chore: ignore RUSTSEC-2026-0037 and upgrade/consolidate dependencies (#419)

* fix: resolve compilation errors from rand 0.9 -> 0.10 upgrade

In rand 0.10, `RngCore` was removed from the root and `fill_bytes` moved
to the `Rng` trait, while `random_range` moved to the `RngExt` trait.
Revert sec1 to 0.7.3 since 0.8.0 requires der 0.8 which is incompatible
with the current pkcs8 0.10 / elliptic-curve 0.13 generation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: centralize all dependency versions in workspace Cargo.toml

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: inline reqwest/schemars workspace deps and upgrade nix to 0.31.2

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: add taplo.toml for consistent TOML formatting

Configures taplo to keep arrays and inline tables on single lines.
The VSCode "Even Better TOML" extension will automatically use this config.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: ignore RUSTSEC-2026-0037 (quinn-proto DoS)

The quinn-proto vulnerability is only reachable via reqwest's `http3`
feature, which is not enabled in this project.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci: add TOML formatting check using taplo

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci: fix taplo download URL and gunzip flags

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: remove taplo.toml and reformat TOML files with default settings

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: lwshang

.cargo/audit.toml

@@ -2,6 +2,7 @@
 ignore = [
   "RUSTSEC-2025-0140", # gix-date UTF-8 contract issue dependency of cargo-generate
   "RUSTSEC-2026-0001", # rkyv undefined behavior on OOM dependency of byte-unit
+  "RUSTSEC-2026-0037", # quinn-proto DoS - transitive via reqwest/ic-agent, quinn feature not used
 
   # Unmaintained crates (transitive dependencies)
   "RUSTSEC-2021-0127", # serde_cbor - dependency of ic-agent/ic-transport-types

.github/workflows/checks.yml

@@ -78,6 +78,23 @@ jobs:
       - name: Check formatting
         run: cargo fmt --all -- --check
 
+  toml-format:
+    name: toml-fmt:required
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+
+      - name: Install taplo
+        run: |
+          curl -fsSL https://github.com/tamasfe/taplo/releases/latest/download/taplo-linux-x86_64.gz \
+            | gunzip -c > taplo
+          chmod +x taplo
+          sudo mv taplo /usr/local/bin/taplo
+
+      - name: Check TOML formatting
+        run: taplo fmt --check
+
   #
   # Runs a series of checks to make sure that all the docs
   # that need to be generated have been genrated an are up