chore: bump rand to 0.10.0 #103

Merged
genedna merged 1 commit into web3infra-foundation:main from jjl9807:dev
Feb 27, 2026

@jjl9807 jjl9807 commented Feb 27, 2026

No description provided.

Signed-off-by: jl.jiang <jiangjl9807@gmail.com>
Copilot AI review requested due to automatic review settings February 27, 2026 07:56

github-actions bot commented Feb 27, 2026

Claude finished @jjl9807's task in 3m 8s


Code Review: chore: bump rand to 0.10.0

  • Gather context and understand the PR
  • Review Cargo.toml and Cargo.lock changes
  • Review source code changes (src/zstdelta/mod.rs)
  • Review BUCK file changes
  • Review new crate additions
  • Provide final review summary

Summary

This PR bumps rand from 0.9.2 to 0.10.0 and updates related dependencies. The approach is generally correct and mechanically sound, but there are a few concerns worth addressing.


Issues Found

1. Unnecessary Direct chacha20 Dependency (Minor)

Cargo.toml: chacha20 = "0.10.0" is added as a dev-dependency, and src/zstdelta/mod.rs:149 uses chacha20::ChaCha20Rng directly.

Since rand 0.10.0 exposes ChaCha20Rng via rand::rngs::ChaCha20Rng (when std_rng feature is enabled, which is already enabled in the BUCK file for rand), this direct chacha20 dependency is coupling test code to an internal implementation detail of rand. If rand changes its ChaCha backend, the test would break even though the public rand API is stable.

Recommendation: Use rand::rngs::ChaCha20Rng and drop the explicit chacha20 dev-dependency:

// src/zstdelta/mod.rs
// Before:
use chacha20::ChaCha20Rng;
use rand::{Rng, SeedableRng};

// After:
use rand::{SeedableRng, rngs::ChaCha20Rng};

And in Cargo.toml, remove chacha20 = "0.10.0" from [dev-dependencies].

2. Potentially Over-broad rand Features in BUCK (third-party/rust/crates/rand/0.10.0/BUCK)

The BUCK file for rand 0.10.0 enables:

features = ["alloc", "default", "std", "std_rng", "sys_rng", "thread_rng"]

thread_rng pulls in a thread-local RNG with OnceLock initialization. For a library that doesn't use thread_rng() directly, this adds unnecessary overhead. Unless there's a downstream dependency that needs it, consider dropping thread_rng.

default is also redundant when std and std_rng are listed explicitly (since default in rand just enables std+std_rng+sys_rng).

3. Unused Rng Import (src/zstdelta/mod.rs:151)

use rand::{Rng, SeedableRng};

The Rng trait is imported but only fill_bytes (from RngCore) and from_seed (from SeedableRng) are called in the test. If the intent is to call fill_bytes, the correct import is rand::RngCore, not rand::Rng. This may be masking an implicit method resolution.

Note: This compiles because ChaCha20Rng's fill_bytes implementation can be resolved on the concrete type. But for clarity and correctness, replace Rng with RngCore:

use rand::{RngCore, SeedableRng};
// (or just `SeedableRng` if using rand::rngs::ChaCha20Rng which already implements fill_bytes)

Positive Observations

  • Clean removal of rand_chacha 0.9.0 and rand_core 0.9.3 BUCK files — no orphaned build artifacts left behind.
  • getrandom feature update (adding std) is correct for rand 0.10's feature requirements.
  • futures bump from 0.3.31 → 0.3.32 is handled cleanly with proper BUCK directory renames.
  • slab cleanup: removing the redundant default feature (since std is the actual needed feature) is a nice improvement.
  • Lock file properly removes getrandom 0.3.4 (rand 0.9's transitive dep) and rand_core 0.9.3, keeping the dependency tree clean.
  • New RustCrypto BUCK files (chacha20, cipher, cpufeatures, crypto-common, block-buffer, hybrid-array, inout) are all properly generated and consistent in style.

Overall Assessment

The upgrade is mechanically correct and the lock file changes are consistent. The main suggestions are:

  1. Prefer rand::rngs::ChaCha20Rng over the direct chacha20 crate to avoid coupling to implementation internals
  2. Clean up the Rng → RngCore import for correctness/clarity
  3. Consider trimming the thread_rng feature from the BUCK file if it's not needed
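
The lock-file observation in the review above (old rand_core 0.9.3 and getrandom 0.3.4 entries gone after the bump) can be checked mechanically. The following is an added example, not code from the PR or from either reviewer: it lists every crate a Cargo.lock pins at more than one version, run here over a constructed lock file in which the rand_core 0.10.0 entry is an assumed version.

```rust
use std::collections::BTreeMap;

// Constructed sample: a lock file left half-migrated after a rand bump.
// The rand_core 0.10.0 entry is an assumed version, used only for illustration.
const SAMPLE_LOCK: &str = r#"
version = 4

[[package]]
name = "rand"
version = "0.10.0"
dependencies = ["rand_core 0.10.0"]

[[package]]
name = "rand_core"
version = "0.10.0"

[[package]]
name = "rand_core"
version = "0.9.3"
"#;

/// Return every crate that Cargo.lock pins at more than one version.
fn duplicate_versions(lock: &str) -> BTreeMap<String, Vec<String>> {
    let mut seen: BTreeMap<String, Vec<String>> = BTreeMap::new();
    let mut name: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None; // new entry; forget the previous name
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            // The top-level `version = 4` has no preceding name and is skipped.
            if let Some(n) = name.take() {
                let v = v.trim_matches('"').to_string();
                let versions = seen.entry(n).or_default();
                if !versions.contains(&v) { versions.push(v); }
            }
        }
    }
    seen.retain(|_, v| v.len() > 1);
    seen.values_mut().for_each(|v| v.sort());
    seen
}

fn main() {
    for (name, versions) in duplicate_versions(SAMPLE_LOCK) {
        println!("{name}: {}", versions.join(", "));
    }
}
```

A non-empty result after a dependency bump means two copies of a crate are compiled in, so traits such as SeedableRng from one copy are not implemented by types from the other, and both versions need to be tracked for advisories.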

Copilot AI left a comment

Pull request overview

This PR upgrades the rand crate from version 0.9.2 to 0.10.0 and the futures crate family from 0.3.31 to 0.3.32. The upgrade removes the older rand_chacha dependency and introduces chacha20 0.10.0 along with several supporting cryptographic crates. However, there is a critical issue with the source code migration that will prevent the code from compiling.

Changes:

  • Upgrades rand from 0.9.2 to 0.10.0, replacing rand_chacha with chacha20
  • Upgrades futures ecosystem from 0.3.31 to 0.3.32 across all crates
  • Removes pin-utils dependency from futures-util
  • Adds new cryptographic dependencies: chacha20, cipher, block-buffer, hybrid-array, inout, crypto-common, and cpufeatures 0.3.0

Reviewed changes

Copilot reviewed 43 out of 44 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| src/zstdelta/mod.rs | Updates test code to use chacha20::ChaCha20Rng instead of rand_chacha::ChaChaRng (CRITICAL BUG: this type doesn't exist) |
| Cargo.toml | Updates rand to 0.10.0, replaces rand_chacha with chacha20 in dev-dependencies, updates futures to 0.3.32 |
| Cargo.lock | Reflects all dependency version changes and additions/removals |
| BUCK | Updates futures dependency paths to 0.3.32 versions |
| buckal.snap | Updates fingerprints for all changed dependencies |
| third-party/rust/crates/*/BUCK | Updates Buck build definitions for futures 0.3.32, rand 0.10.0, removes old rand/rand_chacha/rand_core versions, adds new crypto crates |

Comments suppressed due to low confidence (1)

Cargo.toml:66

  • The PR title "chore: bump rand to 0.10.0" doesn't fully capture the scope of changes. This PR also upgrades the futures crate family from 0.3.31 to 0.3.32, removes rand 0.9.2/rand_chacha 0.9.0/rand_core 0.9.3, and adds several new dependencies (chacha20, cipher, block-buffer, hybrid-array, inout, crypto-common, cpufeatures). Consider updating the PR title to reflect the broader dependency updates, such as "chore: bump rand to 0.10.0 and futures to 0.3.32".
rand = "0.10.0"
chacha20 = "0.10.0"


#[cfg(test)]
mod tests {
use chacha20::ChaCha20Rng;
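
Review bot: the `use chacha20::ChaCha20Rng;` line in `mod tests` takes the seeded test RNG from a crate that Cargo.toml pins on its own line (`chacha20 = "0.10.0"`) next to `rand = "0.10.0"`, and nothing in either place records that the two entries have to move together. Add a comment beside the `chacha20` entry saying it exists only for the test RNG and must match the version rand resolves to, or import the type through rand if it is available there, so that a later bump of one entry does not leave the tests building against a second copy of the crate.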
Copilot AI Feb 27, 2026

The chacha20 crate (version 0.10.0) is a cryptographic cipher library, not an RNG library. The type ChaCha20Rng does not exist in the chacha20 crate.

For rand 0.10.0, the correct import should be either:

  • use rand::rngs::ChaCha20Rng; if rand 0.10.0 re-exports it, or
  • Keep using rand_chacha crate (with an updated version compatible with rand 0.10.0)

The chacha20 crate provides the ChaCha20 stream cipher for encryption/decryption, not random number generation. This will cause a compilation error.

Suggested change
use chacha20::ChaCha20Rng;
use rand_chacha::ChaCha20Rng;

@genedna genedna merged commit 665ed69 into web3infra-foundation:main Feb 27, 2026
15 checks passed
genedna pushed a commit to genedna/git-internal that referenced this pull request Mar 15, 2026
Signed-off-by: jl.jiang <jiangjl9807@gmail.com>