diff --git a/.cirrus.yml b/.cirrus.yml
index 6d81f20090..a9557a83e1 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -376,6 +376,7 @@ ubuntu22_spicy_head_task:
 << : *CI_TEMPLATE
 env:
 ZEEK_CI_CREATE_ARTIFACT: 1
+ ZEEK_CI_CONFIGURE_FLAGS: *SPICY_SSL_CONFIG
 # Pull auxil/spicy to the latest head version. May or may not build.
 ZEEK_CI_PREBUILD_COMMAND: 'cd auxil/spicy && git fetch && git reset --hard origin/main && git submodule update --init --recursive'
 spicy_install_analyzers_script: ./ci/spicy-install-analyzers.sh
diff --git a/CHANGES b/CHANGES
index b3d6ee3cb0..c213b9d0c7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,29 @@
+8.0.0-dev.439 | 2025-06-18 13:12:59 +0200
+
+ * Enable Spicy SSL analyzer in nightly CI job against Spicy `HEAD` (Benjamin Bannier, Corelight)
+
+ * Clean up use of references in Spicy SSL analyzer (Benjamin Bannier, Corelight)
+
+ The Spicy SSL analyzer was using references pretty heavily, probably to
+ work around now fixed issues with `inout` parameters in older Spicy
+ versions. At least for units this seems not needed anymore, and was also
+ partially incorrect, e.g., the Spicy docs call out that when using
+ `inout` parameters, passed and expected types should match exactly so
+ passing a reference as an `inout` value seems incorrect. Additionally,
+ one use case for references in Spicy is to use their interior
+ mutability, i.e., a reference never needs to be passed `inout` since
+ their can always be mutated.
+
+ Internally units are stored as reference-counted values, and references
+ to units are not much cheaper since they also need to be refcounted.
+ With that there seems litle reason to use references in this analyzer at
+ all, and this patch drops their use completely; instead we either pass
+ values, or values declared `inout`.
+
+ We leave the use of references for sharing sinks in place.
+
+ * GH-2091: Add workaround for zeek/spicy#2091 (Benjamin Bannier, Corelight)
+
 8.0.0-dev.435 | 2025-06-17 09:25:30 +0200
 * GH-4573: IOSource: Remove IsPacketSource (Arne Welzel, Corelight)
diff --git a/VERSION b/VERSION
index f720a2d61b..a15bb67712 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-8.0.0-dev.435
+8.0.0-dev.439
diff --git a/src/analyzer/protocol/ssl/spicy/SSL.spicy b/src/analyzer/protocol/ssl/spicy/SSL.spicy
index 826a8ec7e6..ee50442cb3 100644
--- a/src/analyzer/protocol/ssl/spicy/SSL.spicy
+++ b/src/analyzer/protocol/ssl/spicy/SSL.spicy
@@ -862,16 +862,16 @@ type Heartbeat = unit(sh: Share, length: uint16) {
 };
 # note - this will mostly be garbage because it is encrypted.
-public type Alert = unit(sh: Share&) {
+public type Alert = unit(sh: Share) {
 alerts: Alert_message(sh)[];
 };
-type Alert_message = unit(sh: Share&) {
+type Alert_message = unit(sh: Share) {
 level: uint8; # &convert=AlertLevel($$);
 description: uint8; # &convert=AlertDescription($$);
 };
-type Handshake = unit(inout msg: Message, sh: Share&) {
+type Handshake = unit(inout msg: Message, inout sh: Share) {
 handshakes: Handshake_message(msg, sh)[];
 };
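Review bot: `Handshake` now takes `inout sh: Share` while `Alert` and `Alert_message` take `sh: Share` by value, and nothing at these signatures records why they differ. If the by-value form is intended because the alert path only reads the shared state (the visible `Alert_message` fields do not reference `sh` at all), a comment above `Alert` such as `# sh is only read on the alert path; the handshake path is what updates the shared state.` would keep a later edit from mutating a copy by mistake. `Handshake_message` is declared outside this hunk, so it is worth confirming that its `sh` parameter is also declared `inout sh: Share`, since the changelog entry in this commit notes that passed and expected `inout` types should match exactly. A mismatch there would presumably leave the per-connection state in `Share` out of step with what was actually parsed.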