diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml
index 2657cbc8..d37d460f 100644
--- a/.github/workflows/pypi-publish.yml
+++ b/.github/workflows/pypi-publish.yml
@@ -7,29 +7,5 @@ on:
 jobs:
 Publish:
- runs-on: ubuntu-20.04
- steps:
- - name: Checkout
- uses: actions/checkout@v2
-
- - name: Set up Python
- uses: actions/setup-python@v2
- with:
- python-version: 3.7
-
- - name: Install dependencies
- run: |
- python -m pip install --upgrade pip
- pip install setuptools wheel babel
-
- - name: Build package
- # Remove `compile_catalog` if the package has no translations.
- run: |
- python setup.py compile_catalog sdist bdist_wheel
-
- - name: Publish on PyPI
- uses: pypa/gh-action-pypi-publish@v1.3.1
- with:
- user: __token__
- # The token is provided by the inveniosoftware organization
- password: ${{ secrets.pypi_token }}
+ uses: inveniosoftware/workflows/.github/workflows/pypi-publish.yml@master
+ secrets: inherit
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index b59ac4f4..2263873a 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -26,3 +26,4 @@ jobs:
 uses: inveniosoftware/workflows/.github/workflows/tests-python.yml@master
 with:
 extras: "tests,admin,postgresql"
+ search-service: '[""]'
diff --git a/CHANGES.rst b/CHANGES.rst
index 445077f8..5770f251 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -1,6 +1,7 @@
 ..
 This file is part of Invenio.
 Copyright (C) 2015-2024 CERN.
+ Copyright (C) 2024 Graz University of Technology.
 Invenio is free software; you can redistribute it and/or modify it
 under the terms of the MIT License; see LICENSE file for more details.
@@ -8,6 +9,10 @@
 Changes
 =======
+Version v5.1.6 (released 2024-11-28)
+
+- setup: pin dependencies
+
 Version v5.1.5 (released 2024-11-05)
 - model: make forward compatible to sqlalchemy >= 2
diff --git a/invenio_accounts/__init__.py b/invenio_accounts/__init__.py
index 3fb2c006..aeb40513 100644
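Review bot: In `.github/workflows/pypi-publish.yml`, the new `uses: inveniosoftware/workflows/.github/workflows/pypi-publish.yml@master` line references the release workflow by a mutable branch, and `secrets: inherit` hands it every secret this repository can see, so whatever sits on `master` of that repository at tag time runs with the PyPI token. Pinning the reference to a full commit SHA (`uses: inveniosoftware/workflows/.github/workflows/pypi-publish.yml@<commit-sha>`) and passing only the secret the publish job needs, instead of `inherit`, would keep the release path reviewable and least-privileged. The explicit mapping depends on the secret names the called workflow declares, which are not visible in this diff. The `tests-python.yml@master` context line in `tests.yml` uses the same kind of mutable reference.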
--- a/invenio_accounts/__init__.py
+++ b/invenio_accounts/__init__.py
@@ -55,7 +55,7 @@ from .ext import InvenioAccounts, InvenioAccountsREST, InvenioAccountsUI
 from .proxies import current_accounts
-__version__ = "5.1.5"
+__version__ = "5.1.6"
 __all__ = (
 "__version__",
diff --git a/invenio_accounts/utils.py b/invenio_accounts/utils.py
index 4711e2a4..077537ed 100644
--- a/invenio_accounts/utils.py
+++ b/invenio_accounts/utils.py
@@ -2,6 +2,7 @@
 #
 # This file is part of Invenio.
 # Copyright (C) 2017-2024 CERN.
+# Copyright (C) 2024 Graz University of Technology.
 #
 # Invenio is free software; you can redistribute it and/or modify it
 # under the terms of the MIT License; see LICENSE file for more details.
@@ -105,6 +106,13 @@ def jwt_decode_token(token):
 return decode(
 token,
 current_app.config["ACCOUNTS_JWT_SECRET_KEY"],
+ options={
+ # Based on the JWT spec (https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2)
+ # the "sub" claim has to be a string. However, we are not enforcing this
+ # and are assuming that the "sub" claim is an object/dictionary.
+ # PyJWT v2.10.0 started enforcing this and we are disabling this check.
+ "verify_sub": False,
+ },
 algorithms=[current_app.config["ACCOUNTS_JWT_ALOGORITHM"]],
 )
 except DecodeError as exc:
diff --git a/setup.cfg b/setup.cfg
index 51ec54a4..5f8978e0 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -3,7 +3,7 @@
 # This file is part of Invenio.
 # Copyright (C) 2015-2024 CERN.
 # Copyright (C) 2021 TU Wien.
-# Copyright (C) 2022 Graz University of Technology.
+# Copyright (C) 2022-2024 Graz University of Technology.
 #
 # Invenio is free software; you can redistribute it and/or modify it
 # under the terms of the MIT License; see LICENSE file for more details.
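Review bot: With `"verify_sub": False` added to the `options` passed to `decode()` in `jwt_decode_token`, nothing visible in this hunk checks that `sub` is present or has the dictionary shape the new comment says the code assumes. The signature is still verified, so this is a robustness gap rather than a bypass, but a caller that indexes into `sub` would fail with an unrelated error on a validly signed token of a different shape. Consider checking the decoded payload before returning it, for example `if not isinstance(payload.get("sub"), dict):` followed by the same error the `except DecodeError` branch raises, and extending the comment to say the option can be dropped once `sub` is issued as a string. The function starts and ends outside the hunk, so such a check may already exist further down or in the callers.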
@@ -31,11 +31,11 @@ install_requires =
 cryptography>=3.0.0
 Flask-KVSession-Invenio>=0.6.3
 Flask-Security-Invenio>=3.3.0
- invenio-celery>=1.2.3
- invenio-i18n>=2.0.0
- invenio-mail>=1.0.2
- invenio-rest>=1.2.4
- invenio-theme>=2.0.0
+ invenio-celery>=1.2.3,<2.0.0
+ invenio-i18n>=2.0.0,<3.0.0
+ invenio-mail>=1.0.2,<3.0.0
+ invenio-rest>=1.2.4,<2.0.0
+ invenio-theme>=2.0.0,<4.0.0
 maxminddb-geolite2>=2017.404
 pyjwt>=1.5.0
 simplekv>=0.11.2
@@ -43,18 +43,18 @@ install_requires =
 [options.extras_require]
 admin =
- invenio-admin>=1.2.1
+ invenio-admin>=1.2.1,<2.0.0
 postgresql =
- invenio-db[postgresql]>=1.0.14
+ invenio-db[postgresql]>=1.0.14,<2.0.0
 mysql =
- invenio-db[mysql]>=1.0.14
+ invenio-db[mysql]>=1.0.14,<2.0.0
 sqlite =
- invenio-db>=1.0.14
+ invenio-db>=1.0.14,<2.0.0
 tests =
 mock>=1.3.0
- invenio-app>=1.4.0
- pytest-black>=0.3.0
- pytest-invenio>=2.1.4
+ invenio-app>=1.4.0,<2.0.0
+ pytest-black-ng>=0.4.0
+ pytest-invenio>=2.1.4,<3.0.0
 sphinx>=5,<6.0.0
 [options.entry_points]
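Review bot: `pyjwt>=1.5.0` stays without an upper bound in `install_requires`, although this same commit has to work around a behaviour change in PyJWT 2.10.0 (`verify_sub` in `invenio_accounts/utils.py`); the caps in this hunk are added only to the `invenio-*` packages. A bound such as `pyjwt>=1.5.0,<3.0.0` would keep the next major release of the token-handling library from reaching deployments before it has been tested here. If leaving it open is deliberate, the changelog entry `setup: pin dependencies` could say which packages are covered.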
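Review bot: In the `tests` extra, `pytest-black>=0.3.0` is replaced by a differently named distribution, `pytest-black-ng>=0.4.0`, and it is the only changed line in this hunk that gets no upper bound. Swapping a package is more than a pin, so it deserves its own mention in the changelog (for example `- setup: pin dependencies, switch to pytest-black-ng`) and a bound in line with its neighbours, e.g. `pytest-black-ng>=0.4.0,<1.0.0`. Test extras are installed in CI, so the new distribution's publisher and provenance are worth confirming as part of the review.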