fix account key rotation (#6105 )

Update crates (#6100 )
Updated crates and made adjustments where needed. Also removed a struct which wasn't used and the nightly compiler complained about it. Used pinact to update GitHub Actions. Validated GitHub Actions with zizmor. Signed-off-by: BlackDex <black.dex@gmail.com>
2025-09-09 18:25:58 +03:00 · 2025-07-27 12:18:54 +02:00 · 2025-07-26 14:58:39 +02:00 · 2025-07-25 20:58:41 +02:00 · 2025-07-25 18:17:55 +02:00 · 2025-07-14 22:01:20 +02:00
17 changed files with 426 additions and 250 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,5 +1,6 @@
 /.github @dani-garcia @BlackDex
 /.github/** @dani-garcia @BlackDex
 /.github/CODEOWNERS @dani-garcia @BlackDex
+/.github/ISSUE_TEMPLATE/** @dani-garcia @BlackDex
 /.github/workflows/** @dani-garcia @BlackDex
 /SECURITY.md @dani-garcia @BlackDex
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -8,15 +8,30 @@ body:
      value: |
        Thanks for taking the time to fill out this bug report!

-        Please *do not* submit feature requests or ask for help on how to configure Vaultwarden here.
+        Please **do not** submit feature requests or ask for help on how to configure Vaultwarden here!

        The [GitHub Discussions](https://github.com/dani-garcia/vaultwarden/discussions/) has sections for Questions and Ideas.

+        Our [Wiki](https://github.com/dani-garcia/vaultwarden/wiki/) has topics on how to configure Vaultwarden.
+
        Also, make sure you are running [![GitHub Release](https://img.shields.io/github/release/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/releases/latest) of Vaultwarden!
-        And search for existing open or closed issues or discussions regarding your topic before posting.

        Be sure to check and validate the Vaultwarden Admin Diagnostics (`/admin/diagnostics`) page for any errors!
        See here [how to enable the admin page](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page).
+
+        > [!IMPORTANT]
+        > ## :bangbang: Search for existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) regarding your topic before posting! :bangbang:
+  #
+  - type: checkboxes
+    id: checklist
+    attributes:
+      label: Prerequisites
+      description: Please confirm you have completed the following before submitting an issue!
+      options:
+        - label: I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=)
+          required: true
+        - label: I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/)
+          required: true
  #
  - id: support-string
    type: textarea
@@ -36,7 +51,7 @@ body:
    attributes:
      label: Vaultwarden Build Version
      description: What version of Vaultwarden are you running?
-      placeholder: ex. v1.31.0 or v1.32.0-3466a804
+      placeholder: ex. v1.34.0 or v1.34.1-53f58b14
    validations:
      required: true
  #
@@ -67,7 +82,7 @@ body:
    attributes:
      label: Reverse Proxy
      description: Are you using a reverse proxy, if so which and what version?
-      placeholder: ex. nginx 1.26.2, caddy 2.8.4, traefik 3.1.2, haproxy 3.0
+      placeholder: ex. nginx 1.29.0, caddy 2.10.0, traefik 3.4.4, haproxy 3.2
    validations:
      required: true
  #
@@ -115,7 +130,7 @@ body:
    attributes:
      label: Client Version
      description: What version(s) of the client(s) are you seeing the problem on?
-      placeholder: ex. CLI v2024.7.2, Firefox 130 - v2024.7.0
+      placeholder: ex. CLI v2025.7.0, Firefox 140 - v2025.6.1
  #
  - id: reproduce
    type: textarea
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -66,13 +66,15 @@ jobs:
      - name: Init Variables
        id: toolchain
        shell: bash
+        env:
+          CHANNEL: ${{ matrix.channel }}
        run: |
-          if [[ "${{ matrix.channel }}" == 'rust-toolchain' ]]; then
+          if [[ "${CHANNEL}" == 'rust-toolchain' ]]; then
            RUST_TOOLCHAIN="$(grep -oP 'channel.*"(\K.*?)(?=")' rust-toolchain.toml)"
-          elif [[ "${{ matrix.channel }}" == 'msrv' ]]; then
+          elif [[ "${CHANNEL}" == 'msrv' ]]; then
            RUST_TOOLCHAIN="$(grep -oP 'rust-version.*"(\K.*?)(?=")' Cargo.toml)"
          else
-            RUST_TOOLCHAIN="${{ matrix.channel }}"
+            RUST_TOOLCHAIN="${CHANNEL}"
          fi
          echo "RUST_TOOLCHAIN=${RUST_TOOLCHAIN}" | tee -a "${GITHUB_OUTPUT}"
      # End Determine rust-toolchain version
@@ -80,7 +82,7 @@ jobs:

      # Only install the clippy and rustfmt components on the default rust-toolchain
      - name: "Install rust-toolchain version"
-        uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 # master @ Mar 18, 2025, 8:14 PM GMT+1
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master @ Apr 29, 2025, 9:22 PM GMT+2
        if: ${{ matrix.channel == 'rust-toolchain' }}
        with:
          toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
@@ -90,7 +92,7 @@ jobs:

      # Install the any other channel to be used for which we do not execute clippy and rustfmt
      - name: "Install MSRV version"
-        uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 # master @ Mar 18, 2025, 8:14 PM GMT+1
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master @ Apr 29, 2025, 9:22 PM GMT+2
        if: ${{ matrix.channel != 'rust-toolchain' }}
        with:
          toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
@@ -115,7 +117,7 @@ jobs:

      # Enable Rust Caching
      - name: Rust Caching
-        uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
+        uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
        with:
          # Use a custom prefix-key to force a fresh start. This is sometimes needed with bigger changes.
          # Like changing the build host from Ubuntu 20.04 to 22.04 for example.
--- a/.github/workflows/check-templates.yml
+++ b/.github/workflows/check-templates.yml
@@ -4,7 +4,8 @@ permissions: {}
 on: [ push, pull_request ]

 jobs:
-  docker-templates:	
+  docker-templates:
+    name: Validate docker templates
    permissions:
      contents: read
    runs-on: ubuntu-24.04
@@ -20,7 +21,7 @@ jobs:

      - name: Run make to rebuild templates
        working-directory: docker
-        run: make 
+        run: make

      - name: Check for unstaged changes
        working-directory: docker
--- a/.github/workflows/hadolint.yml
+++ b/.github/workflows/hadolint.yml
@@ -14,7 +14,7 @@ jobs:
    steps:
      # Start Docker Buildx
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
        # https://github.com/moby/buildkit/issues/3969
        # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
        with:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -47,7 +47,7 @@ jobs:
    # Start a local docker registry to extract the compiled binaries to upload as artifacts and attest them
    services:
      registry:
-        image: registry:2
+        image: registry@sha256:1fc7de654f2ac1247f0b67e8a459e273b0993be7d2beda1f3f56fbf1001ed3e7 # v3.0.0
        ports:
          - 5000:5000
    env:
@@ -76,7 +76,7 @@ jobs:

      # Start Docker Buildx
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
        # https://github.com/moby/buildkit/issues/3969
        # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
        with:
@@ -192,7 +192,7 @@ jobs:

      - name: Bake ${{ matrix.base_image }} containers
        id: bake_vw
-        uses: docker/bake-action@4ba453fbc2db7735392b93edf935aaf9b1e8f747 # v6.5.0
+        uses: docker/bake-action@37816e747588cb137173af99ab33873600c46ea8 # v6.8.0
        env:
          BASE_TAGS: "${{ env.BASE_TAGS }}"
          SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}"
@@ -213,14 +213,15 @@ jobs:
        shell: bash
        env:
          BAKE_METADATA: ${{ steps.bake_vw.outputs.metadata }}
+          BASE_IMAGE: ${{ matrix.base_image }}
        run: |
-          GET_DIGEST_SHA="$(jq -r '.["${{ matrix.base_image }}-multi"]."containerimage.digest"' <<< "${BAKE_METADATA}")"
+          GET_DIGEST_SHA="$(jq -r --arg base "$BASE_IMAGE" '.[$base + "-multi"]."containerimage.digest"' <<< "${BAKE_METADATA}")"
          echo "DIGEST_SHA=${GET_DIGEST_SHA}" | tee -a "${GITHUB_ENV}"

      # Attest container images
      - name: Attest - docker.io - ${{ matrix.base_image }}
        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}}
-        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
        with:
          subject-name: ${{ vars.DOCKERHUB_REPO }}
          subject-digest: ${{ env.DIGEST_SHA }}
@@ -228,7 +229,7 @@ jobs:

      - name: Attest - ghcr.io - ${{ matrix.base_image }}
        if: ${{ env.HAVE_GHCR_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}}
-        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
        with:
          subject-name: ${{ vars.GHCR_REPO }}
          subject-digest: ${{ env.DIGEST_SHA }}
@@ -236,7 +237,7 @@ jobs:

      - name: Attest - quay.io - ${{ matrix.base_image }}
        if: ${{ env.HAVE_QUAY_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}}
-        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
        with:
          subject-name: ${{ vars.QUAY_REPO }}
          subject-digest: ${{ env.DIGEST_SHA }}
@@ -248,6 +249,7 @@ jobs:
        shell: bash
        env:
          REF_TYPE: ${{ github.ref_type }}
+          BASE_IMAGE: ${{ matrix.base_image }}
        run: |
          # Check which main tag we are going to build determined by ref_type
          if [[ "${REF_TYPE}" == "tag" ]]; then
@@ -257,7 +259,7 @@ jobs:
          fi

          # Check which base_image was used and append -alpine if needed
-          if [[ "${{ matrix.base_image }}" == "alpine" ]]; then
+          if [[ "${BASE_IMAGE}" == "alpine" ]]; then
            EXTRACT_TAG="${EXTRACT_TAG}-alpine"
          fi

@@ -266,25 +268,25 @@ jobs:

          # Extract amd64 binary
          docker create --name amd64 --platform=linux/amd64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
-          docker cp amd64:/vaultwarden vaultwarden-amd64-${{ matrix.base_image }}
+          docker cp amd64:/vaultwarden vaultwarden-amd64-${BASE_IMAGE}
          docker rm --force amd64
          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"

          # Extract arm64 binary
          docker create --name arm64 --platform=linux/arm64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
-          docker cp arm64:/vaultwarden vaultwarden-arm64-${{ matrix.base_image }}
+          docker cp arm64:/vaultwarden vaultwarden-arm64-${BASE_IMAGE}
          docker rm --force arm64
          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"

          # Extract armv7 binary
          docker create --name armv7 --platform=linux/arm/v7 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
-          docker cp armv7:/vaultwarden vaultwarden-armv7-${{ matrix.base_image }}
+          docker cp armv7:/vaultwarden vaultwarden-armv7-${BASE_IMAGE}
          docker rm --force armv7
          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"

          # Extract armv6 binary
          docker create --name armv6 --platform=linux/arm/v6 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
-          docker cp armv6:/vaultwarden vaultwarden-armv6-${{ matrix.base_image }}
+          docker cp armv6:/vaultwarden vaultwarden-armv6-${BASE_IMAGE}
          docker rm --force armv6
          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"

@@ -314,7 +316,7 @@ jobs:
          path: vaultwarden-armv6-${{ matrix.base_image }}

      - name: "Attest artifacts ${{ matrix.base_image }}"
-        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
        with:
          subject-path: vaultwarden-*
      # End Upload artifacts to Github Actions
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -36,7 +36,7 @@ jobs:
          persist-credentials: false

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # v0.30.0
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
        env:
          TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
          TRIVY_JAVA_DB_REPOSITORY: docker.io/aquasec/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
@@ -48,6 +48,6 @@ jobs:
          severity: CRITICAL,HIGH

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@86b04fb0e47484f7282357688f21d5d0e32175fe # v3.27.5
+        uses: github/codeql-action/upload-sarif@4e828ff8d448a8a6e532957b1811f387a63867e8 # v3.29.4
        with:
          sarif_file: 'trivy-results.sarif'
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,28 @@
+name: Security Analysis with zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
+        with:
+          # intentionally not scanning the entire repository,
+          # since it contains integration tests.
+          inputs: ./.github/
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -116,9 +116,9 @@ dependencies = [

 [[package]]
 name = "async-channel"
-version = "2.3.1"
+version = "2.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "89b47800b0be77592da0afd425cc03468052844aff33b84e33cc696f64e77b6a"
+checksum = "924ed96dd52d1b75e9c1a3e6275715fd320f5f9439fb5a4a11fa51f4221158d2"
 dependencies = [
 "concurrent-queue",
 "event-listener-strategy",
@@ -128,9 +128,9 @@ dependencies = [

 [[package]]
 name = "async-compression"
-version = "0.4.25"
+version = "0.4.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "40f6024f3f856663b45fd0c9b6f2024034a702f453549449e0d84a305900dad4"
+checksum = "ddb939d66e4ae03cee6091612804ba446b12878410cfa17f785f4dd67d4014e8"
 dependencies = [
 "brotli",
 "flate2",
@@ -162,7 +162,7 @@ version = "2.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "05b1b633a2115cd122d73b955eadd9916c18c8f510ec9cd1686404c60ad1c29c"
 dependencies = [
- "async-channel 2.3.1",
+ "async-channel 2.5.0",
 "async-executor",
 "async-io",
 "async-lock",
@@ -173,9 +173,9 @@ dependencies = [

 [[package]]
 name = "async-io"
-version = "2.4.1"
+version = "2.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1237c0ae75a0f3765f58910ff9cdd0a12eeb39ab2f4c7de23262f337f0aacbb3"
+checksum = "19634d6336019ef220f09fd31168ce5c184b295cbf80345437cc36094ef223ca"
 dependencies = [
 "async-lock",
 "cfg-if",
@@ -186,8 +186,7 @@ dependencies = [
 "polling",
 "rustix",
 "slab",
- "tracing",
- "windows-sys 0.59.0",
+ "windows-sys 0.60.2",
 ]

 [[package]]
@@ -203,11 +202,11 @@ dependencies = [

 [[package]]
 name = "async-process"
-version = "2.3.1"
+version = "2.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cde3f4e40e6021d7acffc90095cbd6dc54cb593903d1de5832f435eb274b85dc"
+checksum = "65daa13722ad51e6ab1a1b9c01299142bc75135b337923cfa10e79bbbd669f00"
 dependencies = [
- "async-channel 2.3.1",
+ "async-channel 2.5.0",
 "async-io",
 "async-lock",
 "async-signal",
@@ -217,14 +216,13 @@ dependencies = [
 "event-listener 5.4.0",
 "futures-lite",
 "rustix",
- "tracing",
 ]

 [[package]]
 name = "async-signal"
-version = "0.2.11"
+version = "0.2.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7605a4e50d4b06df3898d5a70bf5fde51ed9059b0434b73105193bc27acce0d"
+checksum = "f567af260ef69e1d52c2b560ce0ea230763e6fbb9214a85d768760a920e3e3c1"
 dependencies = [
 "async-io",
 "async-lock",
@@ -235,7 +233,7 @@ dependencies = [
 "rustix",
 "signal-hook-registry",
 "slab",
- "windows-sys 0.59.0",
+ "windows-sys 0.60.2",
 ]

 [[package]]
@@ -333,9 +331,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"

 [[package]]
 name = "aws-config"
-version = "1.8.0"
+version = "1.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "455e9fb7743c6f6267eb2830ccc08686fbb3d13c9a689369562fd4d4ef9ea462"
+checksum = "c0baa720ebadea158c5bda642ac444a2af0cdf7bb66b46d1e4533de5d1f449d0"
 dependencies = [
 "aws-credential-types",
 "aws-runtime",
@@ -363,9 +361,9 @@ dependencies = [

 [[package]]
 name = "aws-credential-types"
-version = "1.2.3"
+version = "1.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "687bc16bc431a8533fe0097c7f0182874767f920989d7260950172ae8e3c4465"
+checksum = "b68c2194a190e1efc999612792e25b1ab3abfefe4306494efaaabc25933c0cbe"
 dependencies = [
 "aws-smithy-async",
 "aws-smithy-runtime-api",
@@ -375,9 +373,9 @@ dependencies = [

 [[package]]
 name = "aws-runtime"
-version = "1.5.8"
+version = "1.5.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4f6c68419d8ba16d9a7463671593c54f81ba58cab466e9b759418da606dcc2e2"
+checksum = "b2090e664216c78e766b6bac10fe74d2f451c02441d43484cd76ac9a295075f7"
 dependencies = [
 "aws-credential-types",
 "aws-sigv4",
@@ -399,9 +397,9 @@ dependencies = [

 [[package]]
 name = "aws-sdk-sso"
-version = "1.73.0"
+version = "1.78.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b2ac1674cba7872061a29baaf02209fefe499ff034dfd91bd4cc59e4d7741489"
+checksum = "dbd7bc4bd34303733bded362c4c997a39130eac4310257c79aae8484b1c4b724"
 dependencies = [
 "aws-credential-types",
 "aws-runtime",
@@ -421,9 +419,9 @@ dependencies = [

 [[package]]
 name = "aws-sdk-ssooidc"
-version = "1.74.0"
+version = "1.79.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3a6a22f077f5fd3e3c0270d4e1a110346cddf6769e9433eb9e6daceb4ca3b149"
+checksum = "77358d25f781bb106c1a69531231d4fd12c6be904edb0c47198c604df5a2dbca"
 dependencies = [
 "aws-credential-types",
 "aws-runtime",
@@ -443,9 +441,9 @@ dependencies = [

 [[package]]
 name = "aws-sdk-sts"
-version = "1.75.0"
+version = "1.80.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e3258fa707f2f585ee3049d9550954b959002abd59176975150a01d5cf38ae3f"
+checksum = "06e3ed2a9b828ae7763ddaed41d51724d2661a50c45f845b08967e52f4939cfc"
 dependencies = [
 "aws-credential-types",
 "aws-runtime",
@@ -499,9 +497,9 @@ dependencies = [

 [[package]]
 name = "aws-smithy-http"
-version = "0.62.1"
+version = "0.62.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "99335bec6cdc50a346fda1437f9fefe33abf8c99060739a546a16457f2862ca9"
+checksum = "43c82ba4cab184ea61f6edaafc1072aad3c2a17dcf4c0fce19ac5694b90d8b5f"
 dependencies = [
 "aws-smithy-runtime-api",
 "aws-smithy-types",
@@ -547,9 +545,9 @@ dependencies = [

 [[package]]
 name = "aws-smithy-runtime"
-version = "1.8.3"
+version = "1.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "14302f06d1d5b7d333fd819943075b13d27c7700b414f574c3c35859bfb55d5e"
+checksum = "660f70d9d8af6876b4c9aa8dcb0dbaf0f89b04ee9a4455bea1b4ba03b15f26f6"
 dependencies = [
 "aws-smithy-async",
 "aws-smithy-http",
@@ -570,9 +568,9 @@ dependencies = [

 [[package]]
 name = "aws-smithy-runtime-api"
-version = "1.8.1"
+version = "1.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bd8531b6d8882fd8f48f82a9754e682e29dd44cff27154af51fa3eb730f59efb"
+checksum = "937a49ecf061895fca4a6dd8e864208ed9be7546c0527d04bc07d502ec5fba1c"
 dependencies = [
 "aws-smithy-async",
 "aws-smithy-types",
@@ -619,9 +617,9 @@ dependencies = [

 [[package]]
 name = "aws-types"
-version = "1.3.7"
+version = "1.3.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8a322fec39e4df22777ed3ad8ea868ac2f94cd15e1a55f6ee8d8d6305057689a"
+checksum = "b069d19bf01e46298eaedd7c6f283fe565a59263e53eebec945f3e6398f42390"
 dependencies = [
 "aws-credential-types",
 "aws-smithy-async",
@@ -745,11 +743,11 @@ dependencies = [

 [[package]]
 name = "blocking"
-version = "1.6.1"
+version = "1.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "703f41c54fc768e63e091340b424302bb1c29ef4aa0c7f10fe849dfb114d29ea"
+checksum = "e83f8d02be6967315521be875afa792a316e28d57b5a2d401897e2a7921b7f21"
 dependencies = [
- "async-channel 2.3.1",
+ "async-channel 2.5.0",
 "async-task",
 "futures-io",
 "futures-lite",
@@ -813,16 +811,16 @@ dependencies = [

 [[package]]
 name = "cached"
-version = "0.55.1"
+version = "0.56.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b0839c297f8783316fcca9d90344424e968395413f0662a5481f79c6648bbc14"
+checksum = "801927ee168e17809ab8901d9f01f700cd7d8d6a6527997fee44e4b0327a253c"
 dependencies = [
 "ahash",
 "async-trait",
 "cached_proc_macro",
 "cached_proc_macro_types",
 "futures",
- "hashbrown 0.14.5",
+ "hashbrown 0.15.4",
 "once_cell",
 "thiserror 2.0.12",
 "tokio",
@@ -831,9 +829,9 @@ dependencies = [

 [[package]]
 name = "cached_proc_macro"
-version = "0.24.0"
+version = "0.25.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "673992d934f0711b68ebb3e1b79cdc4be31634b37c98f26867ced0438ca5c603"
+checksum = "9225bdcf4e4a9a4c08bf16607908eb2fbf746828d5e0b5e019726dbf6571f201"
 dependencies = [
 "darling",
 "proc-macro2",
@@ -858,9 +856,9 @@ dependencies = [

 [[package]]
 name = "cc"
-version = "1.2.27"
+version = "1.2.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d487aa071b5f64da6f19a3e848e3578944b726ee5a4854b82172f02aa876bfdc"
+checksum = "deec109607ca693028562ed836a5f1c4b8bd77755c4e132fc5ce11b0b6211ae7"
 dependencies = [
 "jobserver",
 "libc",
@@ -896,23 +894,12 @@ dependencies = [

 [[package]]
 name = "chrono-tz"
-version = "0.10.3"
+version = "0.10.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "efdce149c370f133a071ca8ef6ea340b7b88748ab0810097a9e2976eaa34b4f3"
+checksum = "a6139a8597ed92cf816dfb33f5dd6cf0bb93a6adc938f11039f371bc5bcd26c3"
 dependencies = [
 "chrono",
- "chrono-tz-build",
- "phf",
-]
-
-[[package]]
-name = "chrono-tz-build"
-version = "0.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f10f8c9340e31fc120ff885fcdb54a0b48e474bbd77cab557f0c30a3e569402"
-dependencies = [
- "parse-zoneinfo",
- "phf_codegen",
+ "phf 0.12.1",
 ]

 [[package]]
@@ -1051,9 +1038,9 @@ dependencies = [

 [[package]]
 name = "crc32fast"
-version = "1.4.2"
+version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a97769d94ddab943e4510d138150169a2758b5ef3eb191a9ee688de3e23ef7b3"
+checksum = "9481c1c90cbf2ac953f07c8d4a58aa3945c425b7185c9154d67a65e4230da511"
 dependencies = [
 "cfg-if",
 ]
@@ -1283,9 +1270,9 @@ dependencies = [

 [[package]]
 name = "diesel"
-version = "2.2.11"
+version = "2.2.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a917a9209950404d5be011c81d081a2692a822f73c3d6af586f0cab5ff50f614"
+checksum = "229850a212cd9b84d4f0290ad9d294afc0ae70fccaa8949dbe8b43ffafa1e20c"
 dependencies = [
 "bigdecimal",
 "bitflags",
@@ -1318,9 +1305,9 @@ dependencies = [

 [[package]]
 name = "diesel_derives"
-version = "2.2.6"
+version = "2.2.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "52841e97814f407b895d836fa0012091dff79c6268f39ad8155d384c21ae0d26"
+checksum = "1b96984c469425cb577bf6f17121ecb3e4fe1e81de5d8f780dd372802858d756"
 dependencies = [
 "diesel_table_macro_syntax",
 "dsl_auto_type",
@@ -1542,7 +1529,7 @@ dependencies = [
 "atomic 0.6.1",
 "pear",
 "serde",
- "toml",
+ "toml 0.8.23",
 "uncased",
 "version_check",
 ]
@@ -1806,7 +1793,7 @@ dependencies = [
 "parking_lot",
 "portable-atomic",
 "quanta",
- "rand 0.9.1",
+ "rand 0.9.2",
 "smallvec",
 "spinning_top",
 "web-time",
@@ -1822,7 +1809,7 @@ dependencies = [
 "indexmap",
 "lasso",
 "once_cell",
- "phf",
+ "phf 0.11.3",
 ]

 [[package]]
@@ -1922,7 +1909,7 @@ dependencies = [
 "idna",
 "ipnet",
 "once_cell",
- "rand 0.9.1",
+ "rand 0.9.2",
 "ring",
 "thiserror 2.0.12",
 "tinyvec",
@@ -1944,7 +1931,7 @@ dependencies = [
 "moka",
 "once_cell",
 "parking_lot",
- "rand 0.9.1",
+ "rand 0.9.2",
 "resolv-conf",
 "smallvec",
 "thiserror 2.0.12",
@@ -2074,7 +2061,7 @@ dependencies = [
 "httpdate",
 "itoa",
 "pin-project-lite",
- "socket2",
+ "socket2 0.5.10",
 "tokio",
 "tower-service",
 "tracing",
@@ -2110,7 +2097,7 @@ dependencies = [
 "http 1.3.1",
 "hyper 1.6.0",
 "hyper-util",
- "rustls 0.23.28",
+ "rustls 0.23.29",
 "rustls-native-certs",
 "rustls-pki-types",
 "tokio",
@@ -2121,9 +2108,9 @@ dependencies = [

 [[package]]
 name = "hyper-util"
-version = "0.1.14"
+version = "0.1.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dc2fdfdbff08affe55bb779f33b053aa1fe5dd5b54c257343c17edfa55711bdb"
+checksum = "8d9b05277c7e8da2c93a568989bb6207bef0112e8d17df7a6eda4a3cf143bc5e"
 dependencies = [
 "base64 0.22.1",
 "bytes",
@@ -2137,7 +2124,7 @@ dependencies = [
 "libc",
 "percent-encoding",
 "pin-project-lite",
- "socket2",
+ "socket2 0.6.0",
 "system-configuration",
 "tokio",
 "tower-service",
@@ -2309,13 +2296,24 @@ dependencies = [
 "generic-array",
 ]

+[[package]]
+name = "io-uring"
+version = "0.7.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d93587f37623a1a17d94ef2bc9ada592f5465fe7732084ab7beefabe5c77c0c4"
+dependencies = [
+ "bitflags",
+ "cfg-if",
+ "libc",
+]
+
 [[package]]
 name = "ipconfig"
 version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b58db92f96b720de98181bbbe63c831e87005ab460c1bf306eb2622b4707997f"
 dependencies = [
- "socket2",
+ "socket2 0.5.10",
 "widestring",
 "windows-sys 0.48.0",
 "winreg",
@@ -2455,10 +2453,10 @@ dependencies = [
 "nom 8.0.0",
 "percent-encoding",
 "quoted_printable",
- "rustls 0.23.28",
+ "rustls 0.23.29",
 "rustls-native-certs",
 "serde",
- "socket2",
+ "socket2 0.5.10",
 "tokio",
 "tokio-rustls 0.26.2",
 "tracing",
@@ -2489,9 +2487,9 @@ dependencies = [

 [[package]]
 name = "libsqlite3-sys"
-version = "0.33.0"
+version = "0.35.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "947e6816f7825b2b45027c2c32e7085da9934defa535de4a6a46b10a4d5257fa"
+checksum = "133c182a6a2c87864fe97778797e46c7e999672690dc9fa3ee8e241aa4a9c13f"
 dependencies = [
 "cc",
 "pkg-config",
@@ -2512,9 +2510,9 @@ checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956"

 [[package]]
 name = "litrs"
-version = "0.4.1"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b4ce301924b7887e9d637144fdade93f9dfff9b60981d4ac161db09720d39aa5"
+checksum = "f5e54036fe321fd421e10d732f155734c4e4afd610dd556d9a82833ab3ee0bed"

 [[package]]
 name = "lock_api"
@@ -2604,12 +2602,12 @@ checksum = "32a282da65faaf38286cf3be983213fcf1d2e2a58700e808f83f4ea9a4804bc0"

 [[package]]
 name = "migrations_internals"
-version = "2.2.0"
+version = "2.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fd01039851e82f8799046eabbb354056283fb265c8ec0996af940f4e85a380ff"
+checksum = "3bda1634d70d5bd53553cf15dca9842a396e8c799982a3ad22998dc44d961f24"
 dependencies = [
 "serde",
- "toml",
+ "toml 0.9.2",
 ]

 [[package]]
@@ -2877,12 +2875,11 @@ dependencies = [

 [[package]]
 name = "opendal"
-version = "0.53.3"
+version = "0.54.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f947c4efbca344c1a125753366033c8107f552b2e3f8251815ed1908f116ca3e"
+checksum = "ffb9838d0575c6dbaf3fcec7255af8d5771996d4af900bbb6fa9a314dec00a1a"
 dependencies = [
 "anyhow",
- "async-trait",
 "backon",
 "base64 0.22.1",
 "bytes",
@@ -2938,9 +2935,9 @@ checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"

 [[package]]
 name = "openssl-src"
-version = "300.5.0+3.5.0"
+version = "300.5.1+3.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e8ce546f549326b0e6052b649198487d91320875da901e7bd11a06d1ee3f9c2f"
+checksum = "735230c832b28c000e3bc117119e6466a663ec73506bc0a9907ea4187508e42a"
 dependencies = [
 "cc",
 ]
@@ -3009,15 +3006,6 @@ dependencies = [
 "windows-targets 0.52.6",
 ]

-[[package]]
-name = "parse-zoneinfo"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1f2a05b18d44e2957b88f96ba460715e295bc1d7510468a2f3d3b44535d26c24"
-dependencies = [
- "regex",
-]
-
 [[package]]
 name = "password-hash"
 version = "0.5.0"
@@ -3150,17 +3138,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1fd6780a80ae0c52cc120a26a1a42c1ae51b247a253e4e06113d23d2c2edd078"
 dependencies = [
 "phf_macros",
- "phf_shared",
+ "phf_shared 0.11.3",
 ]

 [[package]]
-name = "phf_codegen"
-version = "0.11.3"
+name = "phf"
+version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aef8048c789fa5e851558d709946d6d79a8ff88c0440c587967f8e94bfb1216a"
+checksum = "913273894cec178f401a31ec4b656318d95473527be05c0752cc41cdc32be8b7"
 dependencies = [
- "phf_generator",
- "phf_shared",
+ "phf_shared 0.12.1",
 ]

 [[package]]
@@ -3169,7 +3156,7 @@ version = "0.11.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3c80231409c20246a13fddb31776fb942c38553c51e871f8cbd687a4cfb5843d"
 dependencies = [
- "phf_shared",
+ "phf_shared 0.11.3",
 "rand 0.8.5",
 ]

@@ -3180,7 +3167,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f84ac04429c13a7ff43785d75ad27569f2951ce0ffd30a3321230db2fc727216"
 dependencies = [
 "phf_generator",
- "phf_shared",
+ "phf_shared 0.11.3",
 "proc-macro2",
 "quote",
 "syn",
@@ -3195,6 +3182,15 @@ dependencies = [
 "siphasher",
 ]

+[[package]]
+name = "phf_shared"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "06005508882fb681fd97892ecff4b7fd0fee13ef1aa569f8695dae7ab9099981"
+dependencies = [
+ "siphasher",
+]
+
 [[package]]
 name = "pico-args"
 version = "0.5.0"
@@ -3270,17 +3266,16 @@ checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"

 [[package]]
 name = "polling"
-version = "3.8.0"
+version = "3.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b53a684391ad002dd6a596ceb6c74fd004fdce75f4be2e3f615068abbea5fd50"
+checksum = "8ee9b2fa7a4517d2c91ff5bc6c297a427a96749d15f98fcdbb22c05571a4d4b7"
 dependencies = [
 "cfg-if",
 "concurrent-queue",
 "hermit-abi",
 "pin-project-lite",
 "rustix",
- "tracing",
- "windows-sys 0.59.0",
+ "windows-sys 0.60.2",
 ]

 [[package]]
@@ -3413,8 +3408,8 @@ dependencies = [
 "quinn-proto",
 "quinn-udp",
 "rustc-hash",
- "rustls 0.23.28",
- "socket2",
+ "rustls 0.23.29",
+ "socket2 0.5.10",
 "thiserror 2.0.12",
 "tokio",
 "tracing",
@@ -3430,10 +3425,10 @@ dependencies = [
 "bytes",
 "getrandom 0.3.3",
 "lru-slab",
- "rand 0.9.1",
+ "rand 0.9.2",
 "ring",
 "rustc-hash",
- "rustls 0.23.28",
+ "rustls 0.23.29",
 "rustls-pki-types",
 "slab",
 "thiserror 2.0.12",
@@ -3451,7 +3446,7 @@ dependencies = [
 "cfg_aliases",
 "libc",
 "once_cell",
- "socket2",
+ "socket2 0.5.10",
 "tracing",
 "windows-sys 0.59.0",
 ]
@@ -3501,9 +3496,9 @@ dependencies = [

 [[package]]
 name = "rand"
-version = "0.9.1"
+version = "0.9.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9fbfd9d094a40bf3ae768db9361049ace4c0e04a4fd6b359518bd7b73a73dd97"
+checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
 dependencies = [
 "rand_chacha 0.9.0",
 "rand_core 0.9.3",
@@ -3558,9 +3553,9 @@ dependencies = [

 [[package]]
 name = "redox_syscall"
-version = "0.5.13"
+version = "0.5.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0d04b7d0ee6b4a0207a0a7adb104d23ecb0b47d6beae7152d0fa34b692b29fd6"
+checksum = "7e8af0dde094006011e6a740d4879319439489813bd0bcdc7d821beaeeff48ec"
 dependencies = [
 "bitflags",
 ]
@@ -3676,14 +3671,14 @@ dependencies = [
 "sha1",
 "sha2",
 "tokio",
- "toml",
+ "toml 0.8.23",
 ]

 [[package]]
 name = "reqwest"
-version = "0.12.21"
+version = "0.12.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4c8cea6b35bcceb099f30173754403d2eba0a5dc18cea3630fccd88251909288"
+checksum = "cbc931937e6ca3a06e3b6c0aa7841849b160a90351d6ab467a8b9b9959767531"
 dependencies = [
 "async-compression",
 "base64 0.22.1",
@@ -3707,7 +3702,7 @@ dependencies = [
 "percent-encoding",
 "pin-project-lite",
 "quinn",
- "rustls 0.23.28",
+ "rustls 0.23.29",
 "rustls-native-certs",
 "rustls-pki-types",
 "serde",
@@ -3908,13 +3903,12 @@ dependencies = [

 [[package]]
 name = "rust-ini"
-version = "0.21.1"
+version = "0.21.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4e310ef0e1b6eeb79169a1171daf9abcb87a2e17c03bee2c4bb100b55c75409f"
+checksum = "e7295b7ce3bf4806b419dc3420745998b447178b7005e2011947b38fc5aa6791"
 dependencies = [
 "cfg-if",
 "ordered-multimap",
- "trim-in-place",
 ]

 [[package]]
@@ -3940,15 +3934,15 @@ dependencies = [

 [[package]]
 name = "rustix"
-version = "1.0.7"
+version = "1.0.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c71e83d6afe7ff64890ec6b71d6a69bb8a610ab78ce364b3352876bb4c801266"
+checksum = "11181fbabf243db407ef8df94a6ce0b2f9a733bd8be4ad02b4eda9602296cac8"
 dependencies = [
 "bitflags",
 "errno",
 "libc",
 "linux-raw-sys",
- "windows-sys 0.59.0",
+ "windows-sys 0.60.2",
 ]

 [[package]]
@@ -3965,15 +3959,15 @@ dependencies = [

 [[package]]
 name = "rustls"
-version = "0.23.28"
+version = "0.23.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7160e3e10bf4535308537f3c4e1641468cd0e485175d6163087c0393c7d46643"
+checksum = "2491382039b29b9b11ff08b76ff6c97cf287671dbb74f0be44bda389fffe9bd1"
 dependencies = [
 "log",
 "once_cell",
 "ring",
 "rustls-pki-types",
- "rustls-webpki 0.103.3",
+ "rustls-webpki 0.103.4",
 "subtle",
 "zeroize",
 ]
@@ -4021,9 +4015,9 @@ dependencies = [

 [[package]]
 name = "rustls-webpki"
-version = "0.103.3"
+version = "0.103.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e4a72fe2bcf7a6ac6fd7d0b9e5cb68aeb7d4c0a0271730218b3e92d43b4eb435"
+checksum = "0a17884ae0c1b773f1ccd2bd4a8c72f16da897310a98b0e84bf349ad5ead92fc"
 dependencies = [
 "ring",
 "rustls-pki-types",
@@ -4172,9 +4166,9 @@ dependencies = [

 [[package]]
 name = "serde_json"
-version = "1.0.140"
+version = "1.0.141"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "20068b6e96dc6c9bd23e01df8827e6c7e1f2fddd43c21810382803c136b99373"
+checksum = "30b9eff21ebe718216c6ec64e1d9ac57087aad11efc64e32002bce4a0d4c03d3"
 dependencies = [
 "itoa",
 "memchr",
@@ -4191,6 +4185,15 @@ dependencies = [
 "serde",
 ]

+[[package]]
+name = "serde_spanned"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "40734c41988f7306bb04f0ecf60ec0f3f1caa34290e4e8ea471dcd3346483b83"
+dependencies = [
+ "serde",
+]
+
 [[package]]
 name = "serde_urlencoded"
 version = "0.7.1"
@@ -4309,6 +4312,16 @@ dependencies = [
 "windows-sys 0.52.0",
 ]

+[[package]]
+name = "socket2"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "233504af464074f9d066d7b5416c5f9b894a5862a6506e306f7b816cdd6f1807"
+dependencies = [
+ "libc",
+ "windows-sys 0.59.0",
+]
+
 [[package]]
 name = "spin"
 version = "0.9.8"
@@ -4607,18 +4620,20 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"

 [[package]]
 name = "tokio"
-version = "1.45.1"
+version = "1.46.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "75ef51a33ef1da925cea3e4eb122833cb377c61439ca401b770f54902b806779"
+checksum = "0cc3a2344dafbe23a245241fe8b09735b521110d30fcefbbd5feb1797ca35d17"
 dependencies = [
 "backtrace",
 "bytes",
+ "io-uring",
 "libc",
 "mio",
 "parking_lot",
 "pin-project-lite",
 "signal-hook-registry",
- "socket2",
+ "slab",
+ "socket2 0.5.10",
 "tokio-macros",
 "windows-sys 0.52.0",
 ]
@@ -4650,7 +4665,7 @@ version = "0.26.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8e727b36a1a0e8b74c376ac2211e40c2c8af09fb4013c60d910495810f008e9b"
 dependencies = [
- "rustls 0.23.28",
+ "rustls 0.23.29",
 "tokio",
 ]

@@ -4698,11 +4713,26 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "dc1beb996b9d83529a9e75c17a1686767d148d70663143c7854d8b4a09ced362"
 dependencies = [
 "serde",
- "serde_spanned",
- "toml_datetime",
+ "serde_spanned 0.6.9",
+ "toml_datetime 0.6.11",
 "toml_edit",
 ]

+[[package]]
+name = "toml"
+version = "0.9.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed0aee96c12fa71097902e0bb061a5e1ebd766a6636bb605ba401c45c1650eac"
+dependencies = [
+ "indexmap",
+ "serde",
+ "serde_spanned 1.0.0",
+ "toml_datetime 0.7.0",
+ "toml_parser",
+ "toml_writer",
+ "winnow 0.7.12",
+]
+
 [[package]]
 name = "toml_datetime"
 version = "0.6.11"
@@ -4712,6 +4742,15 @@ dependencies = [
 "serde",
 ]

+[[package]]
+name = "toml_datetime"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bade1c3e902f58d73d3f294cd7f20391c1cb2fbcb643b73566bc773971df91e3"
+dependencies = [
+ "serde",
+]
+
 [[package]]
 name = "toml_edit"
 version = "0.22.27"
@@ -4720,10 +4759,19 @@ checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a"
 dependencies = [
 "indexmap",
 "serde",
- "serde_spanned",
- "toml_datetime",
+ "serde_spanned 0.6.9",
+ "toml_datetime 0.6.11",
 "toml_write",
- "winnow 0.7.11",
+ "winnow 0.7.12",
+]
+
+[[package]]
+name = "toml_parser"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97200572db069e74c512a14117b296ba0a80a30123fbbb5aa1f4a348f639ca30"
+dependencies = [
+ "winnow 0.7.12",
 ]

 [[package]]
@@ -4732,6 +4780,12 @@ version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5d99f8c9a7727884afe522e9bd5edbfc91a3312b36a77b5fb8926e4c31a41801"

+[[package]]
+name = "toml_writer"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fcc842091f2def52017664b53082ecbbeb5c7731092bad69d2c63050401dfd64"
+
 [[package]]
 name = "totp-lite"
 version = "2.0.1"
@@ -4851,12 +4905,6 @@ dependencies = [
 "tracing-log",
 ]

-[[package]]
-name = "trim-in-place"
-version = "0.1.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "343e926fc669bc8cde4fa3129ab681c63671bae288b1f1081ceee6d9d37904fc"
-
 [[package]]
 name = "try-lock"
 version = "0.2.5"
@@ -5034,7 +5082,7 @@ dependencies = [
 "pastey",
 "percent-encoding",
 "pico-args",
- "rand 0.9.1",
+ "rand 0.9.2",
 "regex",
 "reqsign",
 "reqwest",
@@ -5238,9 +5286,9 @@ dependencies = [

 [[package]]
 name = "webpki-roots"
-version = "1.0.1"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8782dd5a41a24eed3a4f40b606249b3e236ca61adf1f25ea4d45c73de122b502"
+checksum = "7e8983c3ab33d6fb807cfcdad2491c4ea8cbc8ed839181c7dfd9c67c83e261b2"
 dependencies = [
 "rustls-pki-types",
 ]
@@ -5656,9 +5704,9 @@ dependencies = [

 [[package]]
 name = "winnow"
-version = "0.7.11"
+version = "0.7.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "74c7b26e3480b707944fc872477815d29a8e429d2f93a1ce000f5fa84a15cbcd"
+checksum = "f3edebf492c8125044983378ecb5766203ad3b4c2f7a922bd7dd207f6d443e95"
 dependencies = [
 "memchr",
 ]
@@ -5696,9 +5744,9 @@ checksum = "ea2f10b9bb0928dfb1b42b65e1f9e36f7f54dbdf08457afefb38afcdec4fa2bb"

 [[package]]
 name = "xml-rs"
-version = "0.8.26"
+version = "0.8.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a62ce76d9b56901b19a74f19431b0d8b3bc7ca4ad685a746dfd78ca8f4fc6bda"
+checksum = "6fd8403733700263c6eb89f192880191f1b83e332f7a20371ddcf421c4a337c7"

 [[package]]
 name = "xmlparser"
@@ -5749,7 +5797,7 @@ dependencies = [
 "form_urlencoded",
 "futures",
 "hmac",
- "rand 0.9.1",
+ "rand 0.9.2",
 "reqwest",
 "sha1",
 "threadpool",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -73,15 +73,15 @@ dashmap = "6.1.0"

 # Async futures
 futures = "0.3.31"
-tokio = { version = "1.45.1", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
+tokio = { version = "1.46.1", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
 tokio-util = { version = "0.7.15", features = ["compat"]}

 # A generic serialization/deserialization framework
 serde = { version = "1.0.219", features = ["derive"] }
-serde_json = "1.0.140"
+serde_json = "1.0.141"

 # A safe, extensible ORM and Query builder
-diesel = { version = "2.2.11", features = ["chrono", "r2d2", "numeric"] }
+diesel = { version = "2.2.12", features = ["chrono", "r2d2", "numeric"] }
 diesel_migrations = "2.2.0"
 diesel_logger = { version = "0.4.0", optional = true }

@@ -89,10 +89,10 @@ derive_more = { version = "2.0.1", features = ["from", "into", "as_ref", "deref"
 diesel-derive-newtype = "2.1.2"

 # Bundled/Static SQLite
-libsqlite3-sys = { version = "0.33.0", features = ["bundled"], optional = true }
+libsqlite3-sys = { version = "0.35.0", features = ["bundled"], optional = true }

 # Crypto-related libraries
-rand = "0.9.1"
+rand = "0.9.2"
 ring = "0.17.14"
 subtle = "2.6.1"

@@ -101,7 +101,7 @@ uuid = { version = "1.17.0", features = ["v4"] }

 # Date and time libraries
 chrono = { version = "0.4.41", features = ["clock", "serde"], default-features = false }
-chrono-tz = "0.10.3"
+chrono-tz = "0.10.4"
 time = "0.3.41"

 # Job scheduler
@@ -134,7 +134,7 @@ email_address = "0.2.9"
 handlebars = { version = "6.3.2", features = ["dir_source"] }

 # HTTP client (Used for favicons, version check, DUO and HIBP API)
-reqwest = { version = "0.12.20", features = ["rustls-tls", "rustls-tls-native-roots", "stream", "json", "deflate", "gzip", "brotli", "zstd", "socks", "cookies", "charset", "http2", "system-proxy"], default-features = false}
+reqwest = { version = "0.12.22", features = ["rustls-tls", "rustls-tls-native-roots", "stream", "json", "deflate", "gzip", "brotli", "zstd", "socks", "cookies", "charset", "http2", "system-proxy"], default-features = false}
 hickory-resolver = "0.25.2"

 # Favicon extraction libraries
@@ -145,7 +145,7 @@ bytes = "1.10.1"
 svg-hush = "0.9.5"

 # Cache function results (Used for version check and favicon fetching)
-cached = { version = "0.55.1", features = ["async"] }
+cached = { version = "0.56.0", features = ["async"] }

 # Used for custom short lived cookie jar during favicon extraction
 cookie = "0.18.1"
@@ -180,13 +180,13 @@ rpassword = "7.4.0"
 grass_compiler = { version = "0.13.4", default-features = false }

 # File are accessed through Apache OpenDAL
-opendal = { version = "0.53.3", features = ["services-fs"], default-features = false }
+opendal = { version = "0.54.0", features = ["services-fs"], default-features = false }

 # For retrieving AWS credentials, including temporary SSO credentials
 anyhow = { version = "1.0.98", optional = true }
-aws-config = { version = "1.8.0", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true }
-aws-credential-types = { version = "1.2.3", optional = true }
-aws-smithy-runtime-api = { version = "1.8.1", optional = true }
+aws-config = { version = "1.8.3", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true }
+aws-credential-types = { version = "1.2.4", optional = true }
+aws-smithy-runtime-api = { version = "1.8.5", optional = true }
 http = { version = "1.3.1", optional = true }
 reqsign = { version = "0.16.5", optional = true }

--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@@ -613,6 +613,7 @@ use cached::proc_macro::cached;
 /// Cache this function to prevent API call rate limit. Github only allows 60 requests per hour, and we use 3 here already
 /// It will cache this function for 600 seconds (10 minutes) which should prevent the exhaustion of the rate limit
 /// Any cache will be lost if Vaultwarden is restarted
+use std::time::Duration; // Needed for cached
 #[cached(time = 600, sync_writes = "default")]
 async fn get_release_info(has_http_access: bool) -> (String, String, String) {
    // If the HTTP Check failed, do not even attempt to check for new versions since we were not able to connect with github.com anyway.
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -556,14 +556,45 @@ use super::sends::{update_send_from_data, SendData};
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct KeyData {
+    account_unlock_data: RotateAccountUnlockData,
+    account_keys: RotateAccountKeys,
+    account_data: RotateAccountData,
+    old_master_key_authentication_hash: String,
+}
+
+#[derive(Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct RotateAccountUnlockData {
+    emergency_access_unlock_data: Vec<UpdateEmergencyAccessData>,
+    master_password_unlock_data: MasterPasswordUnlockData,
+    organization_account_recovery_unlock_data: Vec<UpdateResetPasswordData>,
+}
+
+#[derive(Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct MasterPasswordUnlockData {
+    kdf_type: i32,
+    kdf_iterations: i32,
+    kdf_parallelism: Option<i32>,
+    kdf_memory: Option<i32>,
+    email: String,
+    master_key_authentication_hash: String,
+    master_key_encrypted_user_key: String,
+}
+
+#[derive(Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct RotateAccountKeys {
+    user_key_encrypted_account_private_key: String,
+    account_public_key: String,
+}
+
+#[derive(Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct RotateAccountData {
    ciphers: Vec<CipherData>,
    folders: Vec<UpdateFolderData>,
    sends: Vec<SendData>,
-    emergency_access_keys: Vec<UpdateEmergencyAccessData>,
-    reset_password_keys: Vec<UpdateResetPasswordData>,
-    key: String,
-    master_password_hash: String,
-    private_key: String,
 }

 fn validate_keydata(
@@ -573,10 +604,24 @@ fn validate_keydata(
    existing_emergency_access: &[EmergencyAccess],
    existing_memberships: &[Membership],
    existing_sends: &[Send],
+    user: &User,
 ) -> EmptyResult {
+    if user.client_kdf_type != data.account_unlock_data.master_password_unlock_data.kdf_type
+        || user.client_kdf_iter != data.account_unlock_data.master_password_unlock_data.kdf_iterations
+        || user.client_kdf_memory != data.account_unlock_data.master_password_unlock_data.kdf_memory
+        || user.client_kdf_parallelism != data.account_unlock_data.master_password_unlock_data.kdf_parallelism
+        || user.email != data.account_unlock_data.master_password_unlock_data.email
+    {
+        err!("Changing the kdf variant or email is not supported during key rotation");
+    }
+    if user.public_key.as_ref() != Some(&data.account_keys.account_public_key) {
+        err!("Changing the asymmetric keypair is not possible during key rotation")
+    }
+
    // Check that we're correctly rotating all the user's ciphers
    let existing_cipher_ids = existing_ciphers.iter().map(|c| &c.uuid).collect::<HashSet<&CipherId>>();
    let provided_cipher_ids = data
+        .account_data
        .ciphers
        .iter()
        .filter(|c| c.organization_id.is_none())
@@ -588,7 +633,8 @@ fn validate_keydata(

    // Check that we're correctly rotating all the user's folders
    let existing_folder_ids = existing_folders.iter().map(|f| &f.uuid).collect::<HashSet<&FolderId>>();
-    let provided_folder_ids = data.folders.iter().filter_map(|f| f.id.as_ref()).collect::<HashSet<&FolderId>>();
+    let provided_folder_ids =
+        data.account_data.folders.iter().filter_map(|f| f.id.as_ref()).collect::<HashSet<&FolderId>>();
    if !provided_folder_ids.is_superset(&existing_folder_ids) {
        err!("All existing folders must be included in the rotation")
    }
@@ -596,8 +642,12 @@ fn validate_keydata(
    // Check that we're correctly rotating all the user's emergency access keys
    let existing_emergency_access_ids =
        existing_emergency_access.iter().map(|ea| &ea.uuid).collect::<HashSet<&EmergencyAccessId>>();
-    let provided_emergency_access_ids =
-        data.emergency_access_keys.iter().map(|ea| &ea.id).collect::<HashSet<&EmergencyAccessId>>();
+    let provided_emergency_access_ids = data
+        .account_unlock_data
+        .emergency_access_unlock_data
+        .iter()
+        .map(|ea| &ea.id)
+        .collect::<HashSet<&EmergencyAccessId>>();
    if !provided_emergency_access_ids.is_superset(&existing_emergency_access_ids) {
        err!("All existing emergency access keys must be included in the rotation")
    }
@@ -605,15 +655,19 @@ fn validate_keydata(
    // Check that we're correctly rotating all the user's reset password keys
    let existing_reset_password_ids =
        existing_memberships.iter().map(|m| &m.org_uuid).collect::<HashSet<&OrganizationId>>();
-    let provided_reset_password_ids =
-        data.reset_password_keys.iter().map(|rp| &rp.organization_id).collect::<HashSet<&OrganizationId>>();
+    let provided_reset_password_ids = data
+        .account_unlock_data
+        .organization_account_recovery_unlock_data
+        .iter()
+        .map(|rp| &rp.organization_id)
+        .collect::<HashSet<&OrganizationId>>();
    if !provided_reset_password_ids.is_superset(&existing_reset_password_ids) {
        err!("All existing reset password keys must be included in the rotation")
    }

    // Check that we're correctly rotating all the user's sends
    let existing_send_ids = existing_sends.iter().map(|s| &s.uuid).collect::<HashSet<&SendId>>();
-    let provided_send_ids = data.sends.iter().filter_map(|s| s.id.as_ref()).collect::<HashSet<&SendId>>();
+    let provided_send_ids = data.account_data.sends.iter().filter_map(|s| s.id.as_ref()).collect::<HashSet<&SendId>>();
    if !provided_send_ids.is_superset(&existing_send_ids) {
        err!("All existing sends must be included in the rotation")
    }
@@ -621,12 +675,12 @@ fn validate_keydata(
    Ok(())
 }

-#[post("/accounts/key", data = "<data>")]
+#[post("/accounts/key-management/rotate-user-account-keys", data = "<data>")]
 async fn post_rotatekey(data: Json<KeyData>, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
    // TODO: See if we can wrap everything within a SQL Transaction. If something fails it should revert everything.
    let data: KeyData = data.into_inner();

-    if !headers.user.check_valid_password(&data.master_password_hash) {
+    if !headers.user.check_valid_password(&data.old_master_key_authentication_hash) {
        err!("Invalid password")
    }

@@ -634,7 +688,7 @@ async fn post_rotatekey(data: Json<KeyData>, headers: Headers, mut conn: DbConn,
    // Bitwarden does not process the import if there is one item invalid.
    // Since we check for the size of the encrypted note length, we need to do that here to pre-validate it.
    // TODO: See if we can optimize the whole cipher adding/importing and prevent duplicate code and checks.
-    Cipher::validate_cipher_data(&data.ciphers)?;
+    Cipher::validate_cipher_data(&data.account_data.ciphers)?;

    let user_id = &headers.user.uuid;

@@ -655,10 +709,11 @@ async fn post_rotatekey(data: Json<KeyData>, headers: Headers, mut conn: DbConn,
        &existing_emergency_access,
        &existing_memberships,
        &existing_sends,
+        &headers.user,
    )?;

    // Update folder data
-    for folder_data in data.folders {
+    for folder_data in data.account_data.folders {
        // Skip `null` folder id entries.
        // See: https://github.com/bitwarden/clients/issues/8453
        if let Some(folder_id) = folder_data.id {
@@ -672,7 +727,7 @@ async fn post_rotatekey(data: Json<KeyData>, headers: Headers, mut conn: DbConn,
    }

    // Update emergency access data
-    for emergency_access_data in data.emergency_access_keys {
+    for emergency_access_data in data.account_unlock_data.emergency_access_unlock_data {
        let Some(saved_emergency_access) =
            existing_emergency_access.iter_mut().find(|ea| ea.uuid == emergency_access_data.id)
        else {
@@ -684,7 +739,7 @@ async fn post_rotatekey(data: Json<KeyData>, headers: Headers, mut conn: DbConn,
    }

    // Update reset password data
-    for reset_password_data in data.reset_password_keys {
+    for reset_password_data in data.account_unlock_data.organization_account_recovery_unlock_data {
        let Some(membership) =
            existing_memberships.iter_mut().find(|m| m.org_uuid == reset_password_data.organization_id)
        else {
@@ -696,7 +751,7 @@ async fn post_rotatekey(data: Json<KeyData>, headers: Headers, mut conn: DbConn,
    }

    // Update send data
-    for send_data in data.sends {
+    for send_data in data.account_data.sends {
        let Some(send) = existing_sends.iter_mut().find(|s| &s.uuid == send_data.id.as_ref().unwrap()) else {
            err!("Send doesn't exist")
        };
@@ -707,7 +762,7 @@ async fn post_rotatekey(data: Json<KeyData>, headers: Headers, mut conn: DbConn,
    // Update cipher data
    use super::ciphers::update_cipher_from_data;

-    for cipher_data in data.ciphers {
+    for cipher_data in data.account_data.ciphers {
        if cipher_data.organization_id.is_none() {
            let Some(saved_cipher) = existing_ciphers.iter_mut().find(|c| &c.uuid == cipher_data.id.as_ref().unwrap())
            else {
@@ -724,9 +779,13 @@ async fn post_rotatekey(data: Json<KeyData>, headers: Headers, mut conn: DbConn,
    // Update user data
    let mut user = headers.user;

-    user.akey = data.key;
-    user.private_key = Some(data.private_key);
-    user.reset_security_stamp();
+    user.private_key = Some(data.account_keys.user_key_encrypted_account_private_key);
+    user.set_password(
+        &data.account_unlock_data.master_password_unlock_data.master_key_authentication_hash,
+        Some(data.account_unlock_data.master_password_unlock_data.master_key_encrypted_user_key),
+        true,
+        None,
+    );

    let save_result = user.save(&mut conn).await;

--- a/src/api/core/ciphers.rs
+++ b/src/api/core/ciphers.rs
@@ -1924,11 +1924,21 @@ impl CipherSyncData {

        // Generate a HashMap with the collections_uuid as key and the CollectionGroup record
        let user_collections_groups: HashMap<CollectionId, CollectionGroup> = if CONFIG.org_groups_enabled() {
-            CollectionGroup::find_by_user(user_id, conn)
-                .await
-                .into_iter()
-                .map(|collection_group| (collection_group.collections_uuid.clone(), collection_group))
-                .collect()
+            CollectionGroup::find_by_user(user_id, conn).await.into_iter().fold(
+                HashMap::new(),
+                |mut combined_permissions, cg| {
+                    combined_permissions
+                        .entry(cg.collections_uuid.clone())
+                        .and_modify(|existing| {
+                            // Combine permissions: take the most permissive settings.
+                            existing.read_only &= cg.read_only; // false if ANY group allows write
+                            existing.hide_passwords &= cg.hide_passwords; // false if ANY group allows password view
+                            existing.manage |= cg.manage; // true if ANY group allows manage
+                        })
+                        .or_insert(cg);
+                    combined_permissions
+                },
+            )
        } else {
            HashMap::new()
        };
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -726,15 +726,6 @@ async fn delete_organization_collection(
    _delete_organization_collection(&org_id, &col_id, &headers, &mut conn).await
 }

-#[derive(Deserialize, Debug)]
-#[serde(rename_all = "camelCase")]
-struct DeleteCollectionData {
-    #[allow(dead_code)]
-    id: String,
-    #[allow(dead_code)]
-    org_id: OrganizationId,
-}
-
 #[post("/organizations/<org_id>/collections/<col_id>/delete")]
 async fn post_organization_collection_delete(
    org_id: OrganizationId,
--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@@ -609,22 +609,23 @@ impl Cipher {
            let mut rows: Vec<(bool, bool, bool)> = Vec::new();
            if let Some(collections) = cipher_sync_data.cipher_collections.get(&self.uuid) {
                for collection in collections {
-                    //User permissions
+                    // User permissions
                    if let Some(cu) = cipher_sync_data.user_collections.get(collection) {
                        rows.push((cu.read_only, cu.hide_passwords, cu.manage));
-                    }
-
-                    //Group permissions
-                    if let Some(cg) = cipher_sync_data.user_collections_groups.get(collection) {
+                    // Group permissions
+                    } else if let Some(cg) = cipher_sync_data.user_collections_groups.get(collection) {
                        rows.push((cg.read_only, cg.hide_passwords, cg.manage));
                    }
                }
            }
            rows
        } else {
-            let mut access_flags = self.get_user_collections_access_flags(user_uuid, conn).await;
-            access_flags.append(&mut self.get_group_collections_access_flags(user_uuid, conn).await);
-            access_flags
+            let user_permissions = self.get_user_collections_access_flags(user_uuid, conn).await;
+            if !user_permissions.is_empty() {
+                user_permissions
+            } else {
+                self.get_group_collections_access_flags(user_uuid, conn).await
+            }
        };

        if rows.is_empty() {
@@ -633,6 +634,9 @@ impl Cipher {
        }

        // A cipher can be in multiple collections with inconsistent access flags.
+        // Also, user permission overrule group permissions
+        // and only user permissions are returned by the code above.
+        //
        // For example, a cipher could be in one collection where the user has
        // read-only access, but also in another collection where the user has
        // read/write access. For a flag to be in effect for a cipher, upstream
@@ -641,13 +645,15 @@ impl Cipher {
        // and `hide_passwords` columns. This could ideally be done as part of the
        // query, but Diesel doesn't support a min() or bool_and() function on
        // booleans and this behavior isn't portable anyway.
+        //
+        // The only exception is for the `manage` flag, that needs a boolean OR!
        let mut read_only = true;
        let mut hide_passwords = true;
        let mut manage = false;
        for (ro, hp, mn) in rows.iter() {
            read_only &= ro;
            hide_passwords &= hp;
-            manage &= mn;
+            manage |= mn;
        }

        Some((read_only, hide_passwords, manage))
--- a/src/db/models/collection.rs
+++ b/src/db/models/collection.rs
@@ -97,13 +97,13 @@ impl Collection {
                        (
                            cu.read_only,
                            cu.hide_passwords,
-                            cu.manage || (is_manager && !cu.read_only && !cu.hide_passwords),
+                            is_manager && (cu.manage || (!cu.read_only && !cu.hide_passwords)),
                        )
                    } else if let Some(cg) = cipher_sync_data.user_collections_groups.get(&self.uuid) {
                        (
                            cg.read_only,
                            cg.hide_passwords,
-                            cg.manage || (is_manager && !cg.read_only && !cg.hide_passwords),
+                            is_manager && (cg.manage || (!cg.read_only && !cg.hide_passwords)),
                        )
                    } else {
                        (false, false, false)
@@ -114,7 +114,9 @@ impl Collection {
        } else {
            match Membership::find_confirmed_by_user_and_org(user_uuid, &self.org_uuid, conn).await {
                Some(m) if m.has_full_access() => (false, false, m.atype >= MembershipType::Manager),
-                Some(_) if self.is_manageable_by_user(user_uuid, conn).await => (false, false, true),
+                Some(m) if m.atype == MembershipType::Manager && self.is_manageable_by_user(user_uuid, conn).await => {
+                    (false, false, true)
+                }
                Some(m) => {
                    let is_manager = m.atype == MembershipType::Manager;
                    let read_only = !self.is_writable_by_user(user_uuid, conn).await;
--- a/src/static/templates/scss/vaultwarden.scss.hbs
+++ b/src/static/templates/scss/vaultwarden.scss.hbs
@@ -20,6 +20,11 @@ a[href$="/settings/sponsored-families"] {
  @extend %vw-hide;
 }

+/* Hide the sso `Email` input field */
+.vw-email-sso {
+  @extend %vw-hide;
+}
+
 /* Hide the `Enterprise Single Sign-On` button on the login page */
 {{#if (webver ">=2025.5.1")}}
 .vw-sso-login {
@@ -57,6 +62,11 @@ app-root ng-component > form > div:nth-child(1) > div:nth-child(3) > div:nth-chi
 }
 {{/if}}

+/* Hide the `Other` button on the login page */
+.vw-other-login {
+  @extend %vw-hide;
+}
+
 /* Hide Two-Factor menu in Organization settings */
 bit-nav-item[route="settings/two-factor"],
 a[href$="/settings/two-factor"] {
Author	SHA1	Message	Date
Stefan Melmuk	a0198d8d7c	fix account key rotation (#6105 )	2025-07-27 12:18:54 +02:00
Mathijs van Veluw	dfad931dca	Update crates (#6100 ) Updated crates and made adjustments where needed. Also removed a struct which wasn't used and the nightly compiler complained about it. Used pinact to update GitHub Actions. Validated GitHub Actions with zizmor. Signed-off-by: BlackDex <black.dex@gmail.com>	2025-07-26 14:58:39 +02:00
Richy	25865efd79	fix: resolve group permission conflicts with multiple groups (#6017 ) * fix: resolve group permission conflicts with multiple groups When a user belonged to multiple groups with different permissions for the same collection, only the permissions from one group were applied instead of combining them properly. This caused users to see incorrect access levels when initially viewing collection items. The fix combines permissions from all user groups by taking the most permissive settings: - read_only: false if ANY group allows write access - hide_passwords: false if ANY group allows password viewing - manage: true if ANY group allows management This ensures users immediately see the correct permissions when opening collection entries, matching the behavior after editing and saving. * Update src/api/core/ciphers.rs Co-authored-by: Mathijs van Veluw <black.dex@gmail.com> * fix: format * fix: restrict collection manage permissions to managers only Prevent users from getting logged out when they have manage permissions by only allowing manage permissions for MembershipType::Manager and higher roles. * refactor: cipher permission logic to prioritize user access Updated permission checks to return user collection permissions if available, otherwise fallback to group permissions. Clarified comments to indicate user permissions overrule group permissions and corrected the logic for the 'manage' flag to use boolean OR instead of AND. --------- Co-authored-by: Mathijs van Veluw <black.dex@gmail.com>	2025-07-25 20:58:41 +02:00
Mathijs van Veluw	bcf627930e	Adjust issue template to hopefully show better to search for closed and open issues (#6096 )	2025-07-25 18:17:55 +02:00
Timshel	ce70cd2cf4	Hide login form custom fields (#6054 ) Co-authored-by: Timshel <timshel@480s>	2025-07-14 22:01:20 +02:00
Daniel	2ac589d4b4	Fix digest SHA extraction step (#6059 )	2025-07-13 12:20:16 +02:00
Stefan Melmuk	b2e2aef7de	fix hash reference in release.yml (#6058 )	2025-07-13 10:22:33 +02:00
Daniel García	0755bb19c0	Update release.yml (#6057 ) Seems like docker can't use the hash references: https://github.com/dani-garcia/vaultwarden/actions/runs/16242780267/job/45861396226	2025-07-13 01:01:08 +02:00
Mathijs van Veluw	fee0c1c711	Update crates, workflow and issue template (#6056 ) - Updated all the crates, which probably fixes #5959 - Updated all the workflows and tested it with zizmor Also added zizmor as a workflow it self. - Updated the issue template to better mention to search first. Signed-off-by: BlackDex <black.dex@gmail.com>	2025-07-13 00:48:56 +02:00