Commit f6e4eae

docs: [#443] document rand 0.8.5 risk assessment — no fix available in tera yet
1 parent 45ed490 commit f6e4eae

1 file changed

Lines changed: 15 additions & 17 deletions

docs/issues/443-rand-0.8.5-rustsec.md

@@ -52,24 +52,22 @@ a version using `rand >= 0.9.3`.
5252

5353
## Steps
5454

55-
- [ ] Run `cargo audit` to confirm RUSTSEC-2026-0097 is still reported for rand 0.8.5
56-
- [ ] Run `cargo tree -i rand@0.8.5` to confirm `tera` is still the only consumer
57-
- [ ] Check whether `tera` has released a version with `rand >= 0.9.3`:
55+
- [x] Run `cargo audit` to confirm RUSTSEC-2026-0097 is still reported for rand 0.8.5
56+
- [x] Run `cargo tree -i rand@0.8.5` to confirm `tera` is still the only consumer
57+
- [x] Check whether `tera` has released a version with `rand >= 0.9.3`:
5858
<https://crates.io/crates/tera>
59-
- [ ] **If `tera` has not updated yet**:
60-
- Post a comment on #443 with the risk assessment above and the cargo tree output
61-
- Leave the issue open with a note to revisit on the next `tera` minor release
62-
- [ ] **If `tera` is updated**:
63-
- Bump `tera` in `Cargo.toml`, run `cargo update tera`
64-
- Run `cargo tree -p rand` to confirm `rand 0.8.5` is gone from `Cargo.lock`
65-
- Run `cargo audit` to confirm the advisory is cleared
66-
- Post a comment with the results and close #443
59+
- [x] **`tera` has not updated yet** — latest stable is `1.20.1` (released ~6 months
60+
ago). A `2.0.0-alpha.2` pre-release exists (~1 month ago) but is not production
61+
ready.
62+
- [x] Post a comment on #443 with the risk assessment and cargo tree output
63+
- Leave the issue open — revisit when `tera` releases a new stable version
6764

6865
## Outcome
6966

70-
<!-- Fill in after doing the work -->
71-
72-
- Date:
73-
- tera latest version:
74-
- Result:
75-
- Comment/PR:
67+
- Date: 2026-04-14
68+
- tera latest stable version: `1.20.1` (no fix available yet)
69+
- Result: **Cannot fix.** `rand 0.8.5` is pulled in solely by `tera 1.20.1`. No
70+
stable `tera` release uses `rand >= 0.9.3`. Practical risk is low — the
71+
unsoundness conditions are not met in this application (no custom logger calling
72+
back into rand). Risk assessment posted as comment on #443; issue left open.
73+
- Comment/PR: https://github.com/torrust/torrust-tracker-deployer/issues/443#issuecomment-4246102278
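Review bot: the rewrite of the Steps list deletes the entire "If `tera` is updated" branch (bump `tera` in `Cargo.toml`, `cargo update tera`, `cargo tree -p rand` to confirm `rand 0.8.5` is gone from `Cargo.lock`, `cargo audit` to confirm the advisory is cleared, close #443), yet the Outcome says the issue is left open to be revisited when `tera` releases a new stable version, so whoever revisits it has no remediation checklist left in the document. Keep those four sub-steps under an unchecked item such as `- [ ] When tera ships a stable release with rand >= 0.9.3:` instead of removing them. Also, the Outcome's "unsoundness conditions are not met in this application (no custom logger calling back into rand)" is asserted without saying how it was verified; a short note on what was inspected (the logger setup, or a search for custom `log` implementations in the codebase) would make the low-risk verdict reproducible at the next review.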
