diff --git a/.bundler-audit.yml b/.bundler-audit.yml
new file mode 100644
index 0000000000..c867b1abf0
--- /dev/null
+++ b/.bundler-audit.yml
@@ -0,0 +1,10 @@
+---
+ignore:
+  # devise-two-factor advisory about brute-forcing TOTP
+  # We have rate-limits on authentication endpoints in place (including second
+  # factor verification) since Mastodon v3.2.0
+  - CVE-2024-0227
+  # devise-two-factor advisory about generated secrets being weaker than expected
+  # We call `generate_otp_secret` ourselves with a requested length of 32 characters,
+  # which exceeds the recommended remediation of 26 characters, so we're safe
+  - CVE-2024-8796
diff --git a/Gemfile.lock b/Gemfile.lock
index 738ca0fd7e..b79d0dad1d 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -290,9 +290,9 @@ GEM
       ruby-progressbar (~> 1.4)
     globalid (1.2.1)
       activesupport (>= 6.1)
-    google-protobuf (3.25.4)
+    google-protobuf (3.25.5)
     googleapis-common-protos-types (1.15.0)
-      google-protobuf (>= 3.18, < 5.a)
+      google-protobuf (>= 3.25.5, < 5.a)
     haml (6.3.0)
       temple (>= 0.8.2)
       thor
@@ -494,7 +494,7 @@ GEM
     opentelemetry-common (0.21.0)
       opentelemetry-api (~> 1.0)
     opentelemetry-exporter-otlp (0.29.0)
-      google-protobuf (>= 3.18)
+      google-protobuf (>= 3.25.5)
       googleapis-common-protos-types (~> 1.3)
       opentelemetry-api (~> 1.1)
       opentelemetry-common (~> 0.20)
@@ -607,7 +607,7 @@ GEM
     psych (5.1.2)
       stringio
     public_suffix (6.0.1)
-    puma (6.4.2)
+    puma (6.4.3)
       nio4r (~> 2.0)
     pundit (2.4.0)
       activesupport (>= 3.0.0)
@@ -892,7 +892,7 @@ GEM
       rack-proxy (>= 0.6.1)
       railties (>= 5.2)
       semantic_range (>= 2.3.0)
-    webrick (1.8.1)
+    webrick (1.8.2)
     websocket (1.2.11)
     websocket-driver (0.7.6)
       websocket-extensions (>= 0.1.0)
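Review bot: Both `ignore` entries in the new .bundler-audit.yml are open-ended suppressions with no expiry, so they will keep silencing the two advisories even if the conditions they cite stop holding, and neither justification points at something a later auditor can check. For CVE-2024-0227 the comment cites rate limits present since v3.2.0 but not where they are configured; for CVE-2024-8796 the claim rests on every OTP secret being created through the explicit `generate_otp_secret` call with length 32, which is only true if no other code path creates secrets, and a spec asserting the stored secret length would pin that down. I would add to each entry a line such as `  # Re-evaluate when devise-two-factor is upgraded to a patched release (tracking: <ISSUE_ID>)` and name the rate-limit and secret-generation locations in the comment so the suppressions stay verifiable rather than permanent.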