diff --git a/Cargo.toml b/Cargo.toml
index a6fb791..341c451 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -30,7 +30,7 @@ serde_bytes = "0.11"
 rmp-serde = { version = "1.3", optional = true }
 
 # High-performance LZ4 compression (optional)
-lz4_flex = { version = "0.12", features = ["frame", "std"], optional = true }
+lz4_flex = { version = "0.13", features = ["frame", "std"], optional = true }
 
 # Fast non-cryptographic hashing for data integrity (optional)
 # xxHash3-64: ~36 GB/s, sufficient for corruption detection (security via AES-GCM auth tag)
@@ -40,13 +40,13 @@ xxhash-rust = { version = "0.8", features = ["xxh3"], optional = true }
 # Uses HKDF-SHA256 for key derivation (NOT Blake2b - that's only for Python cache keys)
 # ring is native-only (see [target.'cfg(not(target_arch = "wasm32"))'.dependencies])
 zeroize = { version = "1.8", features = ["derive"], optional = true }
-hkdf = { version = "0.12", optional = true }
-sha2 = { version = "0.10", optional = true }
-hmac = { version = "0.12", optional = true }
-generic-array = { version = "0.14", optional = true }
+hkdf = { version = "0.13", optional = true }
+sha2 = { version = "0.11", optional = true }
+hmac = { version = "0.13", optional = true }
+generic-array = { version = "1.3", optional = true }
 
 # wasm32 RNG: getrandom with JS feature for wasm32-unknown-unknown targets
-getrandom = { version = "0.2", features = ["js"], optional = true }
+getrandom = { version = "0.4", features = ["js"], optional = true }
 
 # RustCrypto: pure-Rust AES-256-GCM for wasm32 targets (ring requires clang + C asm)
 aes-gcm = { version = "0.10", features = ["zeroize"], optional = true }