diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index f040c1f856f..50899f5f82e 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -59,11 +59,16 @@ jobs:
           crate: taplo-cli
           locked: true
       - name: Install cargo-deny
-        if: ${{ runner.environment != 'self-hosted' }}
+        # We need at least 0.18.6 due to #41845, but the fix in #41853
+        # can't land without first upgrading cargo-deny in self-hosted
+        # runners. So, use the action to install 0.19.0 on both GH and
+        # self-hosted runners for now and make this conditional again
+        # after https://github.com/servo/ci-runners/issues/98 is done.
+        # if: ${{ runner.environment != 'self-hosted' }}
         uses: baptiste0928/cargo-install@v3
         with:
           crate: cargo-deny
-          version: 0.18.3
+          version: 0.19.0
           locked: true
       - name: Bootstrap dependencies
         if: ${{ runner.environment != 'self-hosted' }}
diff --git a/deny.toml b/deny.toml
index dc3f6c31af2..cba723694b1 100644
--- a/deny.toml
+++ b/deny.toml
@@ -28,6 +28,9 @@ ignore = [
     # cryptographic secret via side channel. Wait for a patch in stable
     # release version from upstream.
     "RUSTSEC-2023-0071",
+    # The crate `bincode` is unmaintained. This crate is now pinned in Servo.
+    # See the comment above `bincode` entry in Cargo.toml.
+    "RUSTSEC-2025-0141",
 ]
 
 # This section is considered when running `cargo deny check licenses`
@@ -193,6 +196,18 @@ skip = [
     # 0.3.0 and ml-dsa releases the next version 0.1.0, we can remove
     # this.
     "hybrid-array",
+
+
+    # The following 5 duplicates were introduced when Servo's CI was failing to
+    # detect duplicates introduced in automatic dependabot PRs (#38945). They
+    # are added here to allow the fix for this issue to land as a priority.
+    # These need to be investigated separately to see if the duplication can be
+    # avoided.
+    "libloading",
+    "futures",
+    "cfg-expr",
+    "system-deps",
+    "target-lexicon",
 ]
 
 # github.com organizations to allow git sources for
diff --git a/python/servo/platform/base.py b/python/servo/platform/base.py
index c9ca7d6e09d..94d30f6e68e 100644
--- a/python/servo/platform/base.py
+++ b/python/servo/platform/base.py
@@ -92,16 +92,16 @@ class Base:
         def cargo_deny_installed() -> bool:
             if force or not shutil.which("cargo-deny"):
                 return False
-            # Tidy needs at least version 0.18.1 installed.
+            # Tidy needs at least version 0.18.6 installed.
             result = subprocess.run(["cargo-deny", "--version"], encoding="utf-8", capture_output=True)
             (major, minor, micro) = result.stdout.strip().split(" ")[1].split(".", 2)
-            return (int(major), int(minor), int(micro)) >= (0, 18, 1)
+            return (int(major), int(minor), int(micro)) >= (0, 18, 6)
 
         if cargo_deny_installed():
             return False
 
         print(" * Installing cargo-deny...")
-        if subprocess.call(["cargo", "install", "cargo-deny@0.18.3", "--locked"]) != 0:
+        if subprocess.call(["cargo", "install", "cargo-deny@0.19.0", "--locked"]) != 0:
             raise EnvironmentError("Installation of cargo-deny failed.")
         return True
 
diff --git a/python/tidy/tidy.py b/python/tidy/tidy.py
index c5cf00ab671..e2b1ac7d740 100644
--- a/python/tidy/tidy.py
+++ b/python/tidy/tidy.py
@@ -506,6 +506,16 @@ def run_cargo_deny_lints() -> Iterator[tuple[str, int, str]]:
         elif error_severity in ["warning", "error"]:
             errors.append((CARGO_DENY_CONFIG_FILE, line, f"{message}: {span}"))
 
+    # If there are no known errors but cargo-deny still failed, ensure test-tidy also fails.
+    if len(errors) == 0 and result.returncode != 0:
+        errors.append(
+            (
+                CARGO_DENY_CONFIG_FILE,
+                1,
+                f"Unknown error when running `cargo-deny`. See the full output:\n f{result.stderr}",
+            )
+        )
+
     for error in errors:
         yield error
 
diff --git a/shell.nix b/shell.nix
index 89186ba4ff1..b4cafe1fec5 100644
--- a/shell.nix
+++ b/shell.nix
@@ -8,7 +8,7 @@ with import (builtins.fetchTarball {
   # NixOS users: if servoshell crashes with an assertion failure in surfman’s x11/connection.rs,
   # eglInitialize() may be failing, or you may be building with an incompatible version of glibc.
   # Use your system nixpkgs here, change `llvmPackages` below if necessary, then do a clean build.
-  url = "https://github.com/NixOS/nixpkgs/archive/a8d610af3f1a5fb71e23e08434d8d61a466fc942.tar.gz";
+  url = "https://github.com/NixOS/nixpkgs/archive/ffbc9f8cbaacfb331b6017d5a5abb21a492c9a38.tar.gz";
 }) {
   overlays = [
     (import (builtins.fetchTarball {