Bump base64-ng from 1.0.5 to 1.0.6 #3

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/base64-ng-1.0.6

dependabot Bot commented on behalf of github on May 31, 2026

Bumps base64-ng from 1.0.5 to 1.0.6.

Release notes

Sourced from base64-ng's releases.

base64-ng 1.0.6

base64-ng v1.0.6

Highlights

  • Added alloc-gated convenience APIs:

    • base64_ng::encode
    • base64_ng::decode
  • Added new constant-time-oriented owned decode helpers:

    • ct::CtEngine::decode_vec
    • ct::CtEngine::decode_secret
    • ct::CtEngine::decode_secret_staged
  • Added public base64_ng::constant_time_eq for explicit best-effort, public-length byte comparison.

Security and Hardening

  • Added stack-staged owned secret decode for shared-memory, enclave-adjacent, HSM-style, and multi-principal deployments.
  • Made stream decoder over-reporting fail closed, matching stream encoder behavior.
  • Restored wipe_tail invariant checks so invalid internal offsets fail closed.
  • Strengthened documentation around transient plaintext windows in CT owned decode APIs.
  • Clarified that constant_time_eq is best-effort and not a formally verified MAC/password/token comparison primitive.
  • Removed redundant double-wiping in the CT owned decode path.

Documentation

  • Updated README examples for convenience encode/decode and CT secret decode.
  • Added guidance for staged secret decode.
  • Updated changelog, roadmap, migration docs, SIMD docs, and package metadata to 1.0.6.
  • Kept serde deferred as a future optional integration candidate instead of adding a dependency.

Validation

  • Added tests for staged CT secret decode.
  • Added tests for stream decoder fail-closed behavior.
  • Release checks and GitHub CI are green.
Changelog

Sourced from base64-ng's changelog.

1.0.6 - 2026-05-31

  • Added alloc-gated top-level base64_ng::encode and base64_ng::decode convenience wrappers for strict standard padded Base64 migration use cases.
  • Added alloc-gated ct::CtEngine::decode_vec and decode_secret helpers so sensitive payload callers have an owned constant-time-oriented decode path that clears failed allocations and can return a redacted SecretBuffer.
  • Added public base64_ng::constant_time_eq for explicit public-length best-effort equal-length scans, while keeping docs clear that it is not a formally verified MAC/password/token comparison primitive.
  • Expanded README and crate-level cookbook examples for CT owned secret decode and comparison ergonomics.
  • Strengthened idiomatic TryFrom/FromStr documentation for decoded and secret buffers so callers know those conversions always use strict standard Base64 and should use explicit engines or profiles for other alphabets.
  • Kept serde deferred as a future optional integration candidate instead of adding an external dependency to the 1.0.x line.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [base64-ng](https://github.com/valkyoth/base64-ng) from 1.0.5 to 1.0.6.
- [Release notes](https://github.com/valkyoth/base64-ng/releases)
- [Changelog](https://github.com/valkyoth/base64-ng/blob/main/CHANGELOG.md)
- [Commits](valkyoth/base64-ng@v1.0.5...v1.0.6)

---
updated-dependencies:
- dependency-name: base64-ng
  dependency-version: 1.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and rust (Pull requests that update rust code) labels on May 31, 2026
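
The release notes describe `constant_time_eq` as a best-effort, public-length comparison. The following is an added example, not part of this pull request and not base64-ng's implementation, showing what those two qualifiers mean in practice; the function names `early_exit_eq` and `public_len_ct_eq` and the sample token are assumptions constructed for illustration.

```rust
use std::hint::black_box;

/// Early-exit comparison that also reports how many byte pairs it examined.
/// That count tracks the position of the first mismatch: the timing signal.
fn early_exit_eq(a: &[u8], b: &[u8]) -> (bool, usize) {
    if a.len() != b.len() {
        return (false, 0);
    }
    for (i, (x, y)) in a.iter().zip(b).enumerate() {
        if x != y {
            return (false, i + 1);
        }
    }
    (true, a.len())
}

/// Hypothetical helper, not base64-ng's code. The length check may return
/// early because length is treated as public; the scan never does.
fn public_len_ct_eq(a: &[u8], b: &[u8]) -> (bool, usize) {
    if a.len() != b.len() {
        return (false, 0);
    }
    let mut diff = 0u8;
    let mut steps = 0usize;
    for (x, y) in a.iter().zip(b) {
        // black_box only discourages the optimiser; it is not a guarantee,
        // which is why such a scan is "best-effort".
        diff |= black_box(x ^ y);
        steps += 1;
    }
    (black_box(diff) == 0, steps)
}

fn main() {
    // Constructed sample values, 28 bytes each.
    let expected = *b"constructed-token-0123456789";
    let (mut first, mut last) = (expected, expected);
    first[0] ^= 1; // mismatch in the first byte
    last[27] ^= 1; // mismatch in the last byte
    for (name, cand) in [("first", first), ("last", last), ("equal", expected)] {
        println!(
            "{name}: early-exit {:?}, full scan {:?}",
            early_exit_eq(&expected, &cand),
            public_len_ct_eq(&expected, &cand)
        );
    }
}
```

The step count stands in for elapsed time: the early-exit version's work depends on where the inputs differ, while the full scan's work depends only on the (public) length.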