diff --git a/.github/skills/security-scan-docker-image-scripts/run.sh b/.github/skills/security-scan-docker-image-scripts/run.sh
index fce0146a..b6575084 100755
--- a/.github/skills/security-scan-docker-image-scripts/run.sh
+++ b/.github/skills/security-scan-docker-image-scripts/run.sh
@@ -35,7 +35,7 @@ fi
 
 # Check Grype
 if ! command -v grype >/dev/null 2>&1; then
 log_error "Grype not found - install from: https://github.com/anchore/grype"
- log_error "Installation: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.109.0"
+ log_error "Installation: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.109.1"
 error_exit "Grype is required for vulnerability scanning" 2
 fi
@@ -50,8 +50,8 @@ SYFT_INSTALLED_VERSION=$(syft version | grep -oP 'Version:\s*\Kv?[0-9]+\.[0-9]+\
 GRYPE_INSTALLED_VERSION=$(grype version | grep -oP 'Version:\s*\Kv?[0-9]+\.[0-9]+\.[0-9]+' | head -1 || echo "unknown")
 
 # Set defaults matching CI workflow
-set_default_env "SYFT_VERSION" "v1.42.1"
-set_default_env "GRYPE_VERSION" "v0.109.0"
+set_default_env "SYFT_VERSION" "v1.42.2"
+set_default_env "GRYPE_VERSION" "v0.109.1"
 set_default_env "IMAGE_TAG" "charon:local"
 set_default_env "FAIL_ON_SEVERITY" "Critical,High"
 
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 41ba0ba0..926f621a 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -574,7 +574,7 @@ jobs:
 # Generate SBOM (Software Bill of Materials) for supply chain security
 # Only for production builds (main/development) - feature branches use downstream supply-chain-pr.yml
 - name: Generate SBOM
- uses: anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0
+ uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
 if: env.TRIGGER_EVENT != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true'
 with:
 image: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml
index e20329ed..9fbade4c 100644
--- a/.github/workflows/nightly-build.yml
+++ b/.github/workflows/nightly-build.yml
@@ -263,7 +263,7 @@ jobs:
 - name: Generate SBOM
 id: sbom_primary
 continue-on-error: true
- uses: anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0
+ uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
 with:
 image: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.resolve_digest.outputs.digest }}
 format: cyclonedx-json
@@ -282,7 +282,7 @@ jobs:
 echo "Primary SBOM generation failed or produced missing/invalid output; using deterministic Syft fallback"
- SYFT_VERSION="v1.42.1"
+ SYFT_VERSION="v1.42.2"
 OS="$(uname -s | tr '[:upper:]' '[:lower:]')"
 ARCH="$(uname -m)"
 case "$ARCH" in
diff --git a/.github/workflows/security-pr.yml b/.github/workflows/security-pr.yml
index 78861fa6..be029800 100644
--- a/.github/workflows/security-pr.yml
+++ b/.github/workflows/security-pr.yml
@@ -385,7 +385,7 @@ jobs:
 - name: Upload Trivy SARIF to GitHub Security
 if: always() && steps.trivy-sarif-check.outputs.exists == 'true'
 # github/codeql-action v4
- uses: github/codeql-action/upload-sarif@babab88e549fbc29e9b0058b5d63e2817a135c17
+ uses: github/codeql-action/upload-sarif@87c3b7b6a14ce5c8aa319c102325e8c2a85d7cd5
 with:
 sarif_file: 'trivy-binary-results.sarif'
 category: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.ref_name) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}
diff --git a/.github/workflows/supply-chain-pr.yml b/.github/workflows/supply-chain-pr.yml
index 94f31603..f4a8a3fa 100644
--- a/.github/workflows/supply-chain-pr.yml
+++ b/.github/workflows/supply-chain-pr.yml
@@ -266,7 +266,7 @@ jobs:
 # Generate SBOM using official Anchore action (auto-updated by Renovate)
 - name: Generate SBOM
 if: steps.set-target.outputs.image_name != ''
- uses: anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0
+ uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
 id: sbom
 with:
 image: ${{ steps.set-target.outputs.image_name }}
@@ -285,7 +285,7 @@ jobs:
 - name: Install Grype
 if: steps.set-target.outputs.image_name != ''
 run: |
- curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.109.0
+ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.109.1
 
 - name: Scan for vulnerabilities
 if: steps.set-target.outputs.image_name != ''
diff --git a/.github/workflows/supply-chain-verify.yml b/.github/workflows/supply-chain-verify.yml
index fa24ee8b..81c1d7fc 100644
--- a/.github/workflows/supply-chain-verify.yml
+++ b/.github/workflows/supply-chain-verify.yml
@@ -119,7 +119,7 @@ jobs:
 # Generate SBOM using official Anchore action (auto-updated by Renovate)
 - name: Generate and Verify SBOM
 if: steps.image-check.outputs.exists == 'true'
- uses: anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0
+ uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
 with:
 image: ghcr.io/${{ github.repository_owner }}/charon:${{ steps.tag.outputs.tag }}
 format: cyclonedx-json
diff --git a/Dockerfile b/Dockerfile
index 995e9316..3b4a5e18 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -39,7 +39,7 @@ ARG CADDY_CANDIDATE_VERSION=2.11.2
 ARG CADDY_USE_CANDIDATE=0
 ARG CADDY_PATCH_SCENARIO=B
 # renovate: datasource=go depName=github.com/greenpau/caddy-security
-ARG CADDY_SECURITY_VERSION=1.1.44
+ARG CADDY_SECURITY_VERSION=1.1.45
 # renovate: datasource=go depName=github.com/corazawaf/coraza-caddy
 ARG CORAZA_CADDY_VERSION=2.2.0
 ## When an official caddy image tag isn't available on the host, use a
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index 5ad07b42..80947993 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -34,14 +34,14 @@
 "devDependencies": {
 "@eslint/css": "^0.14.1",
 "@eslint/js": "^9.39.3 <10.0.0",
- "@eslint/json": "^1.0.1",
+ "@eslint/json": "^1.1.0",
 "@eslint/markdown": "^7.5.1",
 "@playwright/test": "^1.58.2",
 "@tailwindcss/postcss": "^4.2.1",
 "@testing-library/jest-dom": "^6.9.1",
 "@testing-library/react": "^16.3.2",
 "@testing-library/user-event": "^14.6.1",
- "@types/node": "^25.3.5",
+ "@types/node": "^25.4.0",
 "@types/react": "^19.2.14",
 "@types/react-dom": "^19.2.3",
 "@typescript-eslint/eslint-plugin": "^8.57.0",
@@ -1300,14 +1300,14 @@
 }
 },
 "node_modules/@eslint/json": {
- "version": "1.0.1",
- "resolved": "https://registry.npmjs.org/@eslint/json/-/json-1.0.1.tgz",
- "integrity": "sha512-bE2nGv8/U+uRvQEJWOgCsZCa65XsCBgxyyx/sXtTHVv0kqdauACLzyp7A1C3yNn7pRaWjIt5acxY+TAbSyIJXw==",
+ "version": "1.1.0",
+ "resolved": "https://registry.npmjs.org/@eslint/json/-/json-1.1.0.tgz",
+ "integrity": "sha512-noH9FUYqyhZSDf3Yq5HswsjDH/MWJAatMooWwT5YgQ0XHMekoFc/iyEufP+7kD1kaOj9qwFiXySqHsKii3zmlw==",
 "dev": true,
 "license": "Apache-2.0",
 "dependencies": {
- "@eslint/core": "^1.1.0",
- "@eslint/plugin-kit": "^0.6.0",
+ "@eslint/core": "^1.1.1",
+ "@eslint/plugin-kit": "^0.6.1",
 "@humanwhocodes/momoa": "^3.3.10",
 "natural-compare": "^1.4.0"
 },
diff --git a/frontend/package.json b/frontend/package.json
index 2c7e548e..b1cc6706 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -53,14 +53,14 @@
 "devDependencies": {
 "@eslint/css": "^0.14.1",
 "@eslint/js": "^9.39.3 <10.0.0",
- "@eslint/json": "^1.0.1",
+ "@eslint/json": "^1.1.0",
 "@eslint/markdown": "^7.5.1",
 "@playwright/test": "^1.58.2",
 "@tailwindcss/postcss": "^4.2.1",
 "@testing-library/jest-dom": "^6.9.1",
 "@testing-library/react": "^16.3.2",
 "@testing-library/user-event": "^14.6.1",
- "@types/node": "^25.3.5",
+ "@types/node": "^25.4.0",
 "@types/react": "^19.2.14",
 "@types/react-dom": "^19.2.3",
 "@typescript-eslint/eslint-plugin": "^8.57.0",
diff --git a/package-lock.json b/package-lock.json
index 9ed465e1..cb09a069 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -14,7 +14,7 @@
 "devDependencies": {
 "@bgotink/playwright-coverage": "^0.3.2",
 "@playwright/test": "^1.58.2",
- "@types/node": "^25.3.5",
+ "@types/node": "^25.4.0",
 "dotenv": "^17.3.1",
 "markdownlint-cli2": "^0.21.0",
 "prettier": "^3.8.1",
diff --git a/package.json b/package.json
index 38bbc333..efd49a73 100644
--- a/package.json
+++ b/package.json
@@ -19,7 +19,7 @@
 "devDependencies": {
 "@bgotink/playwright-coverage": "^0.3.2",
 "@playwright/test": "^1.58.2",
- "@types/node": "^25.3.5",
+ "@types/node": "^25.4.0",
 "dotenv": "^17.3.1",
 "markdownlint-cli2": "^0.21.0",
 "prettier": "^3.8.1",