriterProperties;
-    use rand::{Rng, thread_rng};
+    use rand::Rng;
     use tempfile::NamedTempFile;
 
     use super::PageIndexEvaluator;
@@ -1284,13 +1284,13 @@ mod tests {
 
     #[test]
     fn eval_in_length_of_set_above_limit_all_rows() -> Result<()> {
-        let mut rng = thread_rng();
+        let mut rng = rand::rng();
         let (metadata, _temp_file) = create_test_parquet_file()?;
         let (column_index, offset_index, row_group_metadata) = get_test_metadata(&metadata);
         let (iceberg_schema_ref, field_id_map) = build_iceberg_schema_and_field_map()?;
 
         let filter = Reference::new("col_float")
-            .is_in(std::iter::repeat_with(|| Datum::float(rng.gen_range(0.0..10.0))).take(1000))
+            .is_in(std::iter::repeat_with(|| Datum::float(rng.random_range(0.0..10.0))).take(1000))
             .bind(iceberg_schema_ref.clone(), false)?;
 
         let result = PageIndexEvaluator::eval(

crates/iceberg/src/expr/visitors/page_index_evaluator.rs

@@ -528,7 +528,7 @@ mod tests {
     use parquet::schema::types::{
         ColumnDescriptor, ColumnPath, SchemaDescriptor, Type as parquetSchemaType,
     };
-    use rand::{Rng, thread_rng};
+    use rand::Rng;
 
     use super::RowGroupMetricsEvaluator;
     use crate::Result;
@@ -1617,7 +1617,7 @@ mod tests {
 
     #[test]
     fn eval_true_for_too_many_literals_filter_is_in() -> Result<()> {
-        let mut rng = thread_rng();
+        let mut rng = rand::rng();
 
         let row_group_metadata = create_row_group_metadata(
             1,
@@ -1636,7 +1636,7 @@ mod tests {
         let (iceberg_schema_ref, field_id_map) = build_iceberg_schema_and_field_map()?;
 
         let filter = Reference::new("col_float")
-            .is_in(std::iter::repeat_with(|| Datum::float(rng.gen_range(0.0..10.0))).take(1000))
+            .is_in(std::iter::repeat_with(|| Datum::float(rng.random_range(0.0..10.0))).take(1000))
             .bind(iceberg_schema_ref.clone(), false)?;
 
         let result = RowGroupMetricsEvaluator::eval(

crates/iceberg/src/expr/visitors/row_group_metrics_evaluator.rs

@@ -399,7 +399,7 @@ mod tests {
             "Kelly", "Larry", "Mallory", "Shawn",
         ];
 
-        let mut rng = rand::thread_rng();
+        let mut rng = rand::rng();
         let batch_num = 10;
         let batch_rows = 100;
         let expected_rows = batch_num * batch_rows;