deps: Bump aes from 0.8.4 to 0.9.1

[dependabot]

Bumps aes from 0.8.4 to 0.9.1.

Commits

• 507938c Release aes v0.9.1 (#563)
• 957dba9 aes: fix min version of zeroize and build warnings on AArch64 (#562)
• c69a235 Release new versions dependent on cipher v0.5 (#553)
• 582b178 Move gift to gift-cipher and speck to speck-cipher (#554)
• 001e740 Adopt Trusted Publishing (#552)
• d908618 Release aes v0.9.0 (#539)
• b612904 aes: remove zeroize_works test (#551)
• 042fa86 Update Cargo.lock (#547)
• 7290b2b ci: use Dependabot to update Cargo.lock (#546)
• d1910c1 ci: bump actions/checkout to v6 (#545)
• Additional commits viewable in compare view

[rustyconover]

Holding — not merging yet. aes 0.9 moves to cipher 0.5, but fpe 0.6 (FF1 format-preserving encryption) requires aes 0.8 / cipher 0.4 — Aes256: BlockCipher is no longer satisfied for fpe (verified locally). Blocked until fpe supports aes 0.9. Leaving open as a tracker.

[rustyconover]

Still holding (unaffected by today's vgi 0.6 / Rust 1.90 bump); blocked on the crypto API change / fpe requiring aes 0.8.

[rustyconover]

Holding this open as a tracker — not mergeable yet. fpe (latest 0.6.1) still pins aes ^0.8 / cipher ^0.4, so bumping our direct aes to 0.9 would force cargo to resolve two aes/cipher majors (one via fpe, one direct) and fail to compile. The FF1 format-preserving encryption goes through fpe, so we can't move aes to 0.9 until fpe releases against aes 0.9 / cipher 0.5. Leaving open so dependabot keeps it visible.

[rustyconover]

Closing — aes 0.9 is unmergeable while fpe (latest 0.6.1) still pins aes ^0.8 / cipher ^0.4 (a direct aes 0.9 bump pulls two incompatible aes/cipher majors into the tree and fails to compile). FF1 FPE goes through fpe, so aes can't move until fpe releases against cipher 0.5 — at which point we bump fpe + aes together. Dependabot is now configured to ignore aes 0.9+ (vgi-mask#8, vgi-proxy#2) so this won't be re-opened. No security impact: aes 0.8 has no advisory; the bump is pure trait-API churn.

[dependabot]

Looks like aes is no longer being updated by Dependabot, so this is no longer needed.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.