diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
index 8c58682..67dd314 100644
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -8,7 +8,10 @@ updates:
     schedule:
       interval: "weekly"
 
-  - package-ecosystem: "docker"
-    directory: "/"
-    schedule:
-      interval: "weekly"
+# It would be nice to keep these up to date,
+# but it's more important to keep versions consistent with the build.
+#
+#  - package-ecosystem: "docker"
+#    directory: "/"
+#    schedule:
+#      interval: "weekly"
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 086b621..d571fc5 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -18,7 +18,7 @@ jobs:
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - uses: haskell-actions/setup@7398b0c373cccf9ed5dfddae26f77ed02dea4967 # v2.5.3
+      - uses: haskell-actions/setup@75089801accaefd2e8c4a899d6101caa5bdcbc77 # v2.6.0
         with:
           enable-stack: true
 
@@ -49,7 +49,7 @@ jobs:
 
       - name: Upload coverage report
         if: ${{ inputs.coverage }}
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         with:
           name: coverage-report
           path: ${{ steps.coverage.outputs.report }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 8512a5b..2d36eef 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -34,7 +34,7 @@ jobs:
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@e6428a5c4e294a61438ed7f43155db912025b6b3 # v5.2.0
+        uses: docker/metadata-action@31cebacef4805868f9ce9a0cb03ee36c32df2ac4 # v5.3.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
index cce5dee..201d58b 100644
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -45,7 +45,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         with:
           name: SARIF file
           path: results.sarif
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index 5001ced..bf0047a 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -19,7 +19,7 @@ jobs:
       pull-requests: write
 
     steps:
-    - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0
+    - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
       with:
         days-before-stale: 90
         days-before-close: 30
diff --git a/stack.yaml b/stack.yaml
index f893a28..ae11350 100644
--- a/stack.yaml
+++ b/stack.yaml
@@ -17,9 +17,7 @@
 # https://docs.haskellstack.org/en/stable/yaml_configuration/
 
 # Resolver to choose a 'specific' stackage snapshot or a compiler version.
-# Use a nightly build for now so that we can build an unreleased version
-# of HLint with SARIF support.
-resolver: lts-21.24
+resolver: lts-22.0
 
 # User packages to be built.
 packages:
diff --git a/test/ArgumentsSpec.hs b/test/ArgumentsSpec.hs
index f1b80d9..93cdeb0 100644
--- a/test/ArgumentsSpec.hs
+++ b/test/ArgumentsSpec.hs
@@ -45,22 +45,23 @@ spec = do
         `shouldBe` Nothing
 
     prop "argument must have '=' character" $ \s ->
-      ('=' `notElem` s) ==>
-        validate [s]
-          `shouldSatisfy` isJust
+      ('=' `notElem` s)
+        ==> validate [s]
+        `shouldSatisfy` isJust
 
     prop "argument must not have duplicate keyword" $ \key v v' ->
-      '=' `notElem` key ==> \keyValues ->
-        let otherArgs = map (\(x, y) -> x <> "=" <> y) keyValues
-            args' = [key <> "=" <> v, key <> "=" <> v'] ++ otherArgs
-         in forAll (shuffle args') $ \args ->
-              validate args `shouldSatisfy` isJust
+      '='
+        `notElem` key ==> \keyValues ->
+          let otherArgs = map (\(x, y) -> x <> "=" <> y) keyValues
+              args' = [key <> "=" <> v, key <> "=" <> v'] ++ otherArgs
+           in forAll (shuffle args') $ \args ->
+                validate args `shouldSatisfy` isJust
 
     prop "argument must have explicitly allowed keyword" $ \key v ->
-      ('=' `notElem` key) ==>
-        (key `notElem` ["binary", "path", "hints", "category", "token"]) ==>
-          validate [key <> "=" <> v]
-            `shouldSatisfy` isJust
+      ('=' `notElem` key)
+        ==> (key `notElem` ["binary", "path", "hints", "category", "token"])
+        ==> validate [key <> "=" <> v]
+        `shouldSatisfy` isJust
 
     prop "path may not look like a flag" $ \pathSuffix paths' ->
       forAll (shuffle $ ("-" <> pathSuffix) : paths') $ \paths ->
@@ -115,15 +116,15 @@ spec = do
         && (hints /= "")
         && (category /= "")
         && (token /= "")
-        ==> forAll
-          ( shuffle
-              [ "binary=" <> binary,
-                "path=" <> paths,
-                "hints=" <> hints,
-                "category=" <> category,
-                "token=" <> token
-              ]
-          )
+          ==> forAll
+            ( shuffle
+                [ "binary=" <> binary,
+                  "path=" <> paths,
+                  "hints=" <> hints,
+                  "category=" <> category,
+                  "token=" <> token
+                ]
+            )
         $ \args ->
           translate args
             `shouldBe` ( binary,