diff --git a/.devcontainer/Dockerfile.conan b/.devcontainer/Dockerfile.conan
index 44b0dfdff4..05f6ae27fa 100644
--- a/.devcontainer/Dockerfile.conan
+++ b/.devcontainer/Dockerfile.conan
@@ -1,6 +1,6 @@
 # Copyright The OpenTelemetry Authors
 # SPDX-License-Identifier: Apache-2.0
-FROM ubuntu:24.04
+FROM ubuntu:24.04@sha256:1e622c5f073b4f6bfad6632f2616c7f59ef256e96fe78bf6a595d1dc4376ac02
 
 RUN apt update && apt install -y \
 	build-essential \
@@ -19,7 +19,7 @@ RUN apt update && apt install -y \
 	libtool \
 	python3-pip
 
-RUN pip install conan --break-system-packages
+RUN pip install "conan==2.15.1" --break-system-packages
 
 ARG USER_UID=1000
 ARG USER_GID=1000
@@ -52,4 +52,4 @@ WORKDIR  /workspaces/opentelemetry-cpp
 
 ENTRYPOINT []
 
-CMD ["/bin/bash"]
\ No newline at end of file
+CMD ["/bin/bash"]
diff --git a/.devcontainer/Dockerfile.dev b/.devcontainer/Dockerfile.dev
index 1d38ce9f21..c0eea6d326 100644
--- a/.devcontainer/Dockerfile.dev
+++ b/.devcontainer/Dockerfile.dev
@@ -47,7 +47,7 @@ ENV IS_CONTAINER_BUILD=true
 
 COPY ./.devcontainer/customize_container.sh /tmp/opentelemetry_cpp/devcontainer/customize_container.sh
 RUN /tmp/opentelemetry_cpp/devcontainer/customize_container.sh
-RUN apt install -y npm && npm install -g markdownlint-cli
+RUN apt install -y npm && npm install -g markdownlint-cli@0.44.0
 
 USER devuser
 
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 77bf0719c1..22ab798173 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -48,7 +48,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # main March 2025
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # main March 2025
         with:
           name: benchmark_results
           path: benchmarks
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c2a36a97d9..a077bc5ca5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -913,7 +913,7 @@ jobs:
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: install markdownlint-cli
-      run: sudo npm install -g markdownlint-cli
+      run: sudo npm install -g markdownlint-cli@0.44.0
 
     - name: run markdownlint
       run: markdownlint .
@@ -982,7 +982,7 @@ jobs:
       - name: install dependencies
         run: |
           sudo apt update && sudo apt install python3-pip
-          sudo pip3 install aiohttp
+          sudo pip3 install aiohttp==3.11.18
       - name: run w3c trace-context test suite
         env:
           SPEC_LEVEL: 1
diff --git a/.github/workflows/cmake_install.yml b/.github/workflows/cmake_install.yml
index ed4411398a..323eb6cebb 100644
--- a/.github/workflows/cmake_install.yml
+++ b/.github/workflows/cmake_install.yml
@@ -209,8 +209,8 @@ jobs:
           submodules: 'recursive'
       - name: Install Conan
         run: |
-          python3 -m pip install --upgrade pip
-          pip install "conan>=2.0,<3"
+          python3 -m pip install pip==25.0.1
+          pip install "conan==2.15.1"
           conan profile detect --force
       - name: Install or build all dependencies with Conan
         run: |
@@ -247,8 +247,8 @@ jobs:
           submodules: 'recursive'
       - name: Install Conan
         run: |
-          python3 -m pip install --upgrade pip
-          pip install "conan>=2.0,<3"
+          python3 -m pip install pip==25.0.1
+          pip install "conan==2.15.1"
           conan profile detect --force
       - name: Install or build all dependencies with Conan
         run: |
diff --git a/.github/workflows/dependencies_image.yml b/.github/workflows/dependencies_image.yml
index 9e5043e91d..ab37ce80ef 100644
--- a/.github/workflows/dependencies_image.yml
+++ b/.github/workflows/dependencies_image.yml
@@ -21,7 +21,7 @@ jobs:
       uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
     -
       name: Build Image
-      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+      uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
       with:
         builder: ${{ steps.buildx.outputs.name }}
         context: ci/
diff --git a/docker/ubuntuLatest/Dockerfile b/docker/ubuntuLatest/Dockerfile
index f2c69d0a49..ef39e17f09 100644
--- a/docker/ubuntuLatest/Dockerfile
+++ b/docker/ubuntuLatest/Dockerfile
@@ -1,8 +1,9 @@
 # Copyright The OpenTelemetry Authors
 # SPDX-License-Identifier: Apache-2.0
 
-FROM ubuntu:latest
+FROM ubuntu:latest@sha256:1e622c5f073b4f6bfad6632f2616c7f59ef256e96fe78bf6a595d1dc4376ac02
 ENV DEBIAN_FRONTEND=noninteractive
+
 WORKDIR /work
 
 #install grpc and abseil
diff --git a/functional/otlp/Dockerfile b/functional/otlp/Dockerfile
index 8c593ad7e0..99a67b9436 100644
--- a/functional/otlp/Dockerfile
+++ b/functional/otlp/Dockerfile
@@ -1,7 +1,7 @@
 # Copyright The OpenTelemetry Authors
 # SPDX-License-Identifier: Apache-2.0
 
-FROM otel/opentelemetry-collector
+FROM otel/opentelemetry-collector:0.123.0@sha256:c8e36258c1b26927fb7b05c5186b90e9c3d77315efc24f65d6fddec1c14b60b3
 COPY . .
 CMD ["--config", "/otel-cpp/otel-config.yaml"]
 EXPOSE 4317