diff --git a/.github/workflows/cve-check.yml b/.github/workflows/cve-check.yml
index 8062de86..4998e2ac 100644
--- a/.github/workflows/cve-check.yml
+++ b/.github/workflows/cve-check.yml
@@ -41,7 +41,7 @@ jobs:
         run: ./gradlew resolveAndLockAll --write-locks
 
       - name: Check for vulnerabilities
-        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
         id: cve_check
         with:
           scan-type: 'fs'
diff --git a/build.gradle b/build.gradle
index 1a42ce5f..7137c93d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -47,7 +47,7 @@ jib {
 project.ext {
   mongoDbDriverVersion = "5.2.1"
   slf4jVersion = "2.0.16"
-  operatorFrameworkVersion = "4.9.6"
+  operatorFrameworkVersion = "4.9.7"
   kubernetesServerMockVersion = "6.13.4" // align with transitive dependency of operator framework
   mockitoVersion = "5.2.0"
   jacksonVersion = "2.18.1"
@@ -113,8 +113,10 @@ dependencies {
     exclude group: "net.bytebuddy", module: "byte-buddy-agent"
   }
   // try to replace local commons-compress management on update!
-  testImplementation 'de.flapdoodle.embed:de.flapdoodle.embed.mongo:4.18.0', {
+  testImplementation 'de.flapdoodle.embed:de.flapdoodle.embed.mongo:4.18.1', {
     exclude group: "org.slf4j", module: "slf4j-api"
+    // newer version from operator-framework
+    exclude group: "org.apache.commons", module: "commons-lang3"
   }
   testImplementation "org.mongodb:mongodb-driver-legacy:${mongoDbDriverVersion}"
   testImplementation "org.mockito:mockito-junit-jupiter:${mockitoVersion}", {