diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6d1814e..959c3e1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -48,7 +48,7 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.3.8
+          bun-version: 1.3.13
       - name: Install dependencies
         run: bun install --frozen-lockfile --ignore-scripts
       - name: Typecheck
@@ -66,7 +66,7 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.3.8
+          bun-version: 1.3.13
       - name: Install dependencies
         run: bun install --frozen-lockfile --production --ignore-scripts
       - name: Run tests
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3a4b95e..ea8a7d6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -34,7 +34,7 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.3.8
+          bun-version: 1.3.13
       - name: Install dependencies
         run: bun install --frozen-lockfile --ignore-scripts
       - name: Lint and typecheck
@@ -44,7 +44,7 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v4
         with:
-          node-version: 20.20.0
+          node-version: 20.20.2
           registry-url: https://registry.npmjs.org
       - name: Verify package version matches tag
         run: node -e "const fs=require('node:fs'); const pkg=JSON.parse(fs.readFileSync('package.json','utf8')); const tag=process.env.RELEASE_TAG.replace(/^v/,''); if(pkg.version!==tag){console.error(`package.json version ${pkg.version} != tag ${tag}`); process.exit(1)}"