
deps(deps): bump the crypto-stack group across 1 directory with 6 updates#48

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/cargo/crypto-stack-348556332a

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 7, 2026

Bumps the crypto-stack group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| blake3 | 1.8.3 | 1.8.5 |
| aes | 0.8.4 | 0.9.0 |
| cipher | 0.4.4 | 0.5.1 |
| xts-mode | 0.5.1 | 0.6.0 |
| hmac | 0.12.1 | 0.13.0 |
| sha2 | 0.10.9 | 0.11.0 |

Updates blake3 from 1.8.3 to 1.8.5

Release notes

Sourced from blake3's releases.

1.8.5

version 1.8.5

Changes since 1.8.4:

  • Forcibly disable LTO when compiling C intrinsics from the Rust build. This fixes a build break on Arch Linux ARM: BLAKE3-team/BLAKE3#550

1.8.4

version 1.8.4

Changes since 1.8.3:

  • Updated the digest dependency from v0.10 to v0.11. THIS IS A POTENTIALLY BREAKING CHANGE for callers using the traits-preview Cargo feature. But this is not considered a breaking change for the blake3 crate itself; see the docs for traits-preview.
  • Performance for WASM SIMD targets is improved by ~20% when the wasm32_simd feature is enabled. Contributed by @lamb356.
Commits
  • 93a431c version 1.8.5
  • 299b1e2 fix LTO builds by disabling LTO
  • 6a45fee add LTO builds to CI
  • 15e83a5 c: Use correct SIMD flags when compiling with Clang-Cl (#549)
  • 2e3727d cargo fmt everywhere
  • b97a24f version 1.8.4
  • 0ebe469 update to new rustcrypto trait releases
  • d4b005a wasm32_simd: use i8x16_shuffle for rot8 and rot16
  • 6eebbbd fix a struct size mismatch in tests
  • fb1411e c: use SIZE_MAX instead of -1 for size_t sentinels, add <stdint.h>
  • See full diff in compare view

Updates aes from 0.8.4 to 0.9.0

Commits

Updates cipher from 0.4.4 to 0.5.1

Commits

Updates xts-mode from 0.5.1 to 0.6.0

Changelog

Sourced from xts-mode's changelog.

[0.6.0] - 2026-05-05

Changed

  • Breaking: Update cipher to 0.5.1 and aes examples / tests to 0.9.0.
  • Breaking: The cipher block size is now enforced at the type level.
    • This also removes the possibility of methods panicking due to an incorrect block size.
  • Breaking: Tweak inputs and examples now use hybrid_array::Array instead of the array primitive, following upstream.
  • Increase MSRV to 1.85 and update to edition 2024.
  • Improve and simplify core logic

Removed

  • Breaking: Remove unused std feature.
  • Remove byteorder dependency.
  • Remove trait bounds from the Xts128 struct, applying them only to implementations.
Commits
  • ce5a8ef Bump version and update CHANGELOG.md
  • 338c6f6 Update top-level docs and README.md
  • f628265 Simplify panic message
  • 15c3673 Simplify galois_field_128_mul_le
  • 6b2259d Simplify stealing logic
  • 405a564 Remove trait bounds from Xts128 struct
  • 7a68d8e Use hybrid-array instead of primitive array
  • 1e4b5c4 Update to cipher 0.5 and aes to 0.9
  • 880f316 Remove byteorder dependency
  • 3d7838c Remove unused std feature
  • Additional commits viewable in compare view

Updates hmac from 0.12.1 to 0.13.0

Commits

Updates sha2 from 0.10.9 to 0.11.0

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…ates

Bumps the crypto-stack group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [blake3](https://github.com/BLAKE3-team/BLAKE3) | `1.8.3` | `1.8.5` |
| [aes](https://github.com/RustCrypto/block-ciphers) | `0.8.4` | `0.9.0` |
| [cipher](https://github.com/RustCrypto/traits) | `0.4.4` | `0.5.1` |
| [xts-mode](https://github.com/pheki/xts-mode) | `0.5.1` | `0.6.0` |
| [hmac](https://github.com/RustCrypto/MACs) | `0.12.1` | `0.13.0` |
| [sha2](https://github.com/RustCrypto/hashes) | `0.10.9` | `0.11.0` |



Updates `blake3` from 1.8.3 to 1.8.5
- [Release notes](https://github.com/BLAKE3-team/BLAKE3/releases)
- [Commits](BLAKE3-team/BLAKE3@1.8.3...1.8.5)

Updates `aes` from 0.8.4 to 0.9.0
- [Commits](RustCrypto/block-ciphers@aes-v0.8.4...aes-v0.9.0)

Updates `cipher` from 0.4.4 to 0.5.1
- [Commits](RustCrypto/traits@cipher-v0.4.4...cipher-v0.5.1)

Updates `xts-mode` from 0.5.1 to 0.6.0
- [Changelog](https://github.com/pheki/xts-mode/blob/main/CHANGELOG.md)
- [Commits](pheki/xts-mode@v0.5.1...v0.6.0)

Updates `hmac` from 0.12.1 to 0.13.0
- [Commits](RustCrypto/MACs@hmac-v0.12.1...hmac-v0.13.0)

Updates `sha2` from 0.10.9 to 0.11.0
- [Commits](RustCrypto/hashes@sha2-v0.10.9...sha2-v0.11.0)

---
updated-dependencies:
- dependency-name: blake3
  dependency-version: 1.8.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: crypto-stack
- dependency-name: aes
  dependency-version: 0.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: crypto-stack
- dependency-name: cipher
  dependency-version: 0.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: crypto-stack
- dependency-name: xts-mode
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: crypto-stack
- dependency-name: hmac
  dependency-version: 0.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: crypto-stack
- dependency-name: sha2
  dependency-version: 0.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: crypto-stack
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github May 7, 2026

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added the security label May 7, 2026
@dependabot dependabot Bot requested a review from saworbit as a code owner May 7, 2026 22:58
@dependabot dependabot Bot added the security label May 7, 2026
@github-actions github-actions Bot added build and removed security labels May 7, 2026
@augmentcode

augmentcode Bot commented May 7, 2026

🤖 Augment PR Summary

Summary: This PR updates the workspace’s Tier-0 cryptography dependency set (“crypto-stack” Dependabot group).

Changes:

  • Bumped blake3 from 1.8.3 to 1.8.5 (patch release).
  • Bumped aes from 0.8.4 to 0.9.0 (breaking semver change for 0.x).
  • Bumped cipher from 0.4.4 to 0.5.1 (breaking semver change for 0.x).
  • Bumped xts-mode from 0.5.1 to 0.6.0 (breaking semver change for 0.x; ties to XTS usage).
  • Bumped hmac from 0.12.1 to 0.13.0 (breaking semver change for 0.x).
  • Bumped sha2 from 0.10.9 to 0.11.0 (breaking semver change for 0.x).

Technical Notes: These are pinned exact versions under [workspace.dependencies] and affect Phase 3 encryption primitives (XTS/AES/HMAC/SHA2) used by crates/encryption.



@augmentcode augmentcode Bot left a comment


Review completed. 2 suggestions posted.


Comment augment review to trigger a new review at any time.

Comment thread Cargo.toml
aes = { version = "=0.8.4" } # 2025-11-03 sw: AES-NI optimized, matches Phase3 design
cipher = { version = "=0.4.4" } # 2025-11-03 sw: trait glue for AES/Poly1305 stack
xts-mode = { version = "=0.5.1" } # 2025-11-03 sw: XTS primitive, matches patentable_concepts.md guidance
aes = { version = "=0.9.0" } # 2025-11-03 sw: AES-NI optimized, matches Phase3 design
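Review bot: the only changed line visible here is the aes pin moving to 0.9.0, while the cipher and xts-mode pins shown beside it are old-side context; the xts-mode 0.6.0 changelog quoted above lists three breaking API changes (the cipher 0.5 update, block size enforced at the type level, tweak inputs taken as hybrid_array::Array), and the aes/cipher/hmac/sha2 bumps are all 0.x breaking moves. As far as the visible diff shows, this commit touches only Cargo.toml, yet the summary names crates/encryption as the consumer of the XTS/AES/HMAC/SHA2 stack, so the PR should either carry the call-site migration for those crates or state that none was needed, and should show the XTS known-answer tests re-run against 0.6.0 so reviewers can see the type-level block-size change did not alter ciphertext.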

@augmentcode augmentcode Bot May 7, 2026


aes/cipher/xts-mode/hmac/sha2 are all breaking bumps (0.x minor-to-minor), and docs/dependency-security.md says Dependabot major bumps require manual migration/review (and typically attached audit artifacts) before merging. As-is this looks like it may violate that policy even if CI is green.

Severity: medium

Other Locations
  • Cargo.toml:82
  • Cargo.toml:83
  • Cargo.toml:87
  • Cargo.toml:88



Comment thread Cargo.toml
serde_json = { version = "=1.0.145" } # 2025-11-03 sw: deterministic JSON for protocol surfaces
serde_yaml = { version = "0.9" } # YAML parsing for CLI policies
blake3 = { version = "=1.8.3" } # 2025-11-03 sw: convergent hash, SIMD constant-time per upstream audit
blake3 = { version = "=1.8.5" } # 2025-11-03 sw: convergent hash, SIMD constant-time per upstream audit
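Review bot: the blake3 release notes quoted above flag 1.8.4 as potentially breaking for callers that enable the traits-preview Cargo feature (digest moved from 0.10 to 0.11), and the pin line here shows no feature list, so the reviewer cannot tell from this hunk whether crates/encryption relies on the digest traits; the PR description or the pin comment should state which blake3 features are in use, and the "SIMD constant-time per upstream audit" note should name the audited version now that the pin no longer matches the one the note was written for.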

@augmentcode augmentcode Bot May 7, 2026


The Tier-0 pin comment still shows the old review timestamp/initials even though the pinned version changed; per docs/dependency-security.md “Pinning & Metadata”, the reviewer/timestamp note is supposed to reflect the approved version. Otherwise the manifest comment trail becomes misleading for crypto review/audit purposes.

Severity: low

Other Locations
  • Cargo.toml:81
  • Cargo.toml:82
  • Cargo.toml:83
  • Cargo.toml:87
  • Cargo.toml:88


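As an added example (not code from this PR or the repository), a manifest lint for the "Pinning & Metadata" rule the review cites: every Tier-0 crate must be an exact `=x.y.z` pin, and its `# YYYY-MM-DD initials:` review stamp must match the version that was actually approved. The manifest fragment and the approval table are constructed stand-ins; the real format of docs/dependency-security.md is not shown on the page and is assumed here.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum Finding {
    NotExactPin(String),        // crate: version spec is not "=x.y.z"
    MissingStamp(String),       // crate: no "# YYYY-MM-DD initials:" review stamp
    StaleStamp(String, String), // crate, pinned version: stamp differs from the approval record
}

/// Parse `name = { version = "=1.8.5" } # 2025-11-03 sw: note` into (name, spec, stamp).
/// The stamp is the comment text before the first ':' and must begin with the date.
pub fn parse_line(line: &str) -> Option<(String, String, Option<String>)> {
    let (name, rest) = line.split_once('=')?;
    let (body, comment) = rest.split_once('#').unwrap_or((rest, ""));
    let after = &body[body.find("version")?..];
    let start = after.find('"')? + 1;
    let spec = &after[start..start + after[start..].find('"')?];
    let stamp = comment.split(':').next().unwrap_or("").trim();
    let stamp = stamp.starts_with(|c: char| c.is_ascii_digit()).then(|| stamp.to_string());
    Some((name.trim().to_string(), spec.to_string(), stamp))
}

/// `approved` maps each Tier-0 crate to the (version, stamp) pair recorded at review time.
/// Crates absent from the table are not Tier-0 and are skipped.
pub fn lint_manifest(manifest: &str, approved: &HashMap<&str, (&str, &str)>) -> Vec<Finding> {
    let mut out = Vec::new();
    for line in manifest.lines() {
        let Some((name, spec, stamp)) = parse_line(line) else { continue };
        let Some(&(ok_ver, ok_stamp)) = approved.get(name.as_str()) else { continue };
        let Some(ver) = spec.strip_prefix('=') else { out.push(Finding::NotExactPin(name)); continue };
        match stamp {
            None => out.push(Finding::MissingStamp(name)),
            Some(s) if ver != ok_ver || s != ok_stamp => out.push(Finding::StaleStamp(name, ver.to_string())),
            _ => {}
        }
    }
    out
}

/// Constructed manifest fragment modelled on the lines quoted in the review above.
pub const SAMPLE: &str = "serde_yaml = { version = \"0.9\" } # YAML parsing for CLI policies\n\
    blake3 = { version = \"=1.8.5\" } # 2025-11-03 sw: convergent hash, stamp not refreshed\n\
    xts-mode = { version = \"=0.5.1\" } # 2025-11-03 sw: XTS primitive\n\
    hmac = { version = \"=0.13.0\" }\n\
    sha2 = { version = \"0.11\" } # 2026-05-07 sw: not an exact pin\n";

/// Constructed stand-in for the approval record docs/dependency-security.md would hold.
pub fn approved() -> HashMap<&'static str, (&'static str, &'static str)> {
    HashMap::from([("blake3", ("1.8.3", "2025-11-03 sw")), ("xts-mode", ("0.5.1", "2025-11-03 sw")),
                   ("hmac", ("0.12.1", "2025-11-03 sw")), ("sha2", ("0.10.9", "2025-11-03 sw"))])
}
```

Run against the sample, the lint reports blake3 (version changed, stamp not refreshed), hmac (no stamp) and sha2 (caret-style range instead of an exact pin) while xts-mode and the non-Tier-0 serde_yaml pass.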
