Bump base64-ng from 1.0.5 to 1.0.8 #5

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/base64-ng-1.0.8

dependabot (bot) commented on behalf of github on Jun 14, 2026

Bumps base64-ng from 1.0.5 to 1.0.8.

Release notes

Sourced from base64-ng's releases.

base64-ng 1.0.8

Highlights

  • Makes stream decoder internal queue-overflow paths fail closed like the encoder.
  • Adds DecodeErrorKind and DecodeError::kind() for redacted strict-error logging.
  • Splits AArch64 CSDB attestation into a distinct runtime posture: hardware-speculation-barrier-build-asserted.
  • Hardens CI toolchain bootstrap by requiring runner-provided rustup and cargo instead of downloading sh.rustup.rs.
  • Updates fuzz, dudect, and performance harness metadata to 1.0.8.
  • Expands security docs for strict decode error logging, input-size caps, AArch64 attestation, and CI bootstrap posture.

Notes

base64-ng remains scalar-only in 1.0.8. No runtime dependencies were added.

base64-ng 1.0.7

Highlights

  • Enables the current bounded Kani proof gate on Rust 1.90.0 with cargo-kani 0.67.0.
  • Confirms 17 no-default-features Kani harnesses pass with 0 failures.
  • Strengthens constant-time-oriented byte accumulation through a non-inlined volatile helper.
  • Documents the new CT accumulator in the reviewed unsafe-boundary inventory.
  • Adds AArch64 CSDB attestation posture reporting through explicit --cfg base64_ng_aarch64_csdb_attested.
  • Keeps AArch64 attestation out of Cargo features, so --all-features cannot enable it accidentally.
  • Adds runtime memory-locking posture reporting for deployment audits.
  • Improves macOS CI verification by routing macOS runners through the dedicated macOS check script.
  • Expands documentation around Kani scope, CT posture, AArch64 attestation, and streaming decoder partial-output semantics.

Notes

base64-ng remains scalar-only in 1.0.7. The Kani evidence is scoped bounded proof coverage, not whole-crate formal verification or a formal cryptographic constant-time claim.

base64-ng 1.0.6

base64-ng v1.0.6

Highlights

  • Added alloc-gated convenience APIs:

    • base64_ng::encode
    • base64_ng::decode
  • Added new constant-time-oriented owned decode helpers:

    • ct::CtEngine::decode_vec
    • ct::CtEngine::decode_secret
    • ct::CtEngine::decode_secret_staged
  • Added public base64_ng::constant_time_eq for explicit best-effort, public-length byte comparison.

Security and Hardening

... (truncated)

Changelog

Sourced from base64-ng's changelog.

1.0.8 - 2026-06-09

  • Made stream decoder queue-overflow paths latch their failed state, matching the encoder fail-closed behavior for unreachable internal queue capacity errors.
  • Added DecodeErrorKind and DecodeError::kind() so applications can log strict decode error classes without logging input-derived bytes or indexes.
  • Split AArch64 CSDB attestation reporting into a distinct hardware-speculation-barrier-build-asserted posture so audit logs preserve the operator-attestation boundary.
  • Hardened CI toolchain bootstrap by requiring runner-provided rustup and cargo instead of downloading and executing sh.rustup.rs during CI.
  • Updated fuzz, dudect, and performance harness path dependency metadata to 1.0.8.

1.0.7 - 2026-06-07

  • Enabled the current full no-default-features Kani harness set on the pinned Rust 1.90.0 toolchain with cargo-kani 0.67.0.
  • Raised Kani harness unwind bounds for the fixed 64-step constant-time-oriented alphabet scanner and slice loops.
  • Gated inline assembly cleanup and constant-time result barriers out of Kani runs so the verifier models the compiler-fence fallback path instead of rejecting unreachable assembly.
  • Updated Kani documentation and trust-dashboard wording to distinguish the now-clean bounded harness set from a whole-crate or cryptographic formal-verification claim.
  • Strengthened constant-time-oriented byte accumulation through a non-inlined volatile helper, added AArch64 CSDB attestation posture reporting through an explicit custom cfg, exposed a programmatic memory-locking posture method, and documented streaming decoder partial-output semantics more prominently.
  • Updated unsafe-boundary validation and unsafe-site documentation for the reviewed constant-time accumulator helper.

1.0.6 - 2026-05-31

  • Added alloc-gated top-level base64_ng::encode and base64_ng::decode convenience wrappers for strict standard padded Base64 migration use cases.
  • Added alloc-gated ct::CtEngine::decode_vec and decode_secret helpers so sensitive payload callers have an owned constant-time-oriented decode path that clears failed allocations and can return a redacted SecretBuffer.
  • Added public base64_ng::constant_time_eq for explicit public-length best-effort equal-length scans, while keeping docs clear that it is not a formally verified MAC/password/token comparison primitive.
  • Expanded README and crate-level cookbook examples for CT owned secret decode and comparison ergonomics.
  • Strengthened idiomatic TryFrom/FromStr documentation for decoded and secret buffers so callers know those conversions always use strict standard Base64 and should use explicit engines or profiles for other alphabets.
  • Addressed 1.0.6 audit follow-up by making stream decoder over-reporting

... (truncated)

Commits
  • 6d2f4fa Prepare 1.0.8 release candidate
  • 3be876d Harden audit logging and stream fail-closed paths
  • a2b0b20 Route macOS CI through verification script
  • 880340f Keep AArch64 attestation out of all-features
  • 0ef3e91 Update unsafe boundary for CT accumulator
  • 803b951 Prepare 1.0.7 release candidate
  • d942683 Harden CT posture reporting and docs
  • 98fbee2 Enable Kani proof gate on Rust 1.90
  • 6cac1b5 Address 1.0.6 pentest follow-ups
  • 45ef8b6 Prepare 1.0.6 secure ergonomics
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
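
The 1.0.8 notes in the description above name two defensive patterns: logging only an error class rather than input-derived bytes or indexes, and a stream decoder that latches its failed state. The Rust sketch below is an added example, not code from base64-ng or from this PR; `ErrorClass`, `StrictError`, `LatchingDecoder` and `log_line` are hypothetical names, the decoder accepts only whole unpadded 4-character groups, and the sample chunks are constructed.

```rust
// Added sketch: every type name here is hypothetical, not base64-ng's API.
const ALPHABET: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ErrorClass { InvalidByte, InvalidLength, Poisoned }
#[derive(Debug)]
pub enum StrictError {
    InvalidByte { index: usize, byte: u8 }, // input-derived: keep out of logs
    InvalidLength { len: usize },           // input-derived: keep out of logs
    Poisoned,                               // an earlier push already failed
}
impl StrictError {
    /// Coarse class only; carries nothing derived from the input.
    pub fn class(&self) -> ErrorClass {
        match self {
            StrictError::InvalidByte { .. } => ErrorClass::InvalidByte,
            StrictError::InvalidLength { .. } => ErrorClass::InvalidLength,
            StrictError::Poisoned => ErrorClass::Poisoned,
        }
    }
}
/// Log line built from the class alone, never from `{:?}` of the full error.
pub fn log_line(e: &StrictError) -> String {
    format!("base64 decode rejected: class={:?}", e.class())
}

/// Decodes chunks of whole unpadded 4-character groups; any error latches.
pub struct LatchingDecoder { failed: bool, seen: usize }
impl LatchingDecoder {
    pub fn new() -> Self { Self { failed: false, seen: 0 } }
    pub fn push(&mut self, chunk: &[u8], out: &mut Vec<u8>) -> Result<(), StrictError> {
        if self.failed { return Err(StrictError::Poisoned); } // stay failed
        self.failed = true; // fail closed: cleared only on the success path below
        if chunk.len() % 4 != 0 { return Err(StrictError::InvalidLength { len: chunk.len() }); }
        let mut acc = 0u32;
        for (i, &b) in chunk.iter().enumerate() {
            let v = ALPHABET.iter().position(|&a| a == b)
                .ok_or(StrictError::InvalidByte { index: self.seen + i, byte: b })?;
            acc = (acc << 6) | v as u32;
            if i % 4 == 3 { out.extend_from_slice(&acc.to_be_bytes()[1..]); acc = 0; }
        }
        self.seen += chunk.len();
        self.failed = false; // whole chunk decoded: safe to accept more input
        Ok(())
    }
}
fn main() {
    let (mut d, mut out) = (LatchingDecoder::new(), Vec::new());
    // Constructed sample chunks: valid, invalid byte, then valid again (rejected by the latch).
    for c in [&b"QUJD"[..], &b"RE*G"[..], &b"QUJD"[..]] {
        if let Err(e) = d.push(c, &mut out) { println!("{}", log_line(&e)); }
    }
}
```

Output written before the failing chunk stays in `out`, so a caller has to discard it once `push` returns an error.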

Bumps [base64-ng](https://github.com/valkyoth/base64-ng) from 1.0.5 to 1.0.8.
- [Release notes](https://github.com/valkyoth/base64-ng/releases)
- [Changelog](https://github.com/valkyoth/base64-ng/blob/main/CHANGELOG.md)
- [Commits](valkyoth/base64-ng@v1.0.5...v1.0.8)

---
updated-dependencies:
- dependency-name: base64-ng
  dependency-version: 1.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot (bot) added the labels "dependencies" (Pull requests that update a dependency file) and "rust" (Pull requests that update rust code) on Jun 14, 2026