diff --git a/.github/workflows/code.yml b/.github/workflows/code.yml
index 107378d8c..461a9787a 100644
--- a/.github/workflows/code.yml
+++ b/.github/workflows/code.yml
@@ -156,7 +156,7 @@ jobs:
 util:
 - name: cargo deny
 download: >
- curl -sSL "https://github.com/EmbarkStudios/cargo-deny/releases/download/0.14.24/cargo-deny-0.14.24-x86_64-unknown-linux-musl.tar.gz" |
+ curl -sSL "https://github.com/EmbarkStudios/cargo-deny/releases/download/0.18.9/cargo-deny-0.18.9-x86_64-unknown-linux-musl.tar.gz" |
 sudo tar -xzvf - -C /usr/local/bin --strip-components=1
 run: cargo-deny check --hide-inclusion-graph --show-stats
 requiresRust: true
diff --git a/Cargo.lock b/Cargo.lock
index 0e7d0b106..dd2dacd4a 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -5849,7 +5849,7 @@ version = "0.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ff32365de1b6743cb203b710788263c44a03de03802daf96092f2da4fe6ba4d7" dependencies = [ - "proc-macro-crate 1.1.3", + "proc-macro-crate 3.1.0", "proc-macro2", "quote", "syn 2.0.107",
@@ -6253,7 +6253,7 @@ dependencies = [ "pallet-evm-system", "pallet-timestamp", "parity-scale-codec", - "paste", + "pastey", "scale-info", "sp-core", "sp-io",
@@ -6756,6 +6756,12 @@ version = "1.0.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a" +[[package]] +name = "pastey" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b867cad97c0791bbd3aaa6472142568c6c9e8f71937e98379f584cfb0cf35bec" + [[package]] name = "pbkdf2" version = "0.8.0"
diff --git a/Cargo.toml b/Cargo.toml
index 40aa883bc..81a639264 100644
--- a/Cargo.toml
+++ b/Cargo.toml
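Review bot: In the `cargo deny` download step of `.github/workflows/code.yml`, the release tarball is still piped from `curl` straight into `sudo tar` with nothing checking its integrity, so CI extracts as root whatever the release URL serves at run time. Since the URL is being edited anyway, this is a good moment to pin a digest: download to a file, verify it with `echo "<sha256-of-0.18.9-tarball>  cargo-deny.tar.gz" | sha256sum -c -`, and only then extract. Adding `-f` to `curl -sSL` would also make an HTTP error fail the step instead of feeding an error page to `tar`. The surrounding job definition lies outside the hunk.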
@@ -44,7 +44,7 @@ num-traits = { version = "0.2", default-features = false }
 num_enum = { version = "0.7", default-features = false }
 numtoa = { version = "0.2", default-features = false }
 once_cell = { version = "1", default-features = false }
-paste = { version = "1.0", default-features = false }
+paste = { version = "0.2", package = "pastey", default-features = false }
 proc-macro2 = { version = "1", default-features = false }
 qr2term = { version = "0.3", default-features = false }
 quote = { version = "1.0", default-features = false }
diff --git a/deny.toml b/deny.toml
index 823eaef37..65c5698be 100644
--- a/deny.toml
+++ b/deny.toml
@@ -1,3 +1,4 @@
+[graph]
 targets = [
 # Host.
 { triple = "x86_64-unknown-linux-gnu", features = ["std"] },
@@ -9,14 +10,13 @@ targets = [
 ]
 all-features = false
 no-default-features = true
+
+[output]
 feature-depth = 1
 [advisories]
-db-urls = ["https://github.com/rustsec/advisory-db"]
-vulnerability = "deny"
-unmaintained = "allow"
+unmaintained = "workspace"
 yanked = "allow"
-notice = "deny"
 ignore = [
 # TODO(#1118): update the curve25519-dalek internal dependency to 4.1.3+
 "RUSTSEC-2024-0344",
@@ -38,10 +38,14 @@ ignore = [
 "RUSTSEC-2025-0055",
 # TODO(#1648): update the wasmtime internal dependency to 24.0.5+
 "RUSTSEC-2025-0118",
+ # TODO(#1648): update the wasmtime-debug internal dependency to 24.0.0
+ "RUSTSEC-2024-0442",
+ # TODO(#1657): atty in unmaintained, it is used by sc-tracing so wait for
+ # an update from upstream.
+ "RUSTSEC-2021-0145",
 ]
 [licenses]
-unlicensed = "deny"
 allow = [
 "MIT",
 "Apache-2.0",
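Review bot: The new `paste` entry in `Cargo.toml` resolves to a different crate (`package = "pastey"`) while keeping the old dependency name, and nothing on the line says why, so anyone auditing dependencies by name will assume the original `paste` 1.x. A comment above the entry would make the substitution explicit, for example `# Alias: resolves to the pastey crate so existing paste:: call sites keep compiling (see <tracking issue>).` The feature-snapshot context lines in this commit still list `paste 1.0.15`, which suggests the original crate stays in the tree through other dependencies; if the aim is to remove it entirely, that is worth stating in the commit description.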
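Review bot: In the `[advisories]` table of `deny.toml`, `unmaintained = "workspace"` replaces a blanket `"allow"` but carries no comment on the scope it selects; as I understand the current cargo-deny schema, it reports unmaintained advisories only for crates that workspace members depend on directly, so transitive-only crates are not covered. A line such as `# Only direct workspace dependencies are checked for unmaintained advisories; transitive ones are not reported.` above the key would make that limit visible. The removed `vulnerability = "deny"` and `notice = "deny"` keys presumably rely on the tool's built-in behaviour now, which is worth confirming against the 0.18.9 documentation. `yanked = "allow"` in the same table still lets yanked releases through without a warning.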
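Review bot: The two entries added to the `ignore` list in `deny.toml` keep their justification in free-form comments, while the `[[bans.deny]]` entry in this same commit moves its justification into a `reason` field. cargo-deny accepts the same form for ignores, e.g. `{ id = "RUSTSEC-2021-0145", reason = "atty is pulled in by sc-tracing; waiting for upstream, see #1657" },`, which puts the reason into the tool's output where it is harder to lose. The comment for that entry also has a typo: `atty in unmaintained` should read `atty is unmaintained`. The `ignore` array starts outside this hunk.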
@@ -52,18 +56,18 @@ allow = [
 "0BSD",
 "CC0-1.0",
 "Unlicense",
+ "GPL-3.0-or-later WITH Classpath-exception-2.0",
 # To review:
 "MPL-2.0",
- "GPL-3.0 WITH Classpath-exception-2.0",
 "OpenSSL",
 ]
-deny = []
-copyleft = "allow"
-allow-osi-fsf-free = "neither"
-default = "deny"
 confidence-threshold = 0.8
-exceptions = [{ allow = ["Unicode-DFS-2016"], name = "unicode-ident", version = "*" }]
+
+[[licenses.exceptions]]
+allow = ["Unicode-DFS-2016"]
+name = "unicode-ident"
+version = "*"
 [[licenses.clarify]]
 name = "ring"
@@ -81,14 +85,16 @@ highlight = "all"
 workspace-default-features = "allow"
 external-default-features = "allow"
 allow = []
-deny = [
- # Avoid using precompiled serde_derive.
- { name = "serde_derive", version = "> 1.0.171, < 1.0.184" },
-]
+
 features = []
 skip = []
 skip-tree = []
+[[bans.deny]]
+name = "serde_derive"
+version = "> 1.0.171, < 1.0.184"
+reason = "Avoid using precompiled serde_derive."
+
 [sources]
 unknown-registry = "deny"
 unknown-git = "deny"
diff --git a/utils/checks/snapshots/features.yaml b/utils/checks/snapshots/features.yaml
index 417d26b3b..a7fd0dca5 100644
--- a/utils/checks/snapshots/features.yaml
+++ b/utils/checks/snapshots/features.yaml
@@ -2143,6 +2143,8 @@ features: [] - name: paste 1.0.15 features: [] +- name: pastey 0.2.1 + features: [] - name: pbkdf2 0.12.2 features: - hmac
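Review bot: In the `[licenses]` `allow` list of `deny.toml`, the new `"GPL-3.0-or-later WITH Classpath-exception-2.0"` entry is added above the `# To review:` comment, whereas the entry it replaces, `"GPL-3.0 WITH Classpath-exception-2.0"`, sat below it. That moves a copyleft licence out of the pending-review group and widens it to `-or-later` in the same step; if no review has taken place, the entry should stay under `# To review:`. With `default = "deny"` and `copyleft = "allow"` removed here, the allow list is presumably the only gate left, so a short comment above `allow` such as `# Any licence not listed here is rejected.` would record that intent. The `allow` array opens outside this hunk.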