diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 44eb831c..b73a5158 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -12,6 +12,8 @@ on:
   schedule:
     - cron: "30 1 * * 1"  # Weekly on Monday
 
+permissions: read-all
+
 jobs:
   analyze:
     name: Analyze (python)
@@ -26,15 +28,15 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
         with:
           languages: python
           queries: security-extended
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
         with:
           category: /language:python
diff --git a/pyproject.toml b/pyproject.toml
index 141d6bfd..54a6e22c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -16,7 +16,7 @@ requires-python = ">=3.13"
 dependencies = [
     "numpy>=1.24.3",
     "scipy>=1.10.1",
-    "scikit-learn>=1.3.0",
+    "scikit-learn>=1.5.0",
     # MkDocs dependencies removed — documentation now uses Quarto + quartodoc.
     # Install doc-build tools via: pip install spotoptim[docs]
     # or: pip install -r requirements-docs.txt
diff --git a/uv.lock b/uv.lock
index b7864c09..17e0b664 100644
--- a/uv.lock
+++ b/uv.lock
@@ -2795,7 +2795,7 @@ wheels = [
 
 [[package]]
 name = "spotoptim"
-version = "0.8.0"
+version = "0.10.0"
 source = { editable = "." }
 dependencies = [
     { name = "black" },