diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 56f4107..55d5d86 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,13 +11,15 @@ on:
 required: true
 type: string
-permissions:
- contents: write
+# Deny all permissions by default; grant only what each job needs.
+permissions: {}
 jobs:
 release:
 name: Create GitHub Release
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # create/update the GitHub Release and read the tagged ref
 env:
 RELEASE_TAG: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.tag || github.ref_name }}
 steps:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index affdf5b..053d15c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+### Security
+
+- Raised dependency floors to patched releases: `pyarrow >= 14.0.1` (CVE-2023-47248, RCE via unsafe deserialization) and `pydantic >= 2.4.0` (CVE-2024-3772, regex denial of service).
+
 ## [0.3.0] - 2026-06-05
diff --git a/pyproject.toml b/pyproject.toml
index 0a39531..3d5ab05 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -13,12 +13,12 @@ requires-python = ">=3.9"
 dependencies = [
 "urllib3 (>=2.1.0,<3.0.0)",
 "python-dateutil (>=2.8.2)",
- "pydantic (>=2)",
+ "pydantic (>=2.4.0)",
 "typing-extensions (>=4.7.1)",
 ]
 [project.optional-dependencies]
-arrow = ["pyarrow >= 14"]
+arrow = ["pyarrow >= 14.0.1"]
 [project.urls]
 Homepage = "https://www.hotdata.dev"
diff --git a/requirements.txt b/requirements.txt
index 6cbb2b9..fe10bbf 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,4 @@
 urllib3 >= 2.1.0, < 3.0.0
 python_dateutil >= 2.8.2
-pydantic >= 2
+pydantic >= 2.4.0
 typing-extensions >= 4.7.1
diff --git a/test-requirements.txt b/test-requirements.txt
index 57f8403..de5ef21 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
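Review bot: The top-level `permissions: {}` removes the default token scopes from every job in this file, but only `release` is granted anything back in this hunk; if the workflow has another job (the `on:` block above and the `steps:` below are outside the hunk, so I cannot tell) that checks out code or publishes — for example a PyPI trusted-publishing job, which needs `id-token: write` — it will now fail with a permissions error, which is the right failure mode but should be confirmed with a dry run before the next tag. I would also make the job-level comment state the negative so the grant is not widened by reflex later: `contents: write # create/update the GitHub Release; this job needs no other scope`. Since `RELEASE_TAG` is derived from a `workflow_dispatch` input, the steps should keep reading it as `$RELEASE_TAG` from the environment rather than interpolating `${{ env.RELEASE_TAG }}` into `run:` lines; that part of the job is outside the hunk.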
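Review bot: The raised floors for `pydantic` and the `arrow` extra carry no rationale in pyproject.toml itself, so the CVE reasoning lives only in CHANGELOG.md and a later "loosen the constraints" cleanup could quietly undo the fix; test-requirements.txt in the same commit already documents why its `pyarrow` line exists, and the same habit belongs here. A trailing comment on each changed line keeps the reason attached to the constraint: `"pydantic (>=2.4.0)",  # CVE-2024-3772 (ReDoS) is fixed in 2.4.0` and `arrow = ["pyarrow >= 14.0.1"]  # CVE-2023-47248 is fixed in 14.0.1`. Note that a floor only guarantees the patched release when the resolver is asked for the lowest allowed set, so whichever CI lane installs from these files should exercise the minimum versions once; the floor is now duplicated across pyproject.toml, requirements.txt and test-requirements.txt, which the existing "keep in sync" comment already acknowledges.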
@@ -7,4 +7,4 @@ mypy >= 1.5
 # pyarrow backs the `arrow` extra. Required here (not just an optional extra) so
 # the arrow integration scenarios actually run in CI instead of silently
 # skipping via importorskip. Keep the floor in sync with pyproject's extra.
-pyarrow >= 14
+pyarrow >= 14.0.1