diff --git a/.cargo/audit.toml b/.cargo/audit.toml
new file mode 100644
index 00000000000..97e464d1bf2
--- /dev/null
+++ b/.cargo/audit.toml
@@ -0,0 +1,5 @@
+[advisories]
+# protobuf 2.28.0 (via prometheus 0.13.4) - crash due to uncontrolled recursion.
+# Not exploitable in our context: protobuf is only used for Prometheus metrics
+# serialization with trusted internal data, not for parsing untrusted input.
+ignore = ["RUSTSEC-2024-0437"]
diff --git a/.github/workflows/test-suite.yml b/.github/workflows/test-suite.yml
index 7344a9367b7..25f7cbcac14 100644
--- a/.github/workflows/test-suite.yml
+++ b/.github/workflows/test-suite.yml
@@ -26,6 +26,10 @@ env:
   CARGO_INCREMENTAL: 0
   # Enable portable to prevent issues with caching `blst` for the wrong CPU type
   TEST_FEATURES: portable
+  # Use Clang for C/C++ compilation. Required because leveldb-sys uses
+  # -Wthread-safety which is a Clang-only flag unsupported by GCC.
+  CC: clang
+  CXX: clang++
 jobs:
   check-labels:
     runs-on: ubuntu-latest
@@ -96,6 +100,8 @@ jobs:
       uses: foundry-rs/foundry-toolchain@v1
       with:
         version: nightly-ca67d15f4abd46394b324c50e21e66f306a1162d
+    - name: Clear stale leveldb-sys cmake cache
+      run: rm -rf target/release/build/leveldb-sys-*/out/build 2>/dev/null || true
     - name: Run tests in release
       run: make test-release
     - name: Show cache stats
diff --git a/.github/workflows/zkboost-tests.yml b/.github/workflows/zkboost-tests.yml
index 044c5727850..aaa15489d37 100644
--- a/.github/workflows/zkboost-tests.yml
+++ b/.github/workflows/zkboost-tests.yml
@@ -18,6 +18,10 @@ env:
   RUSTFLAGS: "-D warnings -C debuginfo=0"
   CARGO_INCREMENTAL: 0
   TEST_FEATURES: portable
+  # Use Clang for C/C++ compilation. Required because leveldb-sys uses
+  # -Wthread-safety which is a Clang-only flag unsupported by GCC.
+  CC: clang
+  CXX: clang++
 
 jobs:
   check-labels:
@@ -52,6 +56,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y git gcc g++ make cmake pkg-config llvm-dev libclang-dev clang
       - name: Get latest version of stable Rust
         uses: moonrepo/setup-rust@v1
         with:
@@ -60,5 +66,7 @@ jobs:
           bins: cargo-nextest
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Clear stale leveldb-sys cmake cache
+        run: rm -rf target/release/build/leveldb-sys-*/out/build 2>/dev/null || true
       - name: Run proof_engine_zkboost integration tests
         run: make test-zkboost
diff --git a/Dockerfile b/Dockerfile
index f3c2f011ada..ccfd2826b1b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 FROM rust:1.91.0-bullseye AS builder
-RUN apt-get update && apt-get -y upgrade && apt-get install -y cmake libclang-dev
+RUN apt-get update && apt-get -y upgrade && apt-get install -y cmake libclang-dev clang
 ARG FEATURES
 ARG PROFILE=release
 ARG CARGO_USE_GIT_CLI=true
@@ -7,6 +7,9 @@ ENV FEATURES=$FEATURES
 ENV PROFILE=$PROFILE
 ENV CARGO_NET_GIT_FETCH_WITH_CLI=$CARGO_USE_GIT_CLI
 ENV CARGO_INCREMENTAL=1
+# Use Clang for C/C++ compilation (leveldb-sys requires -Wthread-safety, a Clang-only flag)
+ENV CC=clang
+ENV CXX=clang++
 
 WORKDIR /lighthouse
 COPY . .
diff --git a/beacon_node/beacon_chain/src/test_utils.rs b/beacon_node/beacon_chain/src/test_utils.rs
index b6c235a4cb0..b73aa968e9d 100644
--- a/beacon_node/beacon_chain/src/test_utils.rs
+++ b/beacon_node/beacon_chain/src/test_utils.rs
@@ -804,12 +804,7 @@ where
     pub fn shutdown_reasons(&self) -> Vec<ShutdownReason> {
         let mutex = self.shutdown_receiver.clone();
         let mut receiver = mutex.lock();
-        std::iter::from_fn(move || match receiver.try_next() {
-            Ok(Some(s)) => Some(s),
-            Ok(None) => panic!("shutdown sender dropped"),
-            Err(_) => None,
-        })
-        .collect()
+        std::iter::from_fn(move || receiver.try_recv().ok()).collect()
     }
 
     pub fn get_current_state(&self) -> BeaconState<E> {
diff --git a/consensus/fork_choice/tests/tests.rs b/consensus/fork_choice/tests/tests.rs
index d3a84ee85be..46ac008b900 100644
--- a/consensus/fork_choice/tests/tests.rs
+++ b/consensus/fork_choice/tests/tests.rs
@@ -117,8 +117,7 @@ impl ForkChoiceTest {
         let mut shutdown_receiver = mutex.lock();
 
         shutdown_receiver.close();
-        let msg = shutdown_receiver.try_next().unwrap();
-        msg.is_some()
+        shutdown_receiver.try_recv().is_ok()
     }
 
     /// Assert there was a shutdown signal sent by the beacon chain.
diff --git a/deny.toml b/deny.toml
index 54ede06429c..ecde322a98a 100644
--- a/deny.toml
+++ b/deny.toml
@@ -6,10 +6,6 @@
 multiple-versions = "allow"
 deny = [
     { crate = "ethers", reason = "legacy Ethereum crate, use alloy instead" },
-    { crate = "ethereum-types", reason = "legacy Ethereum crate, use alloy-primitives instead" },
-    { crate = "protobuf", reason = "use quick-protobuf instead" },
-    { crate = "derivative", reason = "use educe or derive_more instead" },
-    { crate = "ark-ff", reason = "present in Cargo.lock but not needed by Lighthouse" },
     { crate = "strum", deny-multiple-versions = true, reason = "takes a long time to compile" },
     { crate = "reqwest", deny-multiple-versions = true, reason = "takes a long time to compile" },
     { crate = "aes", deny-multiple-versions = true, reason = "takes a long time to compile" },
@@ -17,6 +13,14 @@ deny = [
     { crate = "pbkdf2", deny-multiple-versions = true, reason = "takes a long time to compile" },
     { crate = "scrypt", deny-multiple-versions = true, reason = "takes a long time to compile" },
 ]
+# Crates banned upstream but required by zkboost/ethrex transitive dependencies
+skip = [
+    { crate = "ethereum-types@0.15.1", reason = "transitive dep of ethrex (zkboost)" },
+    { crate = "protobuf@2.28.0", reason = "transitive dep via prometheus (zkboost)" },
+    { crate = "protobuf@3.7.2", reason = "transitive dep of ethrex (zkboost)" },
+    { crate = "derivative@2.2.0", reason = "transitive dep of ethrex (zkboost)" },
+    { crate = "ark-ff", reason = "transitive dep of ethrex-levm (zkboost)" },
+]
 
 [sources]
 unknown-registry = "deny"
@@ -24,4 +28,4 @@ unknown-git = "warn"
 allow-registry = ["https://github.com/rust-lang/crates.io-index"]
 
 [sources.allow-org]
-github = ["sigp"]
+github = ["sigp", "lambdaclass", "eth-act", "paradigmxyz", "frisitano"]
diff --git a/testing/proof_engine_zkboost/Cargo.toml b/testing/proof_engine_zkboost/Cargo.toml
index 1a97590e45f..ab3ef2c7b54 100644
--- a/testing/proof_engine_zkboost/Cargo.toml
+++ b/testing/proof_engine_zkboost/Cargo.toml
@@ -3,6 +3,9 @@ name = "proof_engine_zkboost_test"
 version = "0.1.0"
 edition.workspace = true
 
+[features]
+portable = ["types/portable"]
+
 [dependencies]
 anyhow = { workspace = true }
 axum = { workspace = true }