diff --git a/deny.toml b/deny.toml
index c716501..8f29292 100644
--- a/deny.toml
+++ b/deny.toml
@@ -2,8 +2,16 @@
 # https://embarkstudios.github.io/cargo-deny/
 
 [advisories]
-unmaintained = "workspace"
-yanked = "warn"
+# In v2, vulnerability advisories always emit errors (not configurable).
+# unmaintained: scope of unmaintained-crate checks (all | workspace | transitive | none)
+unmaintained = "all"
+# yanked: deny | warn | allow
+yanked = "deny"
+# Ignore known unmaintained transitive deps we cannot easily replace
+ignore = [
+    # bincode v2.0.1 via probe-rs — project ceased but 1.3.3 considered complete
+    "RUSTSEC-2025-0141",
+]
 
 [licenses]
 # All licenses are denied unless explicitly allowed