chore: fix deny checks #1752

Merged: LesnyRumcajs merged 1 commit into master from fix-deny-checks on Jun 11, 2026
@LesnyRumcajs

Fixes recent cargo deny check warnings.

❯ cargo deny check advisories
error[unmaintained]: proc-macro-error2 is unmaintained
    ┌─ /home/rumcajs/prj/builtin-actors/Cargo.lock:169:1
    │
169 │ proc-macro-error2 2.0.1 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unmaintained advisory detected
    │
    ├ ID: RUSTSEC-2026-0173
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0173
    ├ The author of `proc-macro-error2` has [confirmed](https://github.com/GnomedDev/proc-macro-error-2/issues/17#issuecomment-4643215473) that the crate is no longer maintained and recommends that users migrate away from it.

      `proc-macro-error2` was originally created as a maintained fork of [`proc-macro-error`](https://crates.io/crates/proc-macro-error) (see [RUSTSEC-2024-0370](https://rustsec.org/advisories/RUSTSEC-2024-0370)). Both the original crate and this fork are now unmaintained.

      ## Possible Alternative(s)

      - [manyhow](https://crates.io/crates/manyhow)
      - [proc-macro2-diagnostics](https://github.com/SergioBenitez/proc-macro2-diagnostics)
    ├ Announcement: https://github.com/GnomedDev/proc-macro-error-2/issues/17
    ├ Solution: No safe upgrade is available!
    ├ proc-macro-error2 v2.0.1
      ├── alloy-sol-macro v1.6.0
      │   └── alloy-sol-types v1.6.0
      │       └── alloy-core v1.6.0
      │           └── (dev) fil_actor_evm v18.0.0
      │               ├── (dev) fil_actor_eam v18.0.0
      │               │   └── fil_builtin_actors_bundle v18.0.0
      │               └── fil_builtin_actors_bundle v18.0.0 (*)
      └── alloy-sol-macro-expander v1.6.0
          └── alloy-sol-macro v1.6.0 (*)

error[unsound]: Rand is unsound with a custom logger using `rand::rng()`
    ┌─ /home/rumcajs/prj/builtin-actors/Cargo.lock:173:1
    │
173 │ rand 0.8.5 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unsound advisory detected
    │
    ├ ID: RUSTSEC-2026-0097
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0097
    ├ It has been reported (by @lopopolo) that the `rand` library is [unsound](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library) (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:

      - The `log` and `thread_rng` features are enabled
      - A [custom logger](https://docs.rs/log/latest/log/#implementing-a-logger) is defined
      - The custom logger accesses `rand::rng()` (previously `rand::thread_rng()`) and calls any `TryRng` (previously `RngCore`) methods on `ThreadRng`
      - The `ThreadRng` (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
      - Trace-level logging is enabled or warn-level logging is enabled and the random source (the `getrandom` crate) is unable to provide a new seed

      `TryRng` (previously `RngCore`) methods for `ThreadRng` use `unsafe` code to cast `*mut BlockRng<ReseedingCore>` to `&mut BlockRng<ReseedingCore>`. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of [aliased mutable references is Undefined Behaviour](https://doc.rust-lang.org/stable/nomicon/references.html), the behaviour of optimized builds is hard to predict.
    ├ Announcement: https://github.com/rust-random/rand/pull/1763
    ├ Solution: Upgrade to >=0.10.1 OR <0.10.0, >=0.9.3 OR <0.9.0, >=0.8.6 (try `cargo update -p rand`)
    ├ rand v0.8.5
      ├── etk-asm v0.3.0
      │   └── (dev) fil_actor_evm v18.0.0
      │       ├── (dev) fil_actor_eam v18.0.0
      │       │   └── fil_builtin_actors_bundle v18.0.0
      │       └── fil_builtin_actors_bundle v18.0.0 (*)
      └── substrate-bn v0.6.0
          └── fil_actor_evm v18.0.0 (*)

Copilot AI review requested due to automatic review settings June 11, 2026 13:26
@github-project-automation github-project-automation Bot moved this to 📌 Triage in FilOz Jun 11, 2026
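
How to read the `Solution:` line of the RUSTSEC-2026-0097 output above, as an added example that is not part of the pull request or the project's code. It assumes that alternatives are separated by `OR` and that the comma-separated comparators inside one alternative must all hold; the function names are hypothetical and only plain MAJOR.MINOR.PATCH versions are handled.

```rust
// Added example: evaluate the advisory's patched-version expression for a
// given crate version. Assumed reading: " OR " separates alternatives, and
// the comma-separated comparators inside one alternative must all hold.
type Version = (u64, u64, u64);

fn parse_version(s: &str) -> Option<Version> {
    // Plain MAJOR.MINOR.PATCH only; pre-release or build suffixes yield None.
    let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

fn comparator_holds(cmp: &str, v: Version) -> Option<bool> {
    let cmp = cmp.trim();
    // Two-character operators are tried before their one-character prefixes.
    for op in [">=", "<=", ">", "<", "="] {
        if let Some(rest) = cmp.strip_prefix(op) {
            let bound = parse_version(rest)?;
            return Some(match op {
                ">=" => v >= bound,
                "<=" => v <= bound,
                ">" => v > bound,
                "<" => v < bound,
                _ => v == bound,
            });
        }
    }
    None // unknown operator
}

/// Some(true) if `version` is inside any patched range, None on a parse error.
fn is_patched(solution: &str, version: &str) -> Option<bool> {
    let v = parse_version(version)?;
    let mut patched = false;
    for alternative in solution.split(" OR ") {
        let mut all_hold = true;
        for cmp in alternative.split(',') {
            all_hold &= comparator_holds(cmp, v)?;
        }
        patched |= all_hold;
    }
    Some(patched)
}

// Expression copied from the RUSTSEC-2026-0097 "Solution" line above.
const RAND_PATCHED: &str = ">=0.10.1 OR <0.10.0, >=0.9.3 OR <0.9.0, >=0.8.6";

fn main() {
    for v in ["0.8.5", "0.8.6", "0.9.2", "0.9.3", "0.10.0", "0.10.1"] {
        println!("rand {}: patched = {:?}", v, is_patched(RAND_PATCHED, v));
    }
}
```

The locked `rand 0.8.5` falls outside every alternative, while `0.8.6` satisfies the last one, which is the version the lockfile update moves to.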

Copilot AI left a comment

Pull request overview

This PR addresses recent cargo deny check advisory warnings by updating the lockfile to a patched rand version and documenting an unavoidable transitive unmaintained advisory via cargo-deny ignores.

Changes:

  • Add an ignore entry for RUSTSEC-2026-0173 (proc-macro-error2 unmaintained) in deny.toml.
  • Update rand in Cargo.lock from 0.8.5 to 0.8.6 to address the reported advisory.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| deny.toml | Adds an advisory ignore entry for an unmaintained transitive dependency. |
| Cargo.lock | Updates rand to 0.8.6 and propagates dependency/metadata changes accordingly. |

Comment thread deny.toml
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.56%. Comparing base (fdf08b1) to head (5851038).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #1752   +/-   ##
=======================================
  Coverage   90.56%   90.56%           
=======================================
  Files         140      140           
  Lines       27814    27814           
=======================================
  Hits        25189    25189           
  Misses       2625     2625           
@github-project-automation github-project-automation Bot moved this from 📌 Triage to ✔️ Approved by reviewer in FilOz Jun 11, 2026
@LesnyRumcajs LesnyRumcajs added this pull request to the merge queue Jun 11, 2026
Merged via the queue into master with commit 43587c5 Jun 11, 2026
13 checks passed
@LesnyRumcajs LesnyRumcajs deleted the fix-deny-checks branch June 11, 2026 13:52
@github-project-automation github-project-automation Bot moved this from ✔️ Approved by reviewer to 🎉 Done in FilOz Jun 11, 2026