diff --git a/.github/workflows/cve-check.yml b/.github/workflows/cve-check.yml
index de83dc23..bfc8d342 100644
--- a/.github/workflows/cve-check.yml
+++ b/.github/workflows/cve-check.yml
@@ -144,7 +144,7 @@ jobs:
 
       - name: Upload CVE files
         if: failure()
-        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           name: cves
           path: cve_slack_payload_*.json
diff --git a/.github/workflows/java-ci.yml b/.github/workflows/java-ci.yml
index 22275193..012a4183 100644
--- a/.github/workflows/java-ci.yml
+++ b/.github/workflows/java-ci.yml
@@ -37,7 +37,7 @@ jobs:
           ./gradlew jibDockerBuild &&
           docker run --rm --entrypoint="echo" mongodb-operator:latest 'image is not distroless' && exit 1 || echo 'image is distroless'
 
-      - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
+      - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         if: always()
         with:
           name: java-ci-test-results
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index e567a949..f61e571b 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -31,7 +31,7 @@ jobs:
         run: mkdocs build --config-file mkdocs.yml && ls -al
       - name: Archive test build
         if: github.event_name == 'pull_request'
-        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           name: site
           path: |
diff --git a/build.gradle b/build.gradle
index d3d5d388..f518b41e 100644
--- a/build.gradle
+++ b/build.gradle
@@ -45,8 +45,8 @@ jib {
 }
 
 project.ext {
-  mongoDbDriverVersion = "5.1.2"
-  slf4jVersion = "2.0.14"
+  mongoDbDriverVersion = "5.1.3"
+  slf4jVersion = "2.0.16"
   operatorFrameworkVersion = "4.9.2"
   kubernetesServerMockVersion = "6.13.1" // align with transitive dependency of operator framework
   mockitoVersion = "5.2.0"
@@ -101,7 +101,7 @@ dependencies {
     exclude group: "ch.qos.logback", module: "logback-core"
   }
 
-  implementation 'io.micrometer:micrometer-registry-prometheus:1.13.2'
+  implementation 'io.micrometer:micrometer-registry-prometheus:1.13.3'
 
   // test
   testImplementation enforcedPlatform("org.junit:junit-bom:5.10.3")
@@ -115,10 +115,7 @@ dependencies {
   // try to replace local commons-compress management on update!
   testImplementation 'de.flapdoodle.embed:de.flapdoodle.embed.mongo:4.16.2', {
     exclude group: "org.slf4j", module: "slf4j-api"
-    // CVE-2024-25710 + CVE-2024-26308 in transitive version 1.25.0
-    exclude group: "org.apache.commons", module: "commons-compress"
   }
-  testImplementation 'org.apache.commons:commons-compress:1.26.2'
   testImplementation "org.mongodb:mongodb-driver-legacy:${mongoDbDriverVersion}"
   testImplementation "org.mockito:mockito-junit-jupiter:${mockitoVersion}", {
     // conflict of 1.14.1 and 1.14.7 in uk.org.webcompere:system-stubs-jupiter
@@ -131,7 +128,7 @@ dependencies {
     exclude group: 'net.bytebuddy', 'module': 'byte-buddy'
     exclude group: 'net.bytebuddy', 'module': 'byte-buddy-agent'
   }
-  testImplementation 'org.awaitility:awaitility:4.2.1'
+  testImplementation 'org.awaitility:awaitility:4.2.2'
   testImplementation "io.fabric8:kubernetes-server-mock:${kubernetesServerMockVersion}", {
     // self managed to avoid conflicts
     exclude group: "org.slf4j"