diff --git a/gitsign.yaml b/gitsign.yaml
index 6d6a22ba0c6..eb8f76c45c6 100644
--- a/gitsign.yaml
+++ b/gitsign.yaml
@@ -1,7 +1,7 @@
 package:
 name: gitsign
 version: "0.13.0"
- epoch: 7 # CVE-2025-61729
+ epoch: 8 # GHSA-f83f-xpx7-ffpw
 description: Keyless Git signing with Sigstore!
 copyright:
 - license: Apache-2.0
@@ -23,6 +23,9 @@ pipeline:
 golang.org/x/net@v0.38.0
 github.com/cloudflare/circl@v1.6.1
 golang.org/x/crypto@v0.45.0
+ github.com/sigstore/protobuf-specs@v0.5.0
+ google.golang.org/protobuf@v1.36.10
+ github.com/sigstore/fulcio@v1.8.3
 - uses: go/build
 with:
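Review bot: The three pins added in the second hunk give no indication of which one resolves GHSA-f83f-xpx7-ffpw and which are only there so the module graph still resolves. The epoch comment in the first hunk names the advisory but not the affected module, and it overwrites the earlier CVE-2025-61729 reference, so the reason for each existing pin now lives only in the git history. The pins appear to sit inside a multi-line value that begins outside the hunk, where a `#` line would likely become part of the value; a comment above the enclosing step would be safer, for example `# GHSA-f83f-xpx7-ffpw: <affected module>; other pins are required companions`. It is also worth confirming on the built binary with `go version -m <binary>` that the pinned versions are the ones actually linked.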