diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index d483849..4cc7f9b 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -27,7 +27,7 @@ jobs:
           enable-cache: true
 
       - name: Python set up
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version-file: ".python-version"
 
@@ -40,7 +40,7 @@ jobs:
 
       # for SonarQube coverage report
       - name: SonarQube Scan
-        uses: SonarSource/sonarqube-scan-action@v5
+        uses: SonarSource/sonarqube-scan-action@v6
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
diff --git a/.github/workflows/update-pre-commit-hooks.yml b/.github/workflows/update-pre-commit-hooks.yml
index 86266c4..3c559b2 100644
--- a/.github/workflows/update-pre-commit-hooks.yml
+++ b/.github/workflows/update-pre-commit-hooks.yml
@@ -11,12 +11,13 @@ permissions:
 jobs:
   update:
     runs-on: ubuntu-latest
+
     steps:
       - name: Check out repository
         uses: actions/checkout@v5
 
       - name: Python set up
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version-file: ".python-version"
           # pre-commit has its own cache
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 997aa03..ad800eb 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -12,12 +12,12 @@ default_language_version:
 
 exclude: |
   (?x)^(
-    \.vscode/.*|
+    \.vscode/.*
   )$
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
       - id: check-added-large-files
         args: ["--maxkb=500"]
@@ -45,8 +45,6 @@ repos:
       # - id: file-contents-sorter
       #   files: ^(deploy-whitelist.txt|\.gitignore|\.dockerignore)$
       - id: fix-byte-order-marker
-      - id: fix-encoding-pragma
-        args: ["--remove"]
       - id: forbid-new-submodules
       # - id: forbid-submodules
       - id: mixed-line-ending
@@ -63,52 +61,19 @@ repos:
       - id: trailing-whitespace
 
   # ruff
-  - repo: https://github.com/charliermarsh/ruff-pre-commit
-    rev: "v0.11.12"
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.13.1
     hooks:
       - id: ruff
         args: [--fix, --exit-non-zero-on-fix]
       - id: ruff-format
 
   # security
-  - repo: https://github.com/PyCQA/bandit
-    rev: 1.8.3
-    hooks:
-      - id: bandit
-        args: ["--skip", "B101,B404"]
-
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.27.0
+    rev: v8.28.0
     hooks:
       - id: gitleaks
 
-  # - repo: https://github.com/trufflesecurity/truffleHog
-  #   rev: v3.88.4
-  #   hooks:
-  #     - id: trufflehog
-
-  # minor formatting
-  - repo: https://github.com/pre-commit/pygrep-hooks
-    rev: v1.10.0
-    hooks:
-      - id: python-check-blanket-noqa
-      # not, since '# type: ignore' is ok for me
-      # - id: python-check-blanket-type-ignore
-      - id: python-check-mock-methods
-      - id: python-no-eval
-      - id: python-no-log-warn
-      - id: python-use-type-annotations
-      - id: rst-backticks
-      - id: rst-directive-colons
-      - id: rst-inline-touching-normal
-      - id: text-unicode-replacement-char
-
-  # CRLF -> LF
-  - repo: https://github.com/Lucas-C/pre-commit-hooks
-    rev: v1.5.5
-    hooks:
-      - id: remove-crlf
-
   # markdown
   - repo: https://github.com/igorshubovych/markdownlint-cli
     rev: v0.45.0
@@ -118,6 +83,6 @@ repos:
 
   # code spell check via cspell
   - repo: https://github.com/streetsidesoftware/cspell-cli
-    rev: v9.0.1
+    rev: v9.2.0
     hooks:
       - id: cspell