diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cb37e9f..0c587b4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -96,7 +96,7 @@ jobs:
         uses: dtolnay/rust-toolchain@stable
       - uses: Swatinem/rust-cache@v2
       - name: Run cargo deny checks
-        uses: EmbarkStudios/cargo-deny-action@v1
+        uses: EmbarkStudios/cargo-deny-action@v2
         with:
           command: check
 
diff --git a/Cargo.toml b/Cargo.toml
index fb27467..ebbfe07 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -27,59 +27,59 @@ debug = 1
 anyhow = "1.0.75"
 foundations = { version = "4.5.0", path = "./foundations" }
 foundations-macros = { version = "4.5.0", path = "./foundations-macros", default-features = false }
-bindgen = { version = "0.68.1", default-features = false }
+bindgen = { version = "0.71.1", default-features = false }
 cc = "1.0"
 cf-rustracing = "1.1"
-cf-rustracing-jaeger = "1.1"
+cf-rustracing-jaeger = "1.2"
 clap = "4.4"
-darling = "0.20.10"
-erased-serde = "0.3.28"
-futures-util = "0.3.28"
+darling = "0.20"
+erased-serde = "0.4"
+futures-util = "0.3"
 governor = "0.6"
 hyper = { version = "0.14", default-features = false }
-indexmap = "2.0.0"
-ipnetwork = "0.20"
+indexmap = "2.0"
+ipnetwork = { version = "0.21", features = ["serde"] }
 libc = "0.2"
 once_cell = "1.5"
-tonic = { version = "0.11.0", default-features = false }
-opentelemetry-proto = "0.5.0"
-parking_lot = "0.12.1"
+tonic = { version = "0.11", default-features = false }
+opentelemetry-proto = "0.5"
+parking_lot = "0.12"
 proc-macro2 = { version = "1", default-features = false }
-prometheus = { version = "0.13.3", default-features = false }
-prometheus-client = "0.18.1"
-prometools = "0.2.1"
-rand = "0.8"
-percent-encoding = "2.3.1"
+prometheus = { version = "0.14", default-features = false }
+prometheus-client = "0.18"
+prometools = "0.2"
+rand = "0.9"
+percent-encoding = "2.3"
 quote = "1"
 regex = "1.8"
 reqwest = { version = "0.12", default-features = false }
-socket2 = { version = "0.5.3", features = [ "all" ] }
+socket2 = { version = "0.5", features = [ "all" ] }
 syn = "2"
 serde = "1"
-serde_path_to_error = "0.1.15"
-serde_yaml = "0.8.26"
-serde_with = "3.3.0"
-slab = "0.4.9"
+serde_path_to_error = "0.1"
+serde_yaml = "0.8"
+serde_with = "3.3"
+slab = "0.4"
 slog = "2.7"
 slog-async = "2.3"
 slog-json = "2.3"
 slog-term = "2.4"
 tempfile = "3.7"
-tokio = "1.41.0"
+tokio = "1.41"
 thread_local = "1.1"
-tikv-jemallocator = "0.5"
-tikv-jemalloc-ctl = "0.5"
+tikv-jemallocator = "0.6"
+tikv-jemalloc-ctl = "0.6"
+yaml-merge-keys = { version = "0.5", features = ["serde_yaml"] }
 tracing-slog = "0.3.0"
 tracing-subscriber = "0.3"
-yaml-merge-keys = "0.5"
 
 # needed for minver
-async-stream = "0.3.5"
-local-ip-address = "0.5.7"
-lock_api = "0.4.11"
-log = "0.4.20"
-neli = "0.6.4"
-neli-proc-macros = "0.1.3"
-nix = "0.29.0"
-parking_lot_core = "0.9.9"
-thiserror = "1.0.56"
+async-stream = "0.3"
+local-ip-address = "0.6.5"
+lock_api = "0.4"
+log = "0.4.27"
+neli = "0.6.5"
+neli-proc-macros = "0.1.4"
+nix = "0.30"
+parking_lot_core = "0.9"
+thiserror = "2.0.12"
diff --git a/deny.toml b/deny.toml
index afdab13..6703302 100644
--- a/deny.toml
+++ b/deny.toml
@@ -1,15 +1,13 @@
 [advisories]
-vulnerability = "deny"
-unmaintained = "allow"
-notice = "allow"
-unsound = "deny"
-severity-threshold = "medium"
+unmaintained = "all"
 ignore = [
-    # No fix available, but only applies to Windows, hence not a problem for us.
-    "RUSTSEC-2021-0145",
+    # NOTE: paste which is unmaintained, but
+    # is a dependency of tykv-jemalloc-sys
+    "RUSTSEC-2024-0436",
+    # serde_yaml is unmaintained
+    "RUSTSEC-2024-0320",
 ]
 
-
 [bans]
 deny = [
     # NOTE: `boring`, `ring` or `rustls` crates should be used instead
@@ -24,8 +22,15 @@ unknown-git = "allow"
 allow-git = []
 
 [licenses]
-unlicensed = "allow"
-allow-osi-fsf-free = "either"
-copyleft = "deny"
-allow = ["MPL-2.0"]
+private.ignore = true
+unused-allowed-license = "allow"
+# Licences should be at least osi or fsf-free
+# and not copyleft
+allow = [
+    "MIT",
+    "Apache-2.0",
+    "BSD-3-Clause",
+    "Unicode-3.0",
+    "ISC",
+]
 confidence-threshold = 0.9
diff --git a/foundations/Cargo.toml b/foundations/Cargo.toml
index 831cb65..36e6c9d 100644
--- a/foundations/Cargo.toml
+++ b/foundations/Cargo.toml
@@ -212,7 +212,7 @@ socket2 = { workspace = true, optional = true }
 tracing-slog = { workspace = true, optional = true }
 thread_local = { workspace = true, optional = true }
 tokio = { workspace = true, optional = true, features = ["sync", "rt"] }
-tonic = { workspace = true, optional = true, features = ["channel", "transport"] }
+tonic = { workspace = true, optional = true, features = ["prost", "channel", "transport"] }
 tikv-jemallocator = { workspace = true, optional = true, features = [
     "profiling",
     "stats",
diff --git a/foundations/build.rs b/foundations/build.rs
index 4345ec1..034848f 100644
--- a/foundations/build.rs
+++ b/foundations/build.rs
@@ -24,7 +24,7 @@ fn ensure_seccomp_sources_fetched() {
 #[cfg(feature = "security")]
 mod security {
     use super::*;
-    use bindgen::{Builder, CargoCallbacks};
+    use bindgen::Builder;
     use std::fs;
     use std::path::Path;
 
@@ -175,7 +175,7 @@ mod security {
             .allowlist_var("PR_GET_SECCOMP")
             .allowlist_var("PR_SET_NAME")
             .derive_default(true)
-            .parse_callbacks(Box::new(CargoCallbacks))
+            .parse_callbacks(Box::new(bindgen::CargoCallbacks::new()))
             .generate()
             .unwrap()
             .write_to_file(out_dir.join("security_sys.rs"))
diff --git a/foundations/src/telemetry/tracing/internal.rs b/foundations/src/telemetry/tracing/internal.rs
index 975bf40..13b18b0 100644
--- a/foundations/src/telemetry/tracing/internal.rs
+++ b/foundations/src/telemetry/tracing/internal.rs
@@ -211,5 +211,5 @@ fn should_sample(sampling_ratio: f64) -> bool {
         return true;
     }
 
-    rand::thread_rng().gen_range(0.0..1.0) < sampling_ratio
+    rand::rng().random_range(0.0..1.0) < sampling_ratio
 }
diff --git a/foundations/tests/data/settings_complex.yaml b/foundations/tests/data/settings_complex.yaml
index 9800943..90d6ab6 100644
--- a/foundations/tests/data/settings_complex.yaml
+++ b/foundations/tests/data/settings_complex.yaml
@@ -23,4 +23,4 @@ tls:
   # mTLS
   mtls:
     # Specifies whether mTLS should be enabled for the endpoint.
-    enabled: false
\ No newline at end of file
+    enabled: false
diff --git a/foundations/tests/data/with_option_none.yaml b/foundations/tests/data/with_option_none.yaml
index 4906c1b..354f451 100644
--- a/foundations/tests/data/with_option_none.yaml
+++ b/foundations/tests/data/with_option_none.yaml
@@ -1,3 +1,3 @@
 ---
 # Optional field
-optional: ~
\ No newline at end of file
+optional: ~
diff --git a/foundations/tests/data/with_vec.yaml b/foundations/tests/data/with_vec.yaml
index 30a94f0..321bf6f 100644
--- a/foundations/tests/data/with_vec.yaml
+++ b/foundations/tests/data/with_vec.yaml
@@ -12,4 +12,4 @@ items:
     # multi-line
     # doc comment
     b: 11
-    c: 0
\ No newline at end of file
+    c: 0
diff --git a/foundations/tests/settings.rs b/foundations/tests/settings.rs
index 0ded87c..f88aa02 100644
--- a/foundations/tests/settings.rs
+++ b/foundations/tests/settings.rs
@@ -155,7 +155,7 @@ struct StructWithCrateReexport {
 macro_rules! assert_ser_eq {
     ($obj:expr, $expected:expr) => {
         let actual = to_yaml_string(&$obj).unwrap().trim().to_string();
-        let expected = include_str!($expected);
+        let expected = include_str!($expected).trim();
 
         assert_eq!(
             actual, expected,