base64-ng defaults to zero external crates in the published package. That is
a security and maintenance choice: Base64 is infrastructure code, and every
new dependency expands the audit, license, advisory, and supply-chain surface.
Cargo.tomlhas no normal, build, or dev dependencies.scripts/validate-dependencies.shfails if the root crate dependency graph contains anything beyondbase64-ngitself.scripts/check_reserved_features.shverifies thattokio,kani, andfuzzingremain inert and dependency-free until admitted, and that deferred integration features such asserde,bytes,zeroize,subtle, andcriterionare not exposed before dependency admission.allow-wasm32-best-effort-wipeis a dependency-free policy feature, not a dependency admission. It is required to build forwasm32, where cleanup is limited to a compiler-fence-only wipe barrier.allow-compiler-fence-only-wipeis a dependency-free policy feature, not a dependency admission. It is required to build unsupported native architectures that do not have abase64-nghardware wipe barrier and therefore fall back to compiler-fence-only cleanup.base64_ng_aarch64_csdb_attestedis a dependency-free custom cfg operator attestation, not a dependency admission and not a Cargo feature. It should only be enabled after the deployment has evidence that the target AArch64 core treats CSDB as an effective speculation barrier for the CT result gate. Builds that set it reporthardware-speculation-barrier-build-assertedso audit logs preserve the operator-attestation boundary.base64-ng-sanitizationis an optional companion package for applications that already admitsanitization; it is not a dependency of the corebase64-ngpackage. Its1.2.xline requires an exactsanitization=1.2.4dependency so callers can usesanitization::ct::Choice, native constant-time-oriented equality helpers, and opt-in locked-secret fill APIs without adding dependencies to the core crate. Release review must verify the crates.io owner set forsanitizationbefore publishing companion updates because that crate sits directly in the optional secret-cleanup dependency chain.base64-ng-deriveis an optional companion package for fixed-size byte newtypes. It is dependency-free and does not add proc-macro machinery to the corebase64-ngpackage.base64-ng-serde,base64-ng-bytes,base64-ng-subtle, andbase64-ng-tokioare optional companion packages for applications that already admitserde,bytes,subtle, ortokio; they are not dependencies of the corebase64-ngpackage.- Fuzz, performance, and dudect-style timing harness dependencies are isolated
under
fuzz/,perf/, anddudect/; the standard local gate checks them separately from the published crate dependency graph. - CI toolchain setup requires
rustupandcargofrom the runner image. The repository script intentionally refuses unauthenticatedcurl | shrustup bootstrap during CI; missing toolchain managers are treated as infrastructure failures, not as a reason to execute freshly downloaded shell installers.
The v1.0 release keeps the core base64-ng package dependency-free.
Optional ecosystem integrations may be admitted only as separate companion
crates with their own dependency review and release checks.
Current decisions:
base64-ng-sanitizationis admitted as a companion crate because it keeps the core package dependency-free while giving applications that already usesanitizationa direct CT decode path into clear-on-drop secret containers. Its optionalhigh-assurancefeature admitssanitizationmemory-locking, canary-check, and random-canary features so supported native deployments can decode directly into locked mappings throughLockedSecretBytesorLockedSecretVec.base64-ng-deriveis admitted as a companion crate because it keeps proc-macro code and generated newtype ergonomics outside the core package. The derive surface is intentionally limited to tuple structs with one[u8; N]field.base64-ng-serdeis admitted as a companion crate because serialization remains explicit at the field boundary and does not hide alphabet or padding choices inside the core package.base64-ng-bytesis admitted as a companion crate because services that already usebytescan opt intoBytes,Buf, andBufMuthelpers without addingbytesto the core package.base64-ng-subtleis admitted as a companion crate because authentication, MAC, password-hash, and token verification boundaries can opt into a reviewedsubtle::ConstantTimeEqprimitive without addingsubtleto the core package.base64-ng-tokiois admitted as a companion crate for async read-all/write-all helpers, including caller-limited variants for peer-controlled request or frame boundaries, and manualAsyncRead/AsyncWritestreaming adapters with fixed buffers and drop cleanup. Writer adapters finalize pending Base64 tails duringAsyncWrite::poll_shutdown; callers must drive shutdown to completion before extracting the wrapped writer.- The core
tokiofeature remains reserved and inert by design. The async cancellation, drop cleanup, chunk-boundary, dependency, and release-evidence requirements have been satisfied forbase64-ng-tokio; moving Tokio into the core crate would require a separate dependency admission review. zeroizeremains deferred for the core crate; applications can combine their own approved dependencies with caller-owned buffers whilebase64-ngkeeps its audited local best-effort helpers dependency-free.subtleis admitted only throughbase64-ng-subtle, not through the core crate.- Property-testing and benchmark frameworks remain isolated or deferred; fuzz, dudect-style timing, and performance harnesses stay outside the published crate package.
Before adding any dependency to the published crate, the change must document:
- Why
core,alloc, orstdis not sufficient. - Whether the dependency is runtime, build-time, dev-only, feature-gated, or tool-only.
- The full transitive dependency graph.
- License compatibility with
MIT OR Apache-2.0. - RustSec advisory status and yanked-release status.
- Whether the dependency works under the crate's supported
no_stdfeature combinations. - Whether the dependency changes MSRV, build reproducibility, or target support.
- How the dependency is disabled for users who do not need the feature.
The release gate must remain clean after the change:
scripts/checks.sh
scripts/stable_release_gate.sh releaseAt minimum, evidence must include:
cargo treefor the affected feature set.cargo deny check.cargo audit.scripts/check_scheduled_advisories.shthrough the daily and manually dispatchable security-audit workflow.cargo license --json.- Updated release notes and migration/security documentation when the public API or threat model changes.
The following are rejected unless a specific review proves they are necessary:
- Helper crates for small bit manipulation, table generation, feature selection, error formatting, or simple CLI behavior.
- Git dependencies.
- Default-feature runtime dependencies.
- Dependencies with unclear licensing, unmaintained status, active security advisories, yanked releases, or unnecessary transitive graphs.
The following integrations are intentionally not admitted in the published core crate today:
tokio: the core feature remains reserved and inert. Usebase64-ng-tokiofor the admitted read-all/write-all helper surface and reader/writer streaming adapters. Prefer caller-limited helpers for peer-controlled input.serde: usebase64-ng-serdewhen explicit serialization wrappers or field-level modules for Standard, URL-safe, MIME, or PEM profiles are needed. The core crate does not admitserde.bytes: usebase64-ng-byteswhenBytes,Buf, orBufMutintegration is needed. The core crate does not admitbytes.zeroize: deferred unless a review proves that the dependency materially improves the documented best-effort cleanup posture beyond the current audited local helpers.subtle: usebase64-ng-subtlewhen protocol code needs a reviewed constant-time equality primitive for decoded or encoded buffers.- Criterion or other benchmark frameworks: keep benchmark evidence isolated unless the added dependency graph clearly improves release evidence quality.
These are product decisions as much as technical ones. The crate is allowed to remain smaller than the broader ecosystem when dependency-free APIs preserve explicit security semantics.
Downstream applications may still combine base64-ng with their own approved
dependencies. For example, a service with an existing zeroize policy can
decode into a caller-owned buffer with decode_slice_clear_tail and then call
Zeroize::zeroize() on that buffer after the protocol step is complete. That
keeps the published base64-ng crate dependency-free while allowing the
application to apply its local memory-cleanup policy at the ownership boundary.
This is the recommended pattern for deployments that require a dependency-backed
zeroization policy while still wanting base64-ng itself to remain a small,
auditable zero-runtime-dependency crate.
Fuzzing, benchmark, and timing-evidence dependencies may live in isolated workspaces only when they are not packaged with the published crate:
fuzz/dependencies are reviewed byscripts/check_fuzz.sh.perf/dependencies are reviewed byscripts/check_perf.sh.dudect/dependencies are reviewed byscripts/check_dudect.sh.crates/base64-ng-sanitization/,crates/base64-ng-derive/,crates/base64-ng-serde/,crates/base64-ng-bytes/,crates/base64-ng-subtle/, andcrates/base64-ng-tokio/are optional companion crates, not dependencies of the corebase64-ngpackage. They are reviewed separately byscripts/check_companion_crates.shso the root package keeps its zero-runtime-dependency guarantee.
scripts/checks.sh runs those isolated harness checks so ordinary local
verification catches harness dependency drift before release-only evidence
steps.
Those isolated dependencies do not weaken the zero-dependency guarantee for the published core crate.