diff --git a/bypy/sources.json b/bypy/sources.json
index 011fb42bfd..fcabe646aa 100644
--- a/bypy/sources.json
+++ b/bypy/sources.json
@@ -509,12 +509,12 @@
     },
 
     {
-        "name": "nodejs 20.19.2",
+        "name": "nodejs 20.19.4",
 		"type": "build",
 		"comment": "Needed for building Qt WebEngine",
         "os": "macos,linux",
         "unix": {
-            "hash": "sha256:045deaf3179e85ddd871e925f39b04214f37c7d16b6980fab2f061d6739d8207",
+            "hash": "sha256:a87cf69f4df8deece34165ebf668e3279e12352c4f077a9cc87641f4c9d21a96",
             "urls": ["https://github.com/nodejs/node/archive/refs/tags/v{version}.{file_extension}"]
         }
     },
diff --git a/setup/unix-ci.py b/setup/unix-ci.py
index 82ac00f541..b0676f10dd 100644
--- a/setup/unix-ci.py
+++ b/setup/unix-ci.py
@@ -168,7 +168,13 @@ IGNORED_DEPENDENCY_CVES = [
     'CVE-2025-8194',  # DoS in tarfile
     'CVE-2025-6069',  # DoS in HTMLParser
     # glib
-    'CVE-2025-4056',  # Only affects Windows, on which we dont run
+    'CVE-2025-4056',  # Only affects Windows, on which we dont use glib
+    # libtiff
+    'CVE-2025-8851',  # this is erroneously marked as fixed in the database but no release of libtiff has been made with the fix
+    # hyphen
+    'CVE-2017-1000376',  # false match in the database
+    # espeak
+    'CVE-2023-4990',  # false match because we currently build with a specific commit pending release of espeak 1.53
 ]