diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f066d26..cea7186 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,4 +1,5 @@
-image: gradle:8.2-jdk11
+default:
+  image: gradle:8.3-jdk11
 
 # Explicit version of the Mergerequests-Pipelines workflow, with the main branch
 # added.
@@ -41,6 +42,8 @@ variables:
 ######## Build stage ########
 build:
   stage: build
+  # slow builds in augusts 2023
+  timeout: 60m
   services:
     - postgres:14
   variables:
diff --git a/build.gradle b/build.gradle
index a5c0101..b982f89 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,6 +1,6 @@
 plugins {
     id 'rpki-ripe-ncc.build-conventions'
-    id 'org.springframework.boot' version '2.7.13'
+    id 'org.springframework.boot' version '2.7.16'
     id 'distribution'
     id 'jacoco'
     id "com.google.cloud.tools.jib" version "3.3.2"
@@ -43,7 +43,7 @@ dependencies {
     implementation "org.thymeleaf:thymeleaf:3.1.1.RELEASE"
     implementation "org.thymeleaf:thymeleaf-spring5:3.1.1.RELEASE"
 
-    implementation platform('io.sentry:sentry-bom:6.24.0')
+    implementation platform('io.sentry:sentry-bom:6.28.0')
     implementation 'io.sentry:sentry-spring-boot-starter'
     implementation 'io.sentry:sentry-logback'
 
@@ -73,7 +73,7 @@ dependencies {
     }
 
     testImplementation 'com.github.tomakehurst:wiremock-jre8:2.35.0'
-    testImplementation 'net.jqwik:jqwik:1.7.3'
+    testImplementation 'net.jqwik:jqwik:1.7.4'
     testImplementation "net.ripe.rpki:rpki-commons:$rpki_commons_version:tests"
     testImplementation 'org.assertj:assertj-core'
 
diff --git a/dependencies.gradle b/dependencies.gradle
index 3930570..ab855f0 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -1,4 +1,4 @@
 ext {
-    rpki_commons_version = '1.33'
-    spring_boot_version = '2.7.13'
+    rpki_commons_version = '1.34'
+    spring_boot_version = '2.7.16'
 }
diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar
index 033e24c..7f93135 100644
Binary files a/gradle/wrapper/gradle-wrapper.jar and b/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index 62f495d..ac72c34 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.2-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.3-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
diff --git a/gradlew b/gradlew
index fcb6fca..0adc8e1 100755
--- a/gradlew
+++ b/gradlew
@@ -83,7 +83,8 @@ done
 # This is normally unused
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
-APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
+# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
+APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
diff --git a/renovate.json b/renovate.json
index ca303e1..c238cb0 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,5 +1,6 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "dependencyDashboard": true,
   "packageRules": [
     {
       "managers": ["maven"],
diff --git a/src/main/java/net/ripe/rpki/services/impl/background/PublicRepositoryPublicationServiceBean.java b/src/main/java/net/ripe/rpki/services/impl/background/PublicRepositoryPublicationServiceBean.java
index b214939..967f99b 100644
--- a/src/main/java/net/ripe/rpki/services/impl/background/PublicRepositoryPublicationServiceBean.java
+++ b/src/main/java/net/ripe/rpki/services/impl/background/PublicRepositoryPublicationServiceBean.java
@@ -23,7 +23,8 @@
 
 /**
  * Updates all needed CRLs and manifests to generate a new, consistent set of published RPKI objects. The update
- * is done inside a single transaction to ensure that no inconsistent set of objects can be published.
+ * is done top-down to ensure that no inconsistent set of objects can be published (parent CAs never issue
+ * certificates that cause child CAs to be invalidated).
  * <p>
  * The actual publishing to RRDP or RSYNC is done in separate background services.
  */
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index e31ea20..1ba1aa5 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -28,7 +28,13 @@ spring:
         driver-class-name: org.postgresql.Driver
         username: certdb
         hikari:
-            maximum-pool-size: 90
+            # use keepalive to ensure there is traffic.
+            #
+            # Do not use a maximum connection lifetime. It does not help, because
+            # recycling ports may not keep the flow alive longer on a firewall
+            keepalive-time: 300000
+            maximum-pool-size: 50
+            connection-timeout: 5000
             transaction-isolation: TRANSACTION_REPEATABLE_READ
     jpa:
         database-platform: org.hibernate.dialect.PostgreSQL10Dialect