diff --git a/acceptance_tests/poetry.lock b/acceptance_tests/poetry.lock
index adca4ae6..7e45c270 100644
--- a/acceptance_tests/poetry.lock
+++ b/acceptance_tests/poetry.lock
@@ -2116,13 +2116,13 @@ files = [
 
 [[package]]
 name = "urllib3"
-version = "2.0.5"
+version = "2.0.6"
 description = "HTTP library with thread-safe connection pooling, file post, and more."
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "urllib3-2.0.5-py3-none-any.whl", hash = "sha256:ef16afa8ba34a1f989db38e1dbbe0c302e4289a47856990d0682e374563ce35e"},
-    {file = "urllib3-2.0.5.tar.gz", hash = "sha256:13abf37382ea2ce6fb744d4dad67838eec857c9f4f57009891805e0b5e123594"},
+    {file = "urllib3-2.0.6-py3-none-any.whl", hash = "sha256:7a7c7003b000adf9e7ca2a377c9688bbc54ed41b985789ed576570342a375cd2"},
+    {file = "urllib3-2.0.6.tar.gz", hash = "sha256:b19e1a85d206b56d7df1d5e683df4a7725252a964e3993648dd0fb5a1c157564"},
 ]
 
 [package.extras]
@@ -2334,4 +2334,4 @@ test = ["zope.testing"]
 [metadata]
 lock-version = "2.0"
 python-versions = ">=3.9,<3.11"
-content-hash = "79d4939f0ba03c2fb0c98b9944ffc8a8ae88633d2c45f92cdc2c82e813a731f0"
+content-hash = "d5fb9e6cb7775a3675a14bb0949d5106e75b6650ab074a7fcd4d1cf405d35ab1"
diff --git a/acceptance_tests/pyproject.toml b/acceptance_tests/pyproject.toml
index bd1b0381..abb57345 100644
--- a/acceptance_tests/pyproject.toml
+++ b/acceptance_tests/pyproject.toml
@@ -14,3 +14,4 @@ requests = "2.31.0"
 boltons = "23.0.0"
 netifaces = "0.11.0"
 lxml = "4.9.3"
+urllib3 = "2.0.6"
diff --git a/acceptance_tests/requirements.txt b/acceptance_tests/requirements.txt
index d9d1acc6..256a33da 100644
--- a/acceptance_tests/requirements.txt
+++ b/acceptance_tests/requirements.txt
@@ -1,2 +1,3 @@
 poetry==1.6.1
 pip==23.2.1
+certifi>=2023.7.22 # not directly required, pinned by Snyk to avoid a vulnerability
diff --git a/app/poetry.lock b/app/poetry.lock
index dc7d384c..eadbc8f9 100644
--- a/app/poetry.lock
+++ b/app/poetry.lock
@@ -2030,13 +2030,13 @@ files = [
 
 [[package]]
 name = "urllib3"
-version = "2.0.5"
+version = "2.0.6"
 description = "HTTP library with thread-safe connection pooling, file post, and more."
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "urllib3-2.0.5-py3-none-any.whl", hash = "sha256:ef16afa8ba34a1f989db38e1dbbe0c302e4289a47856990d0682e374563ce35e"},
-    {file = "urllib3-2.0.5.tar.gz", hash = "sha256:13abf37382ea2ce6fb744d4dad67838eec857c9f4f57009891805e0b5e123594"},
+    {file = "urllib3-2.0.6-py3-none-any.whl", hash = "sha256:7a7c7003b000adf9e7ca2a377c9688bbc54ed41b985789ed576570342a375cd2"},
+    {file = "urllib3-2.0.6.tar.gz", hash = "sha256:b19e1a85d206b56d7df1d5e683df4a7725252a964e3993648dd0fb5a1c157564"},
 ]
 
 [package.extras]
@@ -2248,4 +2248,4 @@ test = ["zope.testing"]
 [metadata]
 lock-version = "2.0"
 python-versions = ">=3.9,<3.11"
-content-hash = "49bd90bbc21188551094dccccc1bba471c21416e45ca8b3544f4a4d2efe4d3e5"
+content-hash = "1d2f81638da11abfa07b29bac586837559c80451e713e6ee5953acfdd953661b"
diff --git a/app/pyproject.toml b/app/pyproject.toml
index 4ddd10c0..66d5dbba 100644
--- a/app/pyproject.toml
+++ b/app/pyproject.toml
@@ -18,6 +18,7 @@ PyYAML = "6.0.1"
 inotify = "0.2.10"
 c2cwsgiutils = { version = "6.0.4", extras = ["broadcast", "standard", "oauth2", "debug"] }
 pyramid-mako = "1.1.0"
+urllib3 = "2.0.6"
 
 [tool.poetry.dev-dependencies]
 prospector = { extras = ["with_mypy", "with_bandit"], version = "1.10.2" }
diff --git a/app/requirements.txt b/app/requirements.txt
index d9d1acc6..256a33da 100644
--- a/app/requirements.txt
+++ b/app/requirements.txt
@@ -1,2 +1,3 @@
 poetry==1.6.1
 pip==23.2.1
+certifi>=2023.7.22 # not directly required, pinned by Snyk to avoid a vulnerability
diff --git a/ci/requirements.txt b/ci/requirements.txt
index eaf8ca56..01c0c90d 100644
--- a/ci/requirements.txt
+++ b/ci/requirements.txt
@@ -1,2 +1,4 @@
 c2cciutils[checks,publish]==1.6.10
 pre-commit==3.4.0
+certifi>=2023.7.22 # not directly required, pinned by Snyk to avoid a vulnerability
+setuptools>=65.5.1 # not directly required, pinned by Snyk to avoid a vulnerability
diff --git a/requirements.txt b/requirements.txt
index 63179701..f2ea5525 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,3 @@
 c2cwsgiutils[broadcast,standard]==6.0.4
 yamllint==1.32.0
+certifi>=2023.7.22 # not directly required, pinned by Snyk to avoid a vulnerability