diff --git a/third_party/deps.yml b/third_party/deps.yml
index af9e48ebbb..80c2fa109c 100644
--- a/third_party/deps.yml
+++ b/third_party/deps.yml
@@ -33,6 +33,7 @@ dependencies:
   - openssl=3.1.1
   - pkg-config=0.29.2
   - rhash=1.4.3
+  # don't upgrade xz utils due to CVE-2024-3094
   - xz=5.2.6
   - zlib=1.2.13
   - zstd=1.5.2
diff --git a/third_party/requirements.txt b/third_party/requirements.txt
index e2bb3bdcd3..0211d29d6b 100644
--- a/third_party/requirements.txt
+++ b/third_party/requirements.txt
@@ -12,10 +12,10 @@ docutils==0.15.2
 exhale==0.3.0
 idna==2.8
 imagesize==1.1.0
-Jinja2==2.11.3
+Jinja2==3.1.3
 lxml==4.9.3
 Mako==1.3.0
-MarkupSafe==1.1.1
+MarkupSafe==2.1.5
 packaging==19.2
 Pygments==2.17.2
 pyparsing==2.4.5