diff --git a/.erb-lint.yml b/.erb-lint.yml
index 78dd764abf1..5ff53cbe0b2 100644
--- a/.erb-lint.yml
+++ b/.erb-lint.yml
@@ -23,3 +23,5 @@ linters:
 suggestion: 'Rename classes that are known to be hidden by the Hush plugin'
 SpaceAroundErbTag:
 enabled: true
+ CommentSyntax:
+ enabled: true
diff --git a/.rubocop.yml b/.rubocop.yml
index 67cecbea01c..f35456ac4f0 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -636,7 +636,7 @@ Metrics/BlockLength:
 CountComments: false
 Enabled: true
 Max: 25
- IgnoredMethods:
+ AllowedMethods:
 - Struct.new
 - RedactedStruct.new
 Exclude:
@@ -1080,7 +1080,7 @@ Style/LineEndConcatenation:
 Style/MethodCallWithoutArgsParentheses:
 Enabled: true
- IgnoredMethods: []
+ AllowedMethods: []
 Style/MethodDefParentheses:
 Enabled: true
diff --git a/Gemfile b/Gemfile
index ef0dfb4b035..ee122388156 100644
--- a/Gemfile
+++ b/Gemfile
@@ -93,7 +93,7 @@ group :development, :test do
 gem 'bullet', '~> 7.0'
 gem 'capybara-webmock', git: 'https://github.com/hashrocket/capybara-webmock.git', ref: '63d790a0'
 gem 'data_uri', require: false
- gem 'erb_lint', '~> 0.1.0', require: false
+ gem 'erb_lint', '~> 0.3.0', require: false
 gem 'i18n-tasks', '>= 0.9.31'
 gem 'knapsack'
 gem 'nokogiri', '~> 1.13.10'
@@ -104,9 +104,9 @@ group :development, :test do
 gem 'pry-rails'
 gem 'psych'
 gem 'puma'
- gem 'rspec-rails', '6.0.0.rc1'
- gem 'rubocop', '~> 1.29.1', require: false
- gem 'rubocop-performance', '~> 1.14.0', require: false
+ gem 'rspec-rails', '~> 6.0'
+ gem 'rubocop', '~> 1.42.0', require: false
+ gem 'rubocop-performance', '~> 1.15.0', require: false
 gem 'rubocop-rails', '>= 2.5.2', require: false
 end
diff --git a/Gemfile.lock b/Gemfile.lock
index bc0ac93cc05..926b669ed3b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -177,23 +177,22 @@ GEM coderay (>= 1.0.0) erubi (>= 1.0.0) rack (>= 0.9.0) - better_html (1.0.16) - actionview (>= 4.0) - activesupport (>= 4.0) + better_html (2.0.1) + actionview (>= 6.0) + activesupport (>= 6.0) ast (~> 2.0) erubi (~> 1.4) - html_tokenizer (~> 0.0.6) parser (>= 2.4) smart_properties bindata (2.4.10) binding_of_caller (1.0.0) debug_inspector (>= 0.0.1) - bootsnap (1.9.3) + bootsnap (1.9.4) msgpack (~> 1.0) - brakeman (5.2.1) + brakeman (5.4.0) browser (5.3.1) builder (3.2.4) - bullet (7.0.1) + bullet (7.0.7) activesupport (>= 3.0.0) uniform_notifier (~> 1.11) bundler-audit (0.9.0.1) @@ -260,16 +259,15 @@ GEM htmlentities (~> 4.3.3) launchy (~> 2.1) mail (~> 2.7) - erb_lint (0.1.1) + erb_lint (0.3.1) activesupport - better_html (~> 1.0.7) - html_tokenizer + better_html (>= 2.0.1) parser (>= 2.7.1.4) rainbow rubocop smart_properties errbase (0.2.1) - erubi (1.11.0) + erubi (1.12.0) et-orbi (1.2.7) tzinfo execjs (2.8.1) @@ -328,7 +326,6 @@ GEM heapy (0.2.0) thor highline (2.0.3) - html_tokenizer (0.0.7) htmlbeautifier (1.4.2) htmlentities (4.3.4) http_accept_language (2.1.1) @@ -352,6 +349,7 @@ GEM jmespath (1.6.1) jsbundling-rails (1.0.0) railties (>= 6.0.0) + json (2.6.3) jwe (0.4.0) jwt (2.4.1) knapsack (4.0.0) @@ -395,9 +393,9 @@ GEM method_source (1.0.0) mini_histogram (0.3.1) mini_mime (1.1.2) - mini_portile2 (2.8.0) - minitest (5.16.3) - msgpack (1.4.2) + mini_portile2 (2.8.1) + minitest (5.17.0) + msgpack (1.6.0) multiset (0.5.3) nenv (0.3.0) net-imap (0.2.3) @@ -436,7 +434,7 @@ GEM parallel (1.22.1) parallel_tests (3.7.3) parallel - parser (3.1.2.1) + parser (3.2.0.0) ast (~> 2.4.1) pg (1.4.5) pg_query (2.2.0) @@ -467,8 +465,8 @@ GEM puma (5.6.4) nio4r (~> 2.0) raabro (1.4.0) - racc (1.6.1) - rack (2.2.4) + racc (1.6.2) + rack (2.2.5) rack-attack (6.5.0) rack (>= 1.0, < 3) rack-cors (1.1.1) 
@@ -535,7 +533,7 @@ GEM redis-session-store (0.11.4) actionpack (>= 3, < 8) redis (>= 3, < 5) - regexp_parser (2.6.0) + regexp_parser (2.6.1) reline (0.2.7) io-console (~> 0.5) request_store (1.5.0) @@ -557,13 +555,13 @@ GEM rspec-mocks (~> 3.11.0) rspec-core (3.11.0) rspec-support (~> 3.11.0) - rspec-expectations (3.11.0) + rspec-expectations (3.11.1) diff-lcs (>= 1.2.0, < 2.0) rspec-support (~> 3.11.0) - rspec-mocks (3.11.1) + rspec-mocks (3.11.2) diff-lcs (>= 1.2.0, < 2.0) rspec-support (~> 3.11.0) - rspec-rails (6.0.0.rc1) + rspec-rails (6.0.1) actionpack (>= 6.1) activesupport (>= 6.1) railties (>= 6.1) @@ -573,21 +571,22 @@ GEM rspec-support (~> 3.11) rspec-retry (0.6.2) rspec-core (> 3.3) - rspec-support (3.11.0) + rspec-support (3.11.1) rspec_junit_formatter (0.6.0) rspec-core (>= 2, < 4, != 2.12.0) - rubocop (1.29.1) + rubocop (1.42.0) + json (~> 2.3) parallel (~> 1.10) - parser (>= 3.1.0.0) + parser (>= 3.1.2.1) rainbow (>= 2.2.2, < 4.0) regexp_parser (>= 1.8, < 3.0) rexml (>= 3.2.5, < 4.0) - rubocop-ast (>= 1.17.0, < 2.0) + rubocop-ast (>= 1.24.1, < 2.0) ruby-progressbar (~> 1.7) unicode-display_width (>= 1.4.0, < 3.0) - rubocop-ast (1.21.0) + rubocop-ast (1.24.1) parser (>= 3.1.1.0) - rubocop-performance (1.14.3) + rubocop-performance (1.15.2) rubocop (>= 1.7.0, < 2.0) rubocop-ast (>= 0.4.0) rubocop-rails (2.12.4) @@ -664,8 +663,8 @@ GEM unf (0.1.4) unf_ext unf_ext (0.0.8) - unicode-display_width (2.3.0) - uniform_notifier (1.14.2) + unicode-display_width (2.4.0) + uniform_notifier (1.16.0) uuid (2.3.9) macaddr (~> 1.0) valid_email (0.1.4) @@ -747,7 +746,7 @@ DEPENDENCIES devise (~> 4.8) dotiw (>= 4.0.1) email_spec - erb_lint (~> 0.1.0) + erb_lint (~> 0.3.0) factory_bot_rails (>= 6.2.0) faker faraday (~> 2) 
@@ -804,11 +803,11 @@ DEPENDENCIES
 retries
 rotp (~> 6.1)
 rqrcode
- rspec-rails (= 6.0.0.rc1)
+ rspec-rails (~> 6.0)
 rspec-retry
 rspec_junit_formatter
- rubocop (~> 1.29.1)
- rubocop-performance (~> 1.14.0)
+ rubocop (~> 1.42.0)
+ rubocop-performance (~> 1.15.0)
 rubocop-rails (>= 2.5.2)
 ruby-progressbar
 ruby-saml
diff --git a/app/controllers/users/sessions_controller.rb b/app/controllers/users/sessions_controller.rb
index 9819ac4b3e3..2fbe9f03162 100644
--- a/app/controllers/users/sessions_controller.rb
+++ b/app/controllers/users/sessions_controller.rb
@@ -221,7 +221,7 @@ def pending_account_reset_request
 ).call
 end
- LETTERS_AND_DASHES = /\A[a-z0-9\-]+\Z/i
+ LETTERS_AND_DASHES = /\A[a-z0-9-]+\Z/i
 def request_id_if_valid
 request_id = (params[:request_id] || sp_session[:request_id]).to_s
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
index 5e8d40af348..7bfec532fb1 100644
--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
@@ -29,6 +29,9 @@
 },
 "user_input": "params[:step]",
 "confidence": "Weak",
+ "cwe_id": [
+ 22
+ ],
 "note": ""
 },
 {
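Review bot: `LETTERS_AND_DASHES` in the sessions_controller.rb hunk still anchors with `\Z`, which in Ruby also matches just before a trailing newline, so a value such as `"abc\n"` satisfies the pattern while `\z` would reject it. Since the escape cleanup already rewrites this line, tighten the anchor at the same time: `LETTERS_AND_DASHES = /\A[a-z0-9-]+\z/i`. The constant is presumably what `request_id_if_valid` checks the `params[:request_id]` / `sp_session[:request_id]` value against, and whether a stray newline matters downstream depends on that method's body, which continues outside the hunk.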
@@ -60,8 +63,34 @@
 },
 "user_input": "params[:step]",
 "confidence": "Weak",
+ "cwe_id": [
+ 22
+ ],
 "note": ""
 },
+ {
+ "warning_type": "Weak Cryptography",
+ "warning_code": 126,
+ "fingerprint": "62a8c37ff0f723d2ebbbbf64c443a21632a2dcdc87fd20e6f61c2cec323482d2",
+ "check_name": "WeakRSAKey",
+ "message": "Use of padding mode PKCS1 (default if not specified), which is known to be insecure. Use OAEP instead",
+ "file": "app/services/irs_attempts_api/envelope_encryptor.rb",
+ "line": 19,
+ "link": "https://brakemanscanner.org/docs/warning_types/weak_cryptography/",
+ "code": "OpenSSL::PKey::RSA.new(Base64.strict_decode64(public_key_str)).public_encrypt(OpenSSL::Cipher.new(\"aes-256-cbc\").random_key)",
+ "render_path": null,
+ "location": {
+ "type": "method",
+ "class": "IrsAttemptsApi::EnvelopeEncryptor",
+ "method": "s(:self).encrypt"
+ },
+ "user_input": null,
+ "confidence": "High",
+ "cwe_id": [
+ 780
+ ],
+ "note": "This is necessary due to the parameters of the IRS systems that we integrate with."
+ },
 {
 "warning_type": "Dynamic Render Path",
 "warning_code": 15,
@@ -91,9 +120,12 @@
 },
 "user_input": "params[:step]",
 "confidence": "Weak",
+ "cwe_id": [
+ 22
+ ],
 "note": ""
 }
 ],
- "updated": "2022-07-05 11:19:47 -0400",
- "brakeman_version": "5.2.0"
+ "updated": "2023-01-03 12:29:54 -0600",
+ "brakeman_version": "5.4.0"
 }
diff --git a/spec/services/encryption/encryptors/pii_encryptor_spec.rb b/spec/services/encryption/encryptors/pii_encryptor_spec.rb
index 1c68f366901..8cc2491e0b8 100644
--- a/spec/services/encryption/encryptors/pii_encryptor_spec.rb
+++ b/spec/services/encryption/encryptors/pii_encryptor_spec.rb
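Review bot: The new WeakRSAKey suppression (CWE-780, PKCS#1 v1.5 padding in `IrsAttemptsApi::EnvelopeEncryptor.encrypt`, line 19 of envelope_encryptor.rb) justifies itself only with "the parameters of the IRS systems", which does not tell the next auditor which integration requirement rules out OAEP, what is being wrapped, or when the exception should be re-examined. Suggest a note along the lines of `"note": "IRS Attempts API key wrapping must use PKCS#1 v1.5 per <INTEGRATION-REQUIREMENT-PLACEHOLDER>; the wrapped value is the per-call random AES-256 key from OpenSSL::Cipher#random_key. Revisit once the receiving side accepts OAEP."` Keep in mind that, as far as I know, the brakeman fingerprint is derived from the exact source text, so any reformatting of the call on line 19 reopens the finding and requires regenerating this entry rather than editing it by hand.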
@@ -90,7 +90,7 @@ kms_client = instance_double(Encryption::KmsClient) expect(Encryption::KmsClient).to receive(:new).and_return(kms_client) expect(kms_client).to receive(:decrypt). - with('kms_ciphertext', 'context' => 'pii-encryption', 'user_uuid' => 'uuid-123-abc'). + with('kms_ciphertext', { 'context' => 'pii-encryption', 'user_uuid' => 'uuid-123-abc' }). and_return('aes_ciphertext') cipher = instance_double(Encryption::AesCipher)