diff --git a/service/evaka-bom/build.gradle.kts b/service/evaka-bom/build.gradle.kts
index 04bbd7bde89..c665c527f1c 100644
--- a/service/evaka-bom/build.gradle.kts
+++ b/service/evaka-bom/build.gradle.kts
@@ -10,7 +10,7 @@ dependencies {
     constraints {
         api("ch.qos.logback.access:tomcat:2.0.2")
         api(
-            "org.apache.tomcat:tomcat-catalina:10.1.26"
+            "org.apache.tomcat:tomcat-catalina:10.1.31"
         ) // ch.qos.logback.access:tomcat breaks on runtime without this
         api("com.auth0:java-jwt:4.4.0")
         api("com.github.kagkarlsson:db-scheduler:15.0.0")
@@ -64,7 +64,7 @@ dependencies {
     api(enforcedPlatform("org.eclipse.jetty:jetty-bom:11.0.20"))
     api(platform("org.jdbi:jdbi3-bom:3.47.0"))
     api(platform(libs.kotlin.bom))
-    api(platform("org.junit:junit-bom:5.11.0"))
+    api(platform("org.junit:junit-bom:5.11.3"))
     api(platform(libs.spring.boot.dependencies))
     api(platform("org.springframework:spring-framework-bom:6.1.14")) // only needed for CVE fix
     api(platform("software.amazon.awssdk:bom:2.29.1"))
diff --git a/service/gradle/libs.versions.toml b/service/gradle/libs.versions.toml
index 03d8700bce1..4959b925986 100644
--- a/service/gradle/libs.versions.toml
+++ b/service/gradle/libs.versions.toml
@@ -15,7 +15,7 @@ ktlint = "1.4.0"
 ktlint-gradle = "12.1.0"
 mockito = "5.14.0"
 owasp = "11.1.0"
-spring-boot = "3.3.2"
+spring-boot = "3.3.5"
 versions = "0.51.0"
 
 [libraries]
diff --git a/service/owasp-suppressions.xml b/service/owasp-suppressions.xml
index 179df3a8099..a933da56275 100644
--- a/service/owasp-suppressions.xml
+++ b/service/owasp-suppressions.xml
@@ -7,18 +7,6 @@ SPDX-License-Identifier: LGPL-2.1-or-later
 -->
 
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
-        <notes><![CDATA[
-        Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
-        ]]></notes>
-        <cve>CVE-2023-38286</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Hostname verification is not enabled by default in Netty 4.x. AWS SDK v2 uses Netty 4.x, but explicitly enables hostname verification.
-       ]]></notes>
-        <cve>CVE-2023-4586</cve>
-    </suppress>
     <suppress>
         <notes><![CDATA[
         Misidentification. The checkstyle reporter for Ktlint version x.y is not the same as the actual checkstyle library version x.y.
@@ -30,39 +18,14 @@ SPDX-License-Identifier: LGPL-2.1-or-later
        <notes><![CDATA[
        Misidentification
        ]]></notes>
-       <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat-jaspic-api@10\.1\.26$</packageUrl>
+       <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat-jaspic-api@10\.1\.31$</packageUrl>
        <cpe>cpe:/a:apache:tomcat:3.0</cpe>
     </suppress>
     <suppress>
         <notes><![CDATA[
         Misidentification
         ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat-jsp-api@10\.1\.26$</packageUrl>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat-jsp-api@10\.1\.31$</packageUrl>
         <cpe>cpe:/a:apache:tomcat:3.1</cpe>
     </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Misidentification: flyway-database-postgresql != postgresql
-       ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.flywaydb/flyway\-database\-postgresql@.*$</packageUrl>
-        <cpe>cpe:/a:postgresql:postgresql</cpe>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        This vulnerability only affects "simple query mode", which is not the default and we don't use it.
-       ]]></notes>
-        <cve>CVE-2024-1597</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Misidentification: Glassfish JAXB library != GlassFish Java EE server
-       ]]></notes>
-        <cve>CVE-2024-9329</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Affects only old Spring versions (5.3.x), and we're already using 6.1.x
-       ]]></notes>
-        <cve>CVE-2024-38828</cve>
-    </suppress>
 </suppressions>