Bump dependencies to address security issues

Cargo.toml

@@ -11,7 +11,7 @@ resolver = "2"
 
 [workspace.dependencies]
 # internal crates
-defguard_common = { path = "./crates/defguard_common", version = "1.6.3" }
+defguard_common = { path = "./crates/defguard_common", version = "1.6.4" }
 defguard_core = { path = "./crates/defguard_core", version = "0.0.0" }
 defguard_event_logger = { path = "./crates/defguard_event_logger", version = "0.0.0" }
 defguard_event_router = { path = "./crates/defguard_event_router", version = "0.0.0" }
@@ -45,7 +45,7 @@ humantime = "2.1"
 ipnetwork = "0.20"
 jsonwebkey = { version = "0.3", features = ["pkcs-convert"] }
 jsonwebtoken = { version = "10.3", features = ["rust_crypto"] }
-ldap3 = { version = "0.11", default-features = false, features = ["tls"] }
+ldap3 = { version = "0.12", default-features = false, features = ["tls"] }
 lettre = { version = "0.11", features = ["tokio1-native-tls"] }
 matches = "0.1"
 md4 = "0.10"
@@ -54,15 +54,14 @@ openidconnect = { version = "4.0", default-features = false, features = [
 ] }
 parse_link_header = "0.4"
 paste = "1.0"
-pgp = { version = "0.16", default-features = false }
+pgp = { version = "0.19", default-features = false }
 prost = "0.14"
 pulldown-cmark = "0.13"
 # match version used by sqlx
 rand = "0.8"
 reqwest = { version = "0.12", features = ["json"] }
 rsa = "0.9"
-# 0.21.2 causes config parsing errors
-rust-ini = "=0.21.1"
+rust-ini = "0.21"
 semver = { version = "1.0", features = ["serde"] }
 secrecy = { version = "0.10", features = ["serde"] }
 serde = { version = "1.0", features = ["derive"] }

crates/defguard_common/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "defguard_common"
-version = "1.6.3"
+version = "1.6.4"
 edition.workspace = true
 license-file.workspace = true
 homepage.workspace = true
@@ -36,4 +36,4 @@ uuid.workspace = true
 matches.workspace = true
 
 [build-dependencies]
-vergen-git2 = { version = "1.0", features = ["build"] }
+vergen-git2 = { version = "9.1", features = ["build"] }

crates/defguard_core/Cargo.toml

@@ -98,7 +98,7 @@ reqwest = { version = "0.12", features = [
     "rustls-tls",
     "stream",
 ], default-features = false }
-serde_qs = "0.15"
+serde_qs = "1.0"
 tower = "0.5"
 webauthn-authenticator-rs = { version = "0.5", features = ["softpasskey"] }
 

crates/defguard_core/src/enterprise/license.rs

@@ -11,8 +11,8 @@ use defguard_common::{
 };
 use humantime::format_duration;
 use pgp::{
-    composed::{Deserializable, SignedPublicKey, StandaloneSignature},
-    types::{KeyDetails, PublicKeyTrait},
+    composed::{Deserializable, DetachedSignature, SignedPublicKey},
+    types::KeyDetails,
 };
 use prost::Message;
 use sqlx::{PgPool, error::Error as SqlxError};
@@ -269,8 +269,8 @@ impl License {
     }
 
     fn verify_signature(data: &[u8], signature: &[u8]) -> Result<(), LicenseError> {
-        let sig = StandaloneSignature::from_bytes(signature)
-            .map_err(|_| LicenseError::InvalidSignature)?;
+        let sig =
+            DetachedSignature::from_bytes(signature).map_err(|_| LicenseError::InvalidSignature)?;
         let (public_key, _headers_public) =
             SignedPublicKey::from_string(PUBLIC_KEY).expect("Failed to parse the public key");
 
@@ -279,21 +279,21 @@ impl License {
         if public_key.public_subkeys.is_empty() {
             debug!(
                 "Using the public key's primary key {:?} to verify the signature...",
-                public_key.key_id()
+                public_key.legacy_key_id()
             );
             sig.verify(&public_key, data)
                 .map_err(|_| LicenseError::SignatureMismatch)
         } else {
-            let signing_key = public_key
-                .public_subkeys
-                .into_iter()
-                .find(PublicKeyTrait::is_signing_key)
-                .ok_or(LicenseError::LicenseServerError(
-                    "Failed to find a signing key in the provided public key".to_string(),
-                ))?;
+            let signing_key =
+                public_key
+                    .public_subkeys
+                    .first()
+                    .ok_or(LicenseError::LicenseServerError(
+                        "Failed to find a signing key in the provided public key".to_string(),
+                    ))?;
             debug!(
                 "Using the public key's subkey {:?} to verify the signature...",
-                signing_key.key_id()
+                signing_key.legacy_key_id()
             );
             sig.verify(&signing_key, data)
                 .map_err(|_| LicenseError::SignatureMismatch)

e2e/package.json

@@ -15,10 +15,10 @@
     "@eslint/eslintrc": "^3.3.3",
     "@eslint/js": "^9.39.2",
     "@prettier/plugin-oxc": "^0.0.4",
-    "@types/node": "^22.19.8",
+    "@types/node": "^22.19.11",
     "@types/totp-generator": "^0.0.8",
-    "@typescript-eslint/eslint-plugin": "^8.54.0",
-    "@typescript-eslint/parser": "^8.54.0",
+    "@typescript-eslint/eslint-plugin": "^8.56.0",
+    "@typescript-eslint/parser": "^8.56.0",
     "eslint": "^9.39.2",
     "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-import": "^2.32.0",
@@ -28,15 +28,15 @@
   },
   "dependencies": {
     "@faker-js/faker": "^9.9.0",
-    "@playwright/test": "^1.58.1",
+    "@playwright/test": "^1.58.2",
     "@scure/base": "^1.2.6",
     "@types/lodash": "^4.17.23",
     "@types/pg": "^8.16.0",
-    "axios": "^1.13.4",
-    "dotenv": "^17.2.3",
+    "axios": "^1.13.5",
+    "dotenv": "^17.3.1",
     "lodash": "^4.17.23",
     "pg": "^8.18.0",
-    "playwright": "^1.58.1",
+    "playwright": "^1.58.2",
     "totp-generator": "^1.0.0"
   },
   "volta": {