diff --git a/Cargo.lock b/Cargo.lock
index 21546e7..3eb9dd5 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1121,7 +1121,7 @@ dependencies = [
 "ratatui",
 "regex",
 "rstest",
- "secrecy",
+ "secrecy 0.10.3",
 "sendmail",
 "serde_json",
 "standardwebhooks",
@@ -1154,7 +1154,7 @@ dependencies = [
 "pike",
 "pretty_assertions",
 "rand",
- "secrecy",
+ "secrecy 0.10.3",
 "serde",
 "serde_json",
 "take-until",
@@ -1175,7 +1175,7 @@ dependencies = [
 "git-next-core",
 "kxio",
 "rand",
- "secrecy",
+ "secrecy 0.10.3",
 "serde",
 "serde_json",
 "tokio",
@@ -1195,7 +1195,7 @@ dependencies = [
 "hmac",
 "kxio",
 "rand",
- "secrecy",
+ "secrecy 0.10.3",
 "serde",
 "serde_json",
 "sha2",
@@ -2611,7 +2611,7 @@ dependencies = [
 "http 1.1.0",
 "path-clean",
 "reqwest",
- "secrecy",
+ "secrecy 0.8.0",
 "serde",
 "serde-xml-rs",
 "serde_json",
@@ -3683,6 +3683,15 @@ dependencies = [
 "zeroize",
 ]

+[[package]]
+name = "secrecy"
+version = "0.10.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e891af845473308773346dc847b2c23ee78fe442e0472ac50e22a18a93d3ae5a"
+dependencies = [
+ "zeroize",
+]
+
 [[package]]
 name = "security-framework"
 version = "2.11.1"
diff --git a/Cargo.toml b/Cargo.toml
index 06d769a..36f3adf 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -68,7 +68,7 @@ serde_json = "1.0"
 toml = "0.8"

 # Secrets and Password
-secrecy = "0.8"
+secrecy = "0.10"

 # Conventional Commit check
 git-conventional = "0.12"
diff --git a/crates/cli/src/server/tests.rs b/crates/cli/src/server/tests.rs
index ca176ca..f1301cf 100644
--- a/crates/cli/src/server/tests.rs
+++ b/crates/cli/src/server/tests.rs
@@ -6,7 +6,7 @@ use git_next_core::{
 ApiToken, ForgeType, GitDir, Hostname, RepoBranches, RepoConfig, RepoConfigSource, RepoPath,
 StoragePathType, User,
 };
-use secrecy::Secret;
+use secrecy::SecretString;

 type Result = std::result::Result>;
@@ -59,7 +59,7 @@ fn repo_details_find_default_push_remote_finds_correct_remote() -> Result<()> {
 repo_details.forge = repo_details
 .forge
 .with_user(User::new("git".to_string()))
- .with_token(ApiToken::new(Secret::new(String::new())))
+ .with_token(ApiToken::new(SecretString::from(String::new())))
 .with_hostname(Hostname::new("git.kemitix.net"));
 repo_details.repo_path = RepoPath::new("kemitix/git-next".to_string());
 let Ok(open_repository) = git::repository::factory::real().open(&repo_details) else {
@@ -95,7 +95,7 @@ fn gitdir_validate_should_pass_a_valid_git_repo() -> Result<()> {
 repo_details.forge = repo_details
 .forge
 .with_user(User::new("git".to_string()))
- .with_token(ApiToken::new(Secret::new(String::new())))
+ .with_token(ApiToken::new(SecretString::from(String::new())))
 .with_hostname(Hostname::new("git.kemitix.net"));
 tracing::debug!("opening...");
 let Ok(repository) = git::repository::factory::real().open(&repo_details) else {
@@ -129,7 +129,7 @@ fn gitdir_validate_should_fail_a_git_repo_with_wrong_remote() {
 repo_details.forge = repo_details
 .forge
 .with_user(User::new("git".to_string()))
- .with_token(ApiToken::new(Secret::new(String::new())))
+ .with_token(ApiToken::new(SecretString::from(String::new())))
 .with_hostname(Hostname::new("git.kemitix.net"));
 let Ok(repository) = git::repository::factory::real().open(&repo_details) else {
 // .git directory may not be present on dev environment
diff --git a/crates/core/src/config/api_token.rs b/crates/core/src/config/api_token.rs
index 1c46b1a..2ebae79 100644
--- a/crates/core/src/config/api_token.rs
+++ b/crates/core/src/config/api_token.rs
@@ -2,10 +2,10 @@
 /// `ForgeJo`:
 /// `Github`:
 #[derive(Clone, Debug, derive_more::Constructor)]
-pub struct ApiToken(secrecy::Secret);
+pub struct ApiToken(secrecy::SecretString);
 /// The API Token is in effect a password, so it must be explicitly exposed to access its value
-impl secrecy::ExposeSecret for ApiToken {
- fn expose_secret(&self) -> &String {
+impl secrecy::ExposeSecret for ApiToken {
+ fn expose_secret(&self) -> &str {
 self.0.expose_secret()
 }
 }
diff --git a/crates/core/src/config/server.rs b/crates/core/src/config/server.rs
index 0561303..3c394e1 100644
--- a/crates/core/src/config/server.rs
+++ b/crates/core/src/config/server.rs
@@ -10,7 +10,7 @@ use std::{

 use derive_more::{Constructor, Display};
 use kxio::fs::FileSystem;
-use secrecy::Secret;
+use secrecy::SecretString;
 use serde::{Deserialize, Serialize};
 use tracing::info;

@@ -242,8 +242,11 @@ impl Shout {
 self.webhook.clone().map(|x| x.url)
 }

- pub fn webhook_secret(&self) -> Option> {
- self.webhook.clone().map(|x| x.secret).map(Secret::new)
+ pub fn webhook_secret(&self) -> Option {
+ self.webhook
+ .clone()
+ .map(|x| x.secret)
+ .map(SecretString::from)
 }

 #[must_use]
@@ -278,8 +281,8 @@ impl OutboundWebhook {
 self.url.as_ref()
 }
 #[must_use]
- pub fn secret(&self) -> Secret {
- Secret::new(self.secret.clone())
+ pub fn secret(&self) -> SecretString {
+ SecretString::from(self.secret.clone())
 }
 }

diff --git a/crates/core/src/config/tests.rs b/crates/core/src/config/tests.rs
index 5cc1c84..4271521 100644
--- a/crates/core/src/config/tests.rs
+++ b/crates/core/src/config/tests.rs
@@ -539,7 +539,7 @@ mod server {
 let shout_webhook_url = shout.webhook_url().unwrap_or_default();
 let shout_webhook_secret = shout
 .webhook_secret()
- .map(|secret| secret.expose_secret().clone())
+ .map(|secret| secret.expose_secret().to_string())
 .unwrap_or_default();
 let_assert!(Some(shout_email) = shout.email());
 let shout_email_from = shout_email.from();
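Review bot: In `crates/core/src/config/api_token.rs` the `#[derive(Clone, Debug, ...)]` on `ApiToken` is only safe because the wrapped `secrecy::SecretString` redacts its own `Debug` output, and nothing on the struct says so. I would add a line to the struct's doc comment such as `/// Debug output is redacted by the inner SecretString; keep it that way if the inner type ever changes.` so a later refactor does not turn the derive into a token leak in logs. The struct's doc comment starts above the hunk, so its existing wording is not visible here.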
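Review bot: In `crates/core/src/config/server.rs`, `Shout::webhook_secret()` wraps the value in `SecretString` only at the accessor, so the secret still sits in the config struct as a plain `String` (`x.secret` here, `self.secret.clone()` in `OutboundWebhook::secret()` in the next hunk). The struct definitions are outside both hunks, but the file imports `Display`, `Serialize` and `Deserialize`, so it is worth checking that no derive on those structs prints or serialises the field; a comment on the field saying it must only be read through these accessors would document that. Separately, `self.webhook.clone()` copies the whole webhook just to take one field; `self.webhook.as_ref().map(|x| SecretString::from(x.secret.clone()))` clones only the secret.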
diff --git a/crates/core/src/git/repo_details.rs b/crates/core/src/git/repo_details.rs
index ba100ff..9f98cb6 100644
--- a/crates/core/src/git/repo_details.rs
+++ b/crates/core/src/git/repo_details.rs
@@ -11,7 +11,7 @@ use crate::{

 use std::sync::{Arc, RwLock};

-use secrecy::{ExposeSecret, Secret};
+use secrecy::{ExposeSecret, SecretString};
 use tracing::instrument;

 /// The derived information about a repo, used to interact with it
@@ -53,7 +53,7 @@ impl RepoDetails {
 ),
 }
 }
- pub(crate) fn origin(&self) -> secrecy::Secret {
+ pub(crate) fn origin(&self) -> secrecy::SecretString {
 let repo_details = self;
 let user = &repo_details.forge.user();
 let hostname = &repo_details.forge.hostname();
@@ -78,7 +78,7 @@ impl RepoDetails {
 }

 // url is a secret as it contains auth token
- pub(crate) fn url(&self) -> Secret {
+ pub(crate) fn url(&self) -> SecretString {
 let user = self.forge.user();
 let token = self.forge.token().expose_secret();
 let auth_delim = if token.is_empty() { "" } else { ":" };
diff --git a/crates/core/src/git/repository/factory.rs b/crates/core/src/git/repository/factory.rs
index 31f6edb..c9e6dcb 100644
--- a/crates/core/src/git/repository/factory.rs
+++ b/crates/core/src/git/repository/factory.rs
@@ -60,11 +60,9 @@ impl RepositoryFactory for RealRepositoryFactory {

 fn git_clone(&self, repo_details: &RepoDetails) -> Result> {
 tracing::info!("creating");
- let (gix_repo, _outcome) = gix::prepare_clone_bare(
- repo_details.origin().expose_secret().as_str(),
- &*repo_details.gitdir,
- )?
- .fetch_only(gix::progress::Discard, &AtomicBool::new(false))?;
+ let (gix_repo, _outcome) =
+ gix::prepare_clone_bare(repo_details.origin().expose_secret(), &*repo_details.gitdir)?
+ .fetch_only(gix::progress::Discard, &AtomicBool::new(false))?;
 tracing::info!("created");
 let repo = RealOpenRepository::new(
 Arc::new(RwLock::new(gix_repo.into())),
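Review bot: In `crates/core/src/git/repo_details.rs`, `origin()` has no comment saying why it returns a secret, while `url()` in the next hunk carries `// url is a secret as it contains auth token`. The push code in `oreal.rs` states that the origin also contains the API token, so I would add `// origin is a secret as it contains the API token` above `origin()`. The two signatures also spell the type differently, `secrecy::SecretString` here and the imported `SecretString` on `url()`; using the imported name in both reads better. Both function bodies continue outside the hunks.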
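Review bot: In `crates/core/src/git/repository/factory.rs`, `repo_details.origin().expose_secret()` is handed to `gix::prepare_clone_bare` and both calls propagate their error with `?`, so if either error type embeds the URL in its message the token would leave the `SecretString` through whatever reports that error. I cannot tell from the hunk how the caller of `git_clone` reports the error, and whether gix includes the URL is something to confirm; if it does, map the error to one without the URL before returning. A comment next to the call, e.g. `// INFO: errors from here may contain the origin URL; never log them verbatim`, would at least record the risk. `git_clone` continues past the end of the hunk.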
diff --git a/crates/core/src/git/repository/open/oreal.rs b/crates/core/src/git/repository/open/oreal.rs
index 578f159..97b3a76 100644
--- a/crates/core/src/git/repository/open/oreal.rs
+++ b/crates/core/src/git/repository/open/oreal.rs
@@ -112,7 +112,7 @@ impl super::OpenRepositoryLike for RealOpenRepository {
 }
 };
 // INFO: never log the command as it contains the API token within the 'origin'
- let command: secrecy::Secret = format!(
+ let command: secrecy::SecretString = format!(
 "/usr/bin/git push {} {to_commit}:{branch_name} {force}",
 origin.expose_secret()
 )
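Review bot: Wrapping `command` in `SecretString` keeps it out of logs, but the string still carries the token as an argument to `/usr/bin/git push`, and on most systems a process's arguments are readable by other local users for as long as the process runs. How the command is executed is outside the hunk, so this is a point to confirm rather than a certain leak; supplying the credential through a git credential helper or `GIT_ASKPASS` instead of the URL would keep it out of the argument list. `branch_name`, `to_commit` and `force` are also interpolated into one string, so if that string is later split by a shell their values need to be validated where they are produced. The `format!` statement ends after the hunk.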