diff --git a/lemonldap-ng.spec b/lemonldap-ng.spec
index 8a6a597b55a45fa88d9d2547e07aaeb74af564a4..39216519694230fb5aba35c2de5b415dfe303743 100644
--- a/lemonldap-ng.spec
+++ b/lemonldap-ng.spec
@@ -23,8 +23,8 @@
 
 
 Name:           lemonldap-ng
-Version:        2.20.1
-Release:        2%{?dist}
+Version:        2.22.1
+Release:        1%{?dist}
 Summary:        Web Single Sign On (SSO) and Access Management
 License:        GPL-2.0-or-later AND MIT AND GPL-3.0-or-later AND OFL-1.1-RFN
 URL:            https://lemonldap-ng.org
@@ -67,6 +67,7 @@ BuildRequires:  perl(Crypt::OpenSSL::X509)
 BuildRequires:  perl(Crypt::Rijndael)
 BuildRequires:  perl(Crypt::URandom)
 BuildRequires:  perl(Data::Dumper)
+BuildRequires:  perl(Data::Password::zxcvbn)
 BuildRequires:  perl(Date::Parse)
 BuildRequires:  perl(DateTime::Format::RFC3339)
 BuildRequires:  perl(DBI)
@@ -84,11 +85,13 @@ BuildRequires:  perl(feature)
 BuildRequires:  perl(fields)
 BuildRequires:  perl(File::Temp)
 BuildRequires:  perl(GD::SecurityImage)
+BuildRequires:  perl(GeoIP2::Database::Reader)
 BuildRequires:  perl(GSSAPI)
 BuildRequires:  perl(Hash::Merge::Simple)
 BuildRequires:  perl(HTML::Entities)
 BuildRequires:  perl(HTML::FormatText::WithLinks)
 BuildRequires:  perl(HTML::Template)
+BuildRequires:  perl(HTTP::BrowserDetect)
 BuildRequires:  perl(HTTP::Headers)
 BuildRequires:  perl(HTTP::Request)
 BuildRequires:  perl(IO::Select)
@@ -126,6 +129,7 @@ BuildRequires:  perl(Regexp::Assemble)
 BuildRequires:  perl(Regexp::Common)
 BuildRequires:  perl(Safe)
 BuildRequires:  perl(Scalar::Util)
+BuildRequires:  perl(Sentry::Raven)
 BuildRequires:  perl(SOAP::Lite)
 BuildRequires:  perl(SOAP::Transport::HTTP)
 BuildRequires:  perl(strict)
@@ -140,17 +144,20 @@ BuildRequires:  perl(URI::QueryParam)
 BuildRequires:  perl(URI::URL)
 BuildRequires:  perl(utf8)
 BuildRequires:  perl(warnings)
+BuildRequires:  perl(Web::ID)
 BuildRequires:  perl(XML::LibXML)
 BuildRequires:  perl(XML::LibXSLT)
 BuildRequires:  perl(YAML)
 # Runtime
 BuildRequires:  perl(Apache::Session::Browseable)
 BuildRequires:  perl(Apache::Session::Lock::File)
+BuildRequires:  perl(Authen::WebAuthn)
 BuildRequires:  perl(CGI::Compile)
 BuildRequires:  perl(CGI::Emulate::PSGI)
 BuildRequires:  perl(Crypt::PK::ECC)
 BuildRequires:  perl(Cwd)
 BuildRequires:  perl(Email::Address)
+BuildRequires:  perl(Email::Address::XS)
 BuildRequires:  perl(English)
 BuildRequires:  perl(FCGI::ProcManager)
 BuildRequires:  perl(File::Compare)
@@ -170,6 +177,7 @@ BuildRequires:  perl(Plack::Handler::FCGI)
 BuildRequires:  perl(Pod::Usage)
 BuildRequires:  perl(Storable)
 BuildRequires:  perl(threads::shared)
+BuildRequires:  perl(WWW::Form::UrlEncoded)
 BuildRequires:  perl(XML::Simple)
 # Tests
 BuildRequires:  perl(Apache::Session::File)
@@ -218,7 +226,7 @@ Requires:        (%{name}-selinux = %{version}-%{release} if selinux-policy-%{se
 
 
 %{?perl_default_filter}
-%global __requires_exclude perl\\(Apache2::|perl\\(APR::Table\\)
+%global __requires_exclude perl\\(Apache2::|perl\\(APR::Table\\)|perl\\(Protocol::WebSocket
 
 
 %description
@@ -366,7 +374,7 @@ into Lemonldap::NG's SSOaaS service.
     STORAGECONFFILE=%{lm_storagefile} \
     DATADIR=%{lm_vardir} \
     CACHEDIR=%{lm_cachedir} \
-    PERLOPTIONS="INSTALLDIRS=vendor"
+    PERLOPTIONS="INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1"
 %make_build
 
 %if 0%{?with_selinux}
@@ -409,20 +417,12 @@ bzip2 -9 %{modulename}.pp
     LLNGAPPDIR=%{lm_sharedir}/llng-server \
     CHOWN=/usr/bin/true \
     CHGRP=/usr/bin/true \
+    WITHRC=no \
     PROD=yes
 
-find %{buildroot} -name .packlist -exec rm -f {} \;
-find %{buildroot} -name perllocal.pod -exec rm -f {} \;
-find %{buildroot} -name *.bak -exec rm -f {} \;
-
-rm -f %{buildroot}%{_sysconfdir}/init.d/llng-fastcgi-server
-
 mkdir -p %{buildroot}%{_sysconfdir}/uwsgi/apps-available
 mkdir -p %{buildroot}%{lm_sharedir}/llng-server
 
-rm -f %{buildroot}%{_sysconfdir}/cron.d/lemonldap-ng-handler
-rm -f %{buildroot}%{_sysconfdir}/cron.d/lemonldap-ng-portal
-
 mkdir -p %{buildroot}%{_presetdir}
 install -p -m 0644 lemonldap-ng-handler/scripts/lemonldap-ng-handler.preset \
   %{buildroot}%{_presetdir}/10-lemonldap-ng-handler.preset
@@ -488,6 +488,10 @@ if [ $1 -eq 1 ] ; then
     find %{apache_confdir} -name 'z-lemonldap-ng*.conf' \
         -type l -delete 2>&1 > /dev/null || :
 fi
+%systemd_preun lemonldap-ng-rotateOidcKeys.timer
+
+%postun common
+%systemd_postun lemonldap-ng-rotateOidcKeys.timer
 
 %post fastcgi-server
 %systemd_post llng-fastcgi-server.service
@@ -499,30 +503,24 @@ fi
 %systemd_postun_with_restart llng-fastcgi-server.service
 
 %post portal
-%systemd_post lemonldap-ng-portal.service
-if [ $1 -gt 1 ] ; then
-  systemctl preset lemonldap-ng-portal.timer || :
-  systemctl start lemonldap-ng-portal.timer || :
-fi
+%systemd_post lemonldap-ng-portal.timer
+systemctl start lemonldap-ng-portal.timer || :
 
 %preun portal
-%systemd_preun lemonldap-ng-portal.service
+%systemd_preun lemonldap-ng-portal.timer
 
 %postun portal
-%systemd_postun lemonldap-ng-portal.service
+%systemd_postun lemonldap-ng-portal.timer
 
 %post handler
-%systemd_post lemonldap-ng-handler.service
-if [ $1 -gt 1 ] ; then
-  systemctl preset lemonldap-ng-handler.timer || :
-  systemctl start lemonldap-ng-handler.timer || :
-fi
+%systemd_post lemonldap-ng-handler.timer
+systemctl start lemonldap-ng-handler.timer || :
 
 %preun handler
-%systemd_preun lemonldap-ng-handler.service
+%systemd_preun lemonldap-ng-handler.timer
 
 %postun handler
-%systemd_postun lemonldap-ng-handler.service
+%systemd_postun lemonldap-ng-handler.timer
 
 %if 0%{?with_selinux}
 %pre selinux
@@ -549,11 +547,14 @@ fi
 %license COPYING LICENSE
 %dir %{lm_confdir}
 %config(noreplace) %attr(640,root,%{lm_apachegroup}) %{lm_storagefile}
+%{_unitdir}/lemonldap-ng-rotateOidcKeys.service
+%{_unitdir}/lemonldap-ng-rotateOidcKeys.timer
 %{_mandir}/man1/convertConfig*
 %{_mandir}/man1/convertSessions*
 %{_mandir}/man1/convertToHashSessionStorage*
 %{_mandir}/man1/encryptTotpSecrets*
 %{_mandir}/man1/lemonldap-ng-sessions*
+%{_mandir}/man1/rotateOidcKeys*
 %dir %{_libexecdir}/%{name}
 %dir %{lm_sbindir}
 %dir %{lm_bindir}
@@ -615,6 +616,7 @@ fi
 %config(noreplace) %{_sysconfdir}/nginx/conf.d/api-nginx.conf
 %{lm_sharedir}/manager
 %{lm_examplesdir}/manager
+%{lm_bindir}/crowdsecBan
 %{lm_bindir}/lmConfigEditor
 %{lm_bindir}/lemonldap-ng-cli
 %{lm_bindir}/llngDeleteSession
@@ -626,6 +628,9 @@ fi
 %{perl_vendorlib}/Lemonldap/NG/Manager/
 
 %files portal
+%{_mandir}/man1/downloadSamlMetadata*
+%{_mandir}/man1/purgeCentralCache*
+%{_mandir}/man1/purgePersistentSessions*
 %{lm_sharedir}/portal
 %{lm_bindir}/purgeCentralCache
 %{lm_bindir}/downloadSamlMetadata
@@ -672,6 +677,10 @@ fi
 
 
 %changelog
+* Wed Dec 3 2025 Anakin Zhang <anakinzhang@tencent.com> - 2.22.1-1
+- [TYPE] security
+- [DESC] upgrade to 2.22.1
+
 * Tue Jun 10 2025 bbrucezhang <bbrucezhang@tencent.com> - 2.20.1-2
 - Rebuilt for loongarch64
 
diff --git a/sources b/sources
index 97a11a07099ac353193f859336a32441854e8908..cea3bfac85e38c665dc6e9e55a0025409e5b69b3 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (lemonldap-ng-2.20.1.tar.gz) = 33b978d63cc9f5d5c7e744669e8662b440c8ec1b63c9e23e9df0fdbd0d6a6853a2825230b0b505792bb337d3c27bda86f53684fccec008394f7fc30792d5dd3b
+SHA512 (lemonldap-ng-2.22.1.tar.gz) = 1057f78c3790669b31033aafef5034a212490ac49cc65d4705e7ac5a886c14df18cc878e2d989e953c6ca99f4f88e78f8964397a901bf57d2574c6b6187de414