metamorphic-crypto 0.10.5

Zero-knowledge end-to-end encryption with post-quantum hybrid KEM (ML-KEM + X25519) and an opt-in CNSA 2.0 suite axis (matched-strength hybrid + pure ML-KEM-1024 / ML-DSA-87 / AES-256-GCM)
Documentation
version: 2
updates:
  # Keep SHA-pinned GitHub Actions current. Dependabot opens PRs that bump
  # both the pinned commit SHA and the trailing version comment.
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    groups:
      # Collapse all action bumps into a single weekly PR instead of one per
      # action. Review the changelogs together, then merge once.
      github-actions:
        patterns:
          - "*"

  # Cargo dependency updates for the crate itself.
  - package-ecosystem: cargo
    directory: /
    schedule:
      interval: weekly
    ignore:
      # `sha3` and `sha2` are intentionally held at the 0.11 line: the
      # transitive `ml-kem 0.3.x` dependency requires `sha3 ^0.11`, and `sha2`
      # must share the same `digest 0.11` to keep a single `digest`/`keccak`
      # version in the tree (see CHANGELOG v0.3.7 / v0.4.0). A bump to 0.12 on
      # either crate cannot unify with `ml-kem` and will fail to compile, so
      # those PRs are noise until `ml-kem` itself moves to `sha3 0.12`.
      # Re-evaluate (and drop this ignore) when `ml-kem` bumps `sha3`.
      - dependency-name: "sha3"
        update-types: ["version-update:semver-minor"]
      - dependency-name: "sha2"
        update-types: ["version-update:semver-minor"]
    groups:
      # Batch low-risk patch/minor bumps. Major bumps (and 0.x minor bumps,
      # which are breaking) stay as separate PRs so cryptography dependencies
      # get individual review.
      cargo-minor:
        update-types:
          - "minor"
          - "patch"