diff --git a/apps/desktop/src-tauri/Cargo.lock b/apps/desktop/src-tauri/Cargo.lock
index c50209b..53b4a1f 100644
--- a/apps/desktop/src-tauri/Cargo.lock
+++ b/apps/desktop/src-tauri/Cargo.lock
@@ -3455,9 +3455,9 @@ dependencies = [
  "chrono",
  "criterion",
  "dotenvy",
+ "getrandom 0.3.4",
  "httpmock",
  "keyring",
- "rand 0.9.3",
  "reqwest",
  "rustc-hash",
  "serde",
@@ -3583,7 +3583,7 @@ dependencies = [
  "bytes",
  "getrandom 0.3.4",
  "lru-slab",
- "rand 0.9.3",
+ "rand 0.9.4",
  "ring",
  "rustc-hash",
  "rustls",
@@ -3657,9 +3657,9 @@ dependencies = [
 
 [[package]]
 name = "rand"
-version = "0.9.3"
+version = "0.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7ec095654a25171c2124e9e3393a930bddbffdc939556c914957a4c3e0a87166"
+checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea"
 dependencies = [
  "rand_chacha 0.9.0",
  "rand_core 0.9.5",
diff --git a/apps/desktop/src-tauri/Cargo.toml b/apps/desktop/src-tauri/Cargo.toml
index caba9f0..1a773e0 100644
--- a/apps/desktop/src-tauri/Cargo.toml
+++ b/apps/desktop/src-tauri/Cargo.toml
@@ -36,7 +36,7 @@ arc-swap = "1.7"
 rustc-hash = "2.1"
 sha2 = "0.10"
 base64 = "0.22"
-rand = "0.9"
+getrandom = "0.3"
 url = "2"
 
 [dev-dependencies]
diff --git a/apps/desktop/src-tauri/src/oauth_pkce/pkce.rs b/apps/desktop/src-tauri/src/oauth_pkce/pkce.rs
index f533930..f248511 100644
--- a/apps/desktop/src-tauri/src/oauth_pkce/pkce.rs
+++ b/apps/desktop/src-tauri/src/oauth_pkce/pkce.rs
@@ -17,7 +17,6 @@
 
 use base64::engine::general_purpose::URL_SAFE_NO_PAD;
 use base64::Engine;
-use rand::TryRngCore;
 use sha2::{Digest, Sha256};
 
 use super::errors::PkceError;
@@ -39,16 +38,14 @@ pub struct Pkce {
 impl Pkce {
     /// Generate a fresh verifier+challenge pair using the OS RNG.
     ///
-    /// The OS RNG (`rand::rngs::OsRng`, a thin wrapper over `getrandom`)
+    /// The OS RNG (`getrandom::fill`, backed by the platform CSPRNG)
     /// is the only acceptable source: PKCE security relies on the
     /// verifier being unguessable. Userspace PRNGs would not survive
     /// a timing analysis of the SHA-256 challenge round-tripping the
     /// network during the authorization phase.
     pub fn generate() -> Result<Self, PkceError> {
         let mut bytes = [0u8; RANDOM_BYTES];
-        rand::rngs::OsRng
-            .try_fill_bytes(&mut bytes)
-            .map_err(|e| PkceError::Rng(e.to_string()))?;
+        getrandom::fill(&mut bytes).map_err(|e| PkceError::Rng(e.to_string()))?;
         let verifier = URL_SAFE_NO_PAD.encode(bytes);
         let challenge = challenge_for(&verifier);
         Ok(Self {
@@ -66,9 +63,7 @@ pub struct State(pub String);
 impl State {
     pub fn generate() -> Result<Self, PkceError> {
         let mut bytes = [0u8; RANDOM_BYTES];
-        rand::rngs::OsRng
-            .try_fill_bytes(&mut bytes)
-            .map_err(|e| PkceError::Rng(e.to_string()))?;
+        getrandom::fill(&mut bytes).map_err(|e| PkceError::Rng(e.to_string()))?;
         Ok(Self(URL_SAFE_NO_PAD.encode(bytes)))
     }