diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 06e4a70e76..a91fbd1f54 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -33,7 +33,7 @@ jobs:
 
       - name: Build binary wheel, source tarball and changelog
         run: |
-          PIP_CONSTRAINT=requirements/build.txt python3 -m build --sdist --wheel --outdir dist/ .
+          python3 -m build --sdist --wheel --outdir dist/ .
           awk "/## $GITHUB_REF_NAME/{flag=1; next} /## v/{flag=0} flag" docs/CHANGELOG.md > changelog
 
       - name: Store build artifacts
diff --git a/pyproject.toml b/pyproject.toml
index f6ce7c3db1..a5c24fc987 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,8 +1,5 @@
 [build-system]
-# Dependabot cannot do `build-system.requires` (dependabot/dependabot-core#8465)
-# workaround to get reproducibility and auto-updates:
-#   PIP_CONSTRAINT=requirements/build.txt python3 -m build ...
-requires = ["hatchling"]
+requires = ["hatchling==1.27.0"]
 build-backend = "hatchling.build"
 
 [project]
diff --git a/requirements/build.txt b/requirements/build.txt
index 1b35b08239..434d7ab023 100644
--- a/requirements/build.txt
+++ b/requirements/build.txt
@@ -1,5 +1,4 @@
 # The build and tox versions specified here are also used as constraints
 # during CI and CD Github workflows
 build==1.2.2.post1
-tox==4.1.2
-hatchling==1.27.0
+tox==4.24.1
diff --git a/requirements/lint.txt b/requirements/lint.txt
index 39d334d4a9..80e2c0c67a 100644
--- a/requirements/lint.txt
+++ b/requirements/lint.txt
@@ -6,7 +6,7 @@
 # Lint tools
 # (We are not so interested in the specific versions of the tools: the versions
 # are pinned to prevent unexpected linting failures when tools update)
-ruff==0.9.6
+ruff==0.9.7
 mypy==1.15.0
 zizmor==1.3.1