From 6ec1b45571d9dc7cbda008b2d116bc762c60420c Mon Sep 17 00:00:00 2001
From: Harold Sun
Date: Wed, 27 May 2026 20:00:17 +0000
Subject: [PATCH] fix: update rand and rustls-webpki to resolve 4 security advisories

The nightly security audit reported the following advisories against transitive dependencies pinned in Cargo.lock:
- RUSTSEC-2026-0098 (rustls-webpki 0.103.10): URI name constraints were ignored and therefore accepted. Not reachable from this crate (no URI name assertions), but bumping to 0.103.13 brings in the fix.
- RUSTSEC-2026-0099 (rustls-webpki 0.103.10): DNS wildcard names were accepted under permitted-subtree name constraints. Reachable only after misissuance.
- RUSTSEC-2026-0104 (rustls-webpki 0.103.10): reachable panic when parsing a CRL with an empty BIT STRING in onlySomeReasons. Not reachable unless the application parses CRLs.
- RUSTSEC-2026-0097 (rand 0.8.5, informational/unsound): unsound when a custom log logger calls rand::rng() reentrantly during reseeding. Not reachable from this crate's usage of rand via tokio-retry.

All four are transitive: rustls-webpki comes in via hyper-rustls (dev-dep) and rand via tokio-retry. Both bumps are within the same SemVer minor (0.103.10 -> 0.103.13, 0.8.5 -> 0.8.6) so no API churn.

Lockfile-only change. cargo build --tests and cargo test --lib pass.
---
 Cargo.lock | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 95755783..18470ced 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1597,9 +1597,9 @@ checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
 
 [[package]]
 name = "rand"
-version = "0.8.5"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+checksum = "5ca0ecfa931c29007047d1bc58e623ab12e5590e8c7cc53200d5202b69266d8a"
 dependencies = [
  "libc",
  "rand_chacha",
@@ -1726,9 +1726,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-webpki"
-version = "0.103.10"
+version = "0.103.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
+checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e"
 dependencies = [
  "aws-lc-rs",
  "ring",