Bump base64-ng from 1.0.5 to 1.0.7 #4

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/base64-ng-1.0.7

@dependabot dependabot Bot commented on behalf of github Jun 7, 2026

Bumps base64-ng from 1.0.5 to 1.0.7.

Release notes

Sourced from base64-ng's releases.

base64-ng 1.0.7

Highlights

  • Enables the current bounded Kani proof gate on Rust 1.90.0 with cargo-kani 0.67.0.
  • Confirms 17 no-default-features Kani harnesses pass with 0 failures.
  • Strengthens constant-time-oriented byte accumulation through a non-inlined volatile helper.
  • Documents the new CT accumulator in the reviewed unsafe-boundary inventory.
  • Adds AArch64 CSDB attestation posture reporting through explicit --cfg base64_ng_aarch64_csdb_attested.
  • Keeps AArch64 attestation out of Cargo features, so --all-features cannot enable it accidentally.
  • Adds runtime memory-locking posture reporting for deployment audits.
  • Improves macOS CI verification by routing macOS runners through the dedicated macOS check script.
  • Expands documentation around Kani scope, CT posture, AArch64 attestation, and streaming decoder partial-output semantics.

Notes

base64-ng remains scalar-only in 1.0.7. The Kani evidence is scoped bounded proof coverage, not whole-crate formal verification or a formal cryptographic constant-time claim.

base64-ng 1.0.6

base64-ng v1.0.6

Highlights

  • Added alloc-gated convenience APIs:

    • base64_ng::encode
    • base64_ng::decode
  • Added new constant-time-oriented owned decode helpers:

    • ct::CtEngine::decode_vec
    • ct::CtEngine::decode_secret
    • ct::CtEngine::decode_secret_staged
  • Added public base64_ng::constant_time_eq for explicit best-effort, public-length byte comparison.

Security and Hardening

  • Added stack-staged owned secret decode for shared-memory, enclave-adjacent, HSM-style, and multi-principal deployments.
  • Made stream decoder over-reporting fail closed, matching stream encoder behavior.
  • Restored wipe_tail invariant checks so invalid internal offsets fail closed.
  • Strengthened documentation around transient plaintext windows in CT owned decode APIs.
  • Clarified that constant_time_eq is best-effort and not a formally verified MAC/password/token comparison primitive.
  • Removed redundant double-wiping in the CT owned decode path.

Documentation

  • Updated README examples for convenience encode/decode and CT secret decode.
  • Added guidance for staged secret decode.
  • Updated changelog, roadmap, migration docs, SIMD docs, and package metadata to 1.0.6.
  • Kept serde deferred as a future optional integration candidate instead of adding a dependency.

... (truncated)

Changelog

Sourced from base64-ng's changelog.

1.0.7 - 2026-06-07

  • Enabled the current full no-default-features Kani harness set on the pinned Rust 1.90.0 toolchain with cargo-kani 0.67.0.
  • Raised Kani harness unwind bounds for the fixed 64-step constant-time-oriented alphabet scanner and slice loops.
  • Gated inline assembly cleanup and constant-time result barriers out of Kani runs so the verifier models the compiler-fence fallback path instead of rejecting unreachable assembly.
  • Updated Kani documentation and trust-dashboard wording to distinguish the now-clean bounded harness set from a whole-crate or cryptographic formal-verification claim.
  • Strengthened constant-time-oriented byte accumulation through a non-inlined volatile helper, added AArch64 CSDB attestation posture reporting through an explicit custom cfg, exposed a programmatic memory-locking posture method, and documented streaming decoder partial-output semantics more prominently.
  • Updated unsafe-boundary validation and unsafe-site documentation for the reviewed constant-time accumulator helper.

1.0.6 - 2026-05-31

  • Added alloc-gated top-level base64_ng::encode and base64_ng::decode convenience wrappers for strict standard padded Base64 migration use cases.
  • Added alloc-gated ct::CtEngine::decode_vec and decode_secret helpers so sensitive payload callers have an owned constant-time-oriented decode path that clears failed allocations and can return a redacted SecretBuffer.
  • Added public base64_ng::constant_time_eq for explicit public-length best-effort equal-length scans, while keeping docs clear that it is not a formally verified MAC/password/token comparison primitive.
  • Expanded README and crate-level cookbook examples for CT owned secret decode and comparison ergonomics.
  • Strengthened idiomatic TryFrom/FromStr documentation for decoded and secret buffers so callers know those conversions always use strict standard Base64 and should use explicit engines or profiles for other alphabets.
  • Addressed 1.0.6 audit follow-up by making stream decoder over-reporting fail closed like the stream encoder, restoring wipe_tail invariant checks, documenting CT owned-decode transient plaintext behavior, and adding ct::CtEngine::decode_secret_staged for stack-staged owned secret decode.
  • Kept serde deferred as a future optional integration candidate instead of adding an external dependency to the 1.0.x line.

Commits

  • a2b0b20 Route macOS CI through verification script
  • 880340f Keep AArch64 attestation out of all-features
  • 0ef3e91 Update unsafe boundary for CT accumulator
  • 803b951 Prepare 1.0.7 release candidate
  • d942683 Harden CT posture reporting and docs
  • 98fbee2 Enable Kani proof gate on Rust 1.90
  • 6cac1b5 Address 1.0.6 pentest follow-ups
  • 45ef8b6 Prepare 1.0.6 secure ergonomics
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [base64-ng](https://github.com/valkyoth/base64-ng) from 1.0.5 to 1.0.7.
- [Release notes](https://github.com/valkyoth/base64-ng/releases)
- [Changelog](https://github.com/valkyoth/base64-ng/blob/main/CHANGELOG.md)
- [Commits](valkyoth/base64-ng@v1.0.5...v1.0.7)

---
updated-dependencies:
- dependency-name: base64-ng
  dependency-version: 1.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and rust (Pull requests that update rust code) labels Jun 7, 2026
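
The 1.0.6 and 1.0.7 notes above mention a public-length, best-effort `constant_time_eq` and byte accumulation through a non-inlined volatile helper. The Rust sketch below is an added example of that general pattern, not code from base64-ng or from this PR; `accumulate` and `ct_eq_sketch` are hypothetical names, and the result is best-effort only, not a verified comparison primitive.

```rust
use core::ptr;

/// Hypothetical helper: OR `diff` into the accumulator using volatile
/// accesses. `#[inline(never)]` stops the optimizer from fusing this into
/// the caller's loop, where it could reintroduce a data-dependent early exit.
#[inline(never)]
fn accumulate(acc: &mut u8, diff: u8) {
    let p: *mut u8 = acc;
    // SAFETY: `p` comes from a valid, aligned, exclusive reference to a u8.
    unsafe {
        let cur = ptr::read_volatile(p);
        ptr::write_volatile(p, cur | diff);
    }
}

/// Best-effort equal-length scan. Lengths are treated as public, so a
/// length mismatch returns immediately; contents are always scanned in full.
pub fn ct_eq_sketch(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut acc = 0u8;
    for (x, y) in a.iter().zip(b.iter()) {
        // x ^ y is zero only when the two bytes are equal.
        accumulate(&mut acc, x ^ y);
    }
    // SAFETY: `acc` is a live, initialized local.
    unsafe { ptr::read_volatile(&acc) == 0 }
}

fn main() {
    // Constructed sample values, not taken from the page.
    let stored = b"dG9rZW4tMTIzNA==";
    let good = b"dG9rZW4tMTIzNA==";
    let bad = b"dG9rZW4tMTIzNQ==";
    println!("match:    {}", ct_eq_sketch(stored, good));
    println!("mismatch: {}", ct_eq_sketch(stored, bad));
}
```
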