diff --git a/cumulus/bridges/modules/grandpa/src/lib.rs b/cumulus/bridges/modules/grandpa/src/lib.rs
index 10b60878302e898b27e402259f91ce7088ffdf83..f9c3ab68a06f2b691fe6c0918d3711deae61c7fc 100644
--- a/cumulus/bridges/modules/grandpa/src/lib.rs
+++ b/cumulus/bridges/modules/grandpa/src/lib.rs
@@ -176,11 +176,12 @@ pub mod pallet {
 			justification.votes_ancestries.len().saturated_into(),
 		))]
 		pub fn submit_finality_proof(
-			_origin: OriginFor<T>,
+			origin: OriginFor<T>,
 			finality_target: Box<BridgedHeader<T, I>>,
 			justification: GrandpaJustification<BridgedHeader<T, I>>,
 		) -> DispatchResultWithPostInfo {
 			Self::ensure_not_halted().map_err(Error::<T, I>::BridgeModule)?;
+			ensure_signed(origin)?;
 
 			let (hash, number) = (finality_target.hash(), *finality_target.number());
 			log::trace!(
@@ -1414,4 +1415,23 @@ mod tests {
 	fn maybe_headers_to_keep_returns_correct_value() {
 		assert_eq!(MaybeHeadersToKeep::<TestRuntime, ()>::get(), Some(mock::HeadersToKeep::get()));
 	}
+
+	#[test]
+	fn submit_finality_proof_requires_signed_origin() {
+		run_test(|| {
+			initialize_substrate_bridge();
+
+			let header = test_header(1);
+			let justification = make_default_justification(&header);
+
+			assert_noop!(
+				Pallet::<TestRuntime>::submit_finality_proof(
+					RuntimeOrigin::root(),
+					Box::new(header),
+					justification,
+				),
+				DispatchError::BadOrigin,
+			);
+		})
+	}
 }
diff --git a/cumulus/bridges/modules/parachains/src/lib.rs b/cumulus/bridges/modules/parachains/src/lib.rs
index b17b52163d8574894c3ea045354ed42731c11ac1..52b436b8207123f317632ee23d72e1c964dd3fd0 100644
--- a/cumulus/bridges/modules/parachains/src/lib.rs
+++ b/cumulus/bridges/modules/parachains/src/lib.rs
@@ -307,12 +307,13 @@ pub mod pallet {
 			parachains.len() as _,
 		))]
 		pub fn submit_parachain_heads(
-			_origin: OriginFor<T>,
+			origin: OriginFor<T>,
 			at_relay_block: (RelayBlockNumber, RelayBlockHash),
 			parachains: Vec<(ParaId, ParaHash)>,
 			parachain_heads_proof: ParaHeadsProof,
 		) -> DispatchResultWithPostInfo {
 			Self::ensure_not_halted().map_err(Error::<T, I>::BridgeModule)?;
+			ensure_signed(origin)?;
 
 			// we'll need relay chain header to verify that parachains heads are always increasing.
 			let (relay_block_number, relay_block_hash) = at_relay_block;
@@ -417,7 +418,7 @@ pub mod pallet {
 					});
 
 				// we're refunding weight if update has not happened and if pruning has not happened
-				let is_update_happened = matches!(update_result, Ok(_));
+				let is_update_happened = update_result.is_ok();
 				if !is_update_happened {
 					actual_weight = actual_weight.saturating_sub(
 						WeightInfoOf::<T, I>::parachain_head_storage_write_weight(
@@ -1579,4 +1580,25 @@ pub(crate) mod tests {
 			Some(mock::TOTAL_PARACHAINS * mock::HeadsToKeep::get()),
 		);
 	}
+
+	#[test]
+	fn submit_finality_proof_requires_signed_origin() {
+		run_test(|| {
+			let (state_root, proof, parachains) =
+				prepare_parachain_heads_proof::<RegularParachainHeader>(vec![(1, head_data(1, 0))]);
+
+			initialize(state_root);
+
+			// `submit_parachain_heads()` should fail when the pallet is halted.
+			assert_noop!(
+				Pallet::<TestRuntime>::submit_parachain_heads(
+					RuntimeOrigin::root(),
+					(0, test_relay_header(0, state_root).hash()),
+					parachains,
+					proof,
+				),
+				DispatchError::BadOrigin
+			);
+		})
+	}
 }
diff --git a/cumulus/bridges/primitives/chain-bridge-hub-cumulus/src/lib.rs b/cumulus/bridges/primitives/chain-bridge-hub-cumulus/src/lib.rs
index 78a98a42a664fb3d29f5d2e073ef38a9fce9a949..8ff096d077f57f88494f5a2c23fba1ec16a2402a 100644
--- a/cumulus/bridges/primitives/chain-bridge-hub-cumulus/src/lib.rs
+++ b/cumulus/bridges/primitives/chain-bridge-hub-cumulus/src/lib.rs
@@ -124,9 +124,13 @@ pub type Address = MultiAddress<AccountId, ()>;
 // `ensure_able_to_receive_confirmation` test.
 
 /// Maximal number of unrewarded relayer entries at inbound lane for Cumulus-based parachains.
+/// Note: this value is security-relevant, decreasing it should not be done without careful
+/// analysis (like the one above).
 pub const MAX_UNREWARDED_RELAYERS_IN_CONFIRMATION_TX: MessageNonce = 1024;
 
 /// Maximal number of unconfirmed messages at inbound lane for Cumulus-based parachains.
+/// Note: this value is security-relevant, decreasing it should not be done without careful
+/// analysis (like the one above).
 pub const MAX_UNCONFIRMED_MESSAGES_IN_CONFIRMATION_TX: MessageNonce = 4096;
 
 /// Extra signed extension data that is used by all bridge hubs.
diff --git a/cumulus/bridges/primitives/header-chain/Cargo.toml b/cumulus/bridges/primitives/header-chain/Cargo.toml
index 32f81315537d5b44c51980bebd261364474f9588..962d262d571b3d775a8bcee826c9d6d75b4a6c24 100644
--- a/cumulus/bridges/primitives/header-chain/Cargo.toml
+++ b/cumulus/bridges/primitives/header-chain/Cargo.toml
@@ -9,7 +9,7 @@ license = "GPL-3.0-or-later WITH Classpath-exception-2.0"
 [dependencies]
 codec = { package = "parity-scale-codec", version = "3.1.5", default-features = false }
 finality-grandpa = { version = "0.16.2", default-features = false }
-scale-info = { version = "2.6.0", default-features = false, features = ["derive"] }
+scale-info = { version = "2.9.0", default-features = false, features = ["derive"] }
 serde = { version = "1.0", default-features = false, features = ["alloc", "derive"] }
 
 # Bridge dependencies
diff --git a/cumulus/bridges/primitives/messages/Cargo.toml b/cumulus/bridges/primitives/messages/Cargo.toml
index cc439a55ae29c028fe37cea750d12f8561846b7c..ecb0bdc4079d1e8767a4ba891c48fcaa34f81394 100644
--- a/cumulus/bridges/primitives/messages/Cargo.toml
+++ b/cumulus/bridges/primitives/messages/Cargo.toml
@@ -8,7 +8,7 @@ license = "GPL-3.0-or-later WITH Classpath-exception-2.0"
 
 [dependencies]
 codec = { package = "parity-scale-codec", version = "3.1.5", default-features = false, features = ["derive", "bit-vec"] }
-scale-info = { version = "2.6.0", default-features = false, features = ["bit-vec", "derive"] }
+scale-info = { version = "2.9.0", default-features = false, features = ["bit-vec", "derive"] }
 serde = { version = "1.0", default-features = false, features = ["alloc", "derive"] }
 
 # Bridge dependencies
diff --git a/cumulus/bridges/primitives/parachains/Cargo.toml b/cumulus/bridges/primitives/parachains/Cargo.toml
index c18c931bd3357936e8390e67a6403f5e395d8959..6cd138c62249a83228822d8b3740ee91bd274e22 100644
--- a/cumulus/bridges/primitives/parachains/Cargo.toml
+++ b/cumulus/bridges/primitives/parachains/Cargo.toml
@@ -9,7 +9,7 @@ license = "GPL-3.0-or-later WITH Classpath-exception-2.0"
 [dependencies]
 codec = { package = "parity-scale-codec", version = "3.1.5", default-features = false, features = ["derive"] }
 impl-trait-for-tuples = "0.2"
-scale-info = { version = "2.6.0", default-features = false, features = ["derive"] }
+scale-info = { version = "2.9.0", default-features = false, features = ["derive"] }
 
 # Bridge dependencies
 
diff --git a/cumulus/bridges/primitives/polkadot-core/Cargo.toml b/cumulus/bridges/primitives/polkadot-core/Cargo.toml
index 56c6de04d41c22b6a32d2265e58a1435fc0a87c7..b7ba4803473874b4269fa90016c129498c21ca5d 100644
--- a/cumulus/bridges/primitives/polkadot-core/Cargo.toml
+++ b/cumulus/bridges/primitives/polkadot-core/Cargo.toml
@@ -9,7 +9,7 @@ license = "GPL-3.0-or-later WITH Classpath-exception-2.0"
 [dependencies]
 codec = { package = "parity-scale-codec", version = "3.1.5", default-features = false, features = ["derive"] }
 parity-util-mem = { version = "0.12.0", optional = true }
-scale-info = { version = "2.6.0", default-features = false, features = ["derive"] }
+scale-info = { version = "2.9.0", default-features = false, features = ["derive"] }
 serde = { version = "1.0", optional = true, features = ["derive"] }
 
 # Bridge Dependencies
diff --git a/cumulus/bridges/primitives/relayers/Cargo.toml b/cumulus/bridges/primitives/relayers/Cargo.toml
index b84b0393adf1d3231e84da45ac337125aa605ad4..fd2c9e19f984143217671a2f882d5b3570db90f9 100644
--- a/cumulus/bridges/primitives/relayers/Cargo.toml
+++ b/cumulus/bridges/primitives/relayers/Cargo.toml
@@ -8,7 +8,7 @@ license = "GPL-3.0-or-later WITH Classpath-exception-2.0"
 
 [dependencies]
 codec = { package = "parity-scale-codec", version = "3.1.5", default-features = false, features = ["derive", "bit-vec"] }
-scale-info = { version = "2.6.0", default-features = false, features = ["bit-vec", "derive"] }
+scale-info = { version = "2.9.0", default-features = false, features = ["bit-vec", "derive"] }
 
 # Bridge Dependencies
 
diff --git a/cumulus/bridges/primitives/runtime/Cargo.toml b/cumulus/bridges/primitives/runtime/Cargo.toml
index 3e6a30a061cafbc586e9428aa9003653bdfd8b30..dea3c979b86283d694cb883458f0ee9f4c727885 100644
--- a/cumulus/bridges/primitives/runtime/Cargo.toml
+++ b/cumulus/bridges/primitives/runtime/Cargo.toml
@@ -11,7 +11,7 @@ codec = { package = "parity-scale-codec", version = "3.1.5", default-features =
 hash-db = { version = "0.16.0", default-features = false }
 impl-trait-for-tuples = "0.2.2"
 num-traits = { version = "0.2", default-features = false }
-scale-info = { version = "2.6.0", default-features = false, features = ["derive", "serde"] }
+scale-info = { version = "2.9.0", default-features = false, features = ["derive"] }
 serde = { version = "1.0", default-features = false, features = ["alloc", "derive"] }
 
 # Substrate Dependencies
diff --git a/cumulus/scripts/bridges_update_subtree.sh b/cumulus/scripts/bridges_update_subtree.sh
index 3928dc23213844c982aeefa956694042ea39b167..5c5c7a322a163d5db9f7fa4e714c4951f296e1df 100755
--- a/cumulus/scripts/bridges_update_subtree.sh
+++ b/cumulus/scripts/bridges_update_subtree.sh
@@ -8,7 +8,7 @@
 
 set -e
 
-BRIDGES_BRANCH="${BRANCH:-master}"
+BRIDGES_BRANCH="${BRANCH:-polkadot-staging}"
 BRIDGES_TARGET_DIR="${TARGET_DIR:-bridges}"
 
 function fetch() {