diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3a312d39f5f..f1a2e1cc429 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,8 +25,9 @@ This version of Nokogiri uses [`jar-dependencies`](https://github.com/mkristian/
 
 ### Dependencies
 
-* [CRuby] Vendored libxml2 is updated to [v2.10.0](https://download.gnome.org/sources/libxml2/2.10/libxml2-2.10.0.news).
+* [CRuby] Vendored libxml2 is updated to [v2.10.1](https://download.gnome.org/sources/libxml2/2.10/libxml2-2.10.0.news).
 * [CRuby] Vendored libxslt is updated to [v1.1.36](https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.36).
+* [CRuby] Vendored libiconv is updated to [v1.17](https://savannah.gnu.org/forum/forum.php?forum_id=10175)
 * [JRuby] HTML parsing is now provided `net.sourceforge.htmlunit:neko-htmlunit:2.61.0` (previously was a fork of `org.cyberneko.html:nekohtml`)
 * [JRuby] Vendored Jing is updated from `com.thaiopensource:jing:20091111` to `nu.validator:jing:20200702VNU`.
 * [JRuby] New dependency on `net.sf.saxon:Saxon-HE:9.6.0-4` (via `nu.validator:jing:20200702VNU`).
diff --git a/dependencies.yml b/dependencies.yml
index 67eed6b5e66..fec3a4181d9 100644
--- a/dependencies.yml
+++ b/dependencies.yml
@@ -1,7 +1,7 @@
 libxml2:
-  version: "2.10.0"
-  sha256: "2dd33110ea778676de14bea4999ee1173c4ca55d5ff1452bca224e06f0152595"
-  # sha-256 hash provided in https://download.gnome.org/sources/libxml2/2.10/libxml2-2.10.0.sha256sum
+  version: "2.10.1"
+  sha256: "21a9e13cc7c4717a6c36268d0924f92c3f67a1ece6b7ff9d588958a6db9fb9d8"
+  # sha-256 hash provided in https://download.gnome.org/sources/libxml2/2.10/libxml2-2.10.1.sha256sum
 
 libxslt:
   version: "1.1.36"
@@ -14,10 +14,28 @@ zlib:
   # SHA-256 hash provided on http://zlib.net/
 
 libiconv:
-  version: "1.16"
-  sha256: "e6a1b1b589654277ee790cce3734f07876ac4ccfaecbee8afa0b649cf529cc04"
-  # gpg: Signature made Fri 26 Apr 2019 03:36:38 PM EDT
-  # gpg:                using RSA key 4F494A942E4616C2
-  # gpg: Good signature from "Bruno Haible (Open Source Development) <bruno@clisp.org>" [expired]
-  # gpg: Note: This key has expired!
-  # Primary key fingerprint: 68D9 4D8A AEEA D48A E7DC  5B90 4F49 4A94 2E46 16C2
+  version: "1.17"
+  sha256: "8f74213b56238c85a50a5329f77e06198771e70dd9a739779f4c02f65d971313"
+  # signature verified by following this path:
+  # - release announced at https://savannah.gnu.org/forum/forum.php?forum_id=10175
+  # - which links to https://savannah.gnu.org/users/haible as the releaser
+  # - which links to https://savannah.gnu.org/people/viewgpg.php?user_id=1871 as the gpg key
+  #
+  # So:
+  # - wget -q -O - https://savannah.gnu.org/people/viewgpg.php?user_id=1871 | gpg --import
+  #     gpg: key F5BE8B267C6A406D: 1 signature not checked due to a missing key
+  #     gpg: key F5BE8B267C6A406D: public key "Bruno Haible (Open Source Development) <bruno@clisp.org>" imported
+  #     gpg: Total number processed: 1
+  #     gpg:               imported: 1
+  #     gpg: marginals needed: 3  completes needed: 1  trust model: pgp
+  #     gpg: depth: 0  valid:   4  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 4u
+  #     gpg: next trustdb check due at 2024-05-09
+  # - gpg --verify libiconv-1.17.tar.gz.sig ports/archives/libiconv-1.17.tar.gz
+  #     gpg: Signature made Sun 15 May 2022 11:26:42 AM EDT
+  #     gpg:                using RSA key 9001B85AF9E1B83DF1BDA942F5BE8B267C6A406D
+  #     gpg: Good signature from "Bruno Haible (Open Source Development) <bruno@clisp.org>" [unknown]
+  #     gpg: WARNING: This key is not certified with a trusted signature!
+  #     gpg:          There is no indication that the signature belongs to the owner.
+  #     Primary key fingerprint: 9001 B85A F9E1 B83D F1BD  A942 F5BE 8B26 7C6A 406D
+  #
+  # And this sha256sum is calculated from that verified tarball.