From 41cf18dc366d29b2b62f8802e2ed90e1b1841b21 Mon Sep 17 00:00:00 2001
From: Rusty Conover
Date: Tue, 23 Jun 2026 19:20:23 -0400
Subject: [PATCH] ci: ignore aes 0.9+ in dependabot (fpe still pins aes 0.8)

FF1 FPE runs through `fpe` (latest 0.6.1), which still requires aes ^0.8 / cipher ^0.4. A direct aes 0.9 bump forces two incompatible aes/cipher majors and won't compile, so dependabot's aes 0.9 PR (#6) is unmergeable. Hold aes on 0.8.x until fpe moves to cipher 0.5. No security driver (aes 0.8 has no advisory; 0.8->0.9 is trait-API churn). Patches within 0.8.x still flow.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/dependabot.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 88bde89..cd5cc51 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,6 +12,18 @@ updates:
 arrow:
 patterns:
 - "arrow*"
+ ignore:
+ # FF1 format-preserving encryption runs through `fpe`, which still pins
+ # aes ^0.8 / cipher ^0.4. Bumping our direct `aes` past 0.8 forces two
+ # incompatible aes/cipher majors into the tree (one via fpe, one direct)
+ # and fails to compile. Hold aes on 0.8.x until `fpe` releases against
+ # cipher 0.5; then bump fpe + aes together. No security driver: aes 0.8
+ # has no advisory and 0.8->0.9 is pure trait-API churn. (Patches within
+ # 0.8.x are still allowed.)
+ - dependency-name: "aes"
+ update-types:
+ - "version-update:semver-minor"
+ - "version-update:semver-major"
 commit-message:
 prefix: "deps"
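Review bot: The new `ignore` entry for `aes` will, as far as I recall Dependabot's semantics, also suppress security-update PRs that need aes 0.9 or later, so the "no security driver" justification in the added comment is only true today and the pin needs a standing backstop rather than a one-time check. I would extend the comment with `# NOTE: ignore also blocks Dependabot security PRs that require aes >= 0.9; rely on cargo-audit/cargo-deny in CI and revisit when fpe moves to cipher 0.5` and, if the repo has no such audit step, treat adding one as part of this change. Separately, the collapsed patch text does not let me verify indentation: `ignore:` must sit at the update-entry level as a sibling of `groups` and `commit-message`, not under `groups.arrow` where the preceding `patterns` context lines live, or Dependabot will reject the config. The hunk header declares 18 new-side lines but only 17 are visible here, so the final context line of this hunk may lie past the end of the excerpt.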