diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 1997a9be57..1b03457c90 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -3,7 +3,7 @@
 #
 repos:
 - repo: https://github.com/pre-commit/mirrors-clang-format
-  rev: 'v18.1.8'
+  rev: 'v19.1.4'
   hooks:
   - id: clang-format
     types_or:
@@ -18,7 +18,7 @@ repos:
       args: ["-w", "-i", "4", "-ci"]
 
 - repo: https://github.com/google/yapf
-  rev: v0.40.2
+  rev: v0.43.0
   hooks:
   - id: yapf
 
@@ -28,13 +28,13 @@ repos:
   - id: cmake-format
 
 - repo: https://github.com/crate-ci/typos
-  rev: v1.16.21
+  rev: v1.28.2
   hooks:
     - id: typos
-      exclude: '^(.typos.toml|src/SmithWaterman.cc|testing/.*|auxil/.*|scripts/base/frameworks/files/magic/.*|CHANGES)$'
+      exclude: '^(.typos.toml|src/SmithWaterman.cc|testing/.*|auxil/.*|scripts/base/frameworks/files/magic/.*|CHANGES|scripts/base/protocols/ssl/mozilla-ca-list.zeek)$'
 
 - repo: https://github.com/bbannier/spicy-format
-  rev: v0.20.0
+  rev: v0.22.0
   hooks:
     - id: spicy-format
       # TODO: Reformat existing large analyzers just before 8.0.
diff --git a/.typos.toml b/.typos.toml
index f8a512a8c3..4d74a52e7f 100644
--- a/.typos.toml
+++ b/.typos.toml
@@ -48,6 +48,15 @@ extend-ignore-identifiers-re = [
     "ND_ROUTER_.*",
     "ND_NEIGHBOR_.*",
     ".*_ND_option.*",
+    "bck", # Used with same length as `fwd`
+    "pn", # Use for `PoolNode` variables
+    "ffrom_[ip|port|mac]", # Used in netcontrol.
+    "complte_flag", # Existing use in exported record in base.
+    "VidP(n|N)", # In SMB.
+    "iin", # In DNP3.
+    "(ScValidatePnPService|ScSendPnPMessage)", # In DCE-RPC.
+    "snet", # Used as shorthand for subnet in base scripts.
+    "(e|i)it", # Used as name for some iterators.
 ]
 
 [default.extend-identifiers]
diff --git a/NEWS b/NEWS
index 550657d6ef..142f63c9ab 100644
--- a/NEWS
+++ b/NEWS
@@ -3859,7 +3859,7 @@ Removed Functionality
 
 - Functionality for writing/reading binary event streams was
   removed. This functionality relied on the old communication code
-  anc was basically untested. The ``-R`` command-line option (replay)
+  and was basically untested. The ``-R`` command-line option (replay)
   as well as the ``capture_events`` function were removed.
 
 - Removed p0f (passive OS fingerprinting) support. The version of
diff --git a/ci/test.sh b/ci/test.sh
index ff3935579a..adea2eb292 100755
--- a/ci/test.sh
+++ b/ci/test.sh
@@ -41,7 +41,7 @@ function banner {
 
 function run_unit_tests {
     if [[ ${ZEEK_CI_SKIP_UNIT_TESTS} -eq 1 ]]; then
-        printf "Skipping unit tests as requested by task configureation\n\n"
+        printf "Skipping unit tests as requested by task configuration\n\n"
         return 0
     fi
 
diff --git a/scripts/policy/protocols/ssl/certificate-request-info.zeek b/scripts/policy/protocols/ssl/certificate-request-info.zeek
index 2479df5efa..c318a94615 100644
--- a/scripts/policy/protocols/ssl/certificate-request-info.zeek
+++ b/scripts/policy/protocols/ssl/certificate-request-info.zeek
@@ -6,7 +6,7 @@
 module SSL;
 
 redef record SSL::Info += {
-	## List of cient certificate CAs accepted by the server
+	## List of client certificate CAs accepted by the server
 	requested_client_certificate_authorities: vector of string &optional &log;
 };
 
diff --git a/src/DNS_Mgr.cc b/src/DNS_Mgr.cc
index 2bb2ba435e..42948accef 100644
--- a/src/DNS_Mgr.cc
+++ b/src/DNS_Mgr.cc
@@ -318,7 +318,7 @@ static void addrinfo_cb(void* arg, int status, int timeouts, struct ares_addrinf
             // Push a null on the end so the addr list has a final point during later parsing.
             addrs.push_back(NULL);
 
-            struct hostent he {};
+            struct hostent he{};
             he.h_name = util::copy_string(result->name);
             he.h_addrtype = AF_INET;
             he.h_length = sizeof(in_addr);
@@ -333,7 +333,7 @@ static void addrinfo_cb(void* arg, int status, int timeouts, struct ares_addrinf
             // Push a null on the end so the addr list has a final point during later parsing.
             addrs6.push_back(NULL);
 
-            struct hostent he {};
+            struct hostent he{};
             he.h_name = util::copy_string(result->name);
             he.h_addrtype = AF_INET6;
             he.h_length = sizeof(in6_addr);
@@ -370,7 +370,7 @@ static void query_cb(void* arg, ares_status_t status, size_t timeouts, const are
         }
     }
     else {
-        struct hostent he {};
+        struct hostent he{};
 
         uint32_t ttl = 0;
         size_t rr_cnt = ares_dns_record_rr_cnt(dnsrec, ARES_SECTION_ANSWER);
diff --git a/src/Debug.cc b/src/Debug.cc
index 6609a3d256..66e11b5e50 100644
--- a/src/Debug.cc
+++ b/src/Debug.cc
@@ -417,7 +417,7 @@ int dbg_init_debugger(const char* cmdfile) {
         // ### Implement this
         debug_msg("Command files not supported. Using interactive mode.\n");
 
-        // ### if ( interactive ) (i.e., not reading cmds from a file)
+    // ### if ( interactive ) (i.e., not reading cmds from a file)
 #ifdef HAVE_READLINE
     init_readline();
 #endif
diff --git a/src/analyzer/protocol/ldap/ldap.spicy b/src/analyzer/protocol/ldap/ldap.spicy
index 0816e6afe9..14c3607c56 100644
--- a/src/analyzer/protocol/ldap/ldap.spicy
+++ b/src/analyzer/protocol/ldap/ldap.spicy
@@ -935,7 +935,7 @@ type SearchFilter = unit {
   };
 
   # So when you're done with recursively parsing the filters, we can now leverage the tree structure to
-  # recursively get the stringRepresentations for those leafs, which are SearchFilters
+  # recursively get the stringRepresentations for those leaves, which are SearchFilters
 
   on %done {
     self.stringRepresentation = string_representation(self);
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index aefdf2738c..2dab26e25a 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -308,9 +308,9 @@ void X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT*
     else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name )
         ParseSAN(ex);
 
-        // In OpenSSL 1.0.2+, we can get the extension by using NID_ct_precert_scts.
-        // In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually
-        // look it up by performing a string comparison on the oid.
+    // In OpenSSL 1.0.2+, we can get the extension by using NID_ct_precert_scts.
+    // In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually
+    // look it up by performing a string comparison on the oid.
 #ifdef NID_ct_precert_scts
     else if ( OBJ_obj2nid(ext_asn) == NID_ct_precert_scts )
 #else
diff --git a/src/input/Manager.cc b/src/input/Manager.cc
index 8a056c7621..989125b90f 100644
--- a/src/input/Manager.cc
+++ b/src/input/Manager.cc
@@ -1766,7 +1766,7 @@ RecordVal* Manager::ValueToRecordVal(const Stream* stream, const Value* const* v
             // them and has been warned by reporter.
             // Hence -> assign null to the field, done.
 
-            // Better check that it really is optional. Uou never know.
+            // Better check that it really is optional. You never know.
             assert(request_type->FieldDecl(i)->GetAttr(zeek::detail::ATTR_OPTIONAL));
         }
         else if ( ! vals[*position]->present && ! request_type->FieldDecl(i)->GetAttr(zeek::detail::ATTR_OPTIONAL) ) {
diff --git a/src/script_opt/CPP/RuntimeVec.cc b/src/script_opt/CPP/RuntimeVec.cc
index 62eed2dde2..fc5ccc6f1f 100644
--- a/src/script_opt/CPP/RuntimeVec.cc
+++ b/src/script_opt/CPP/RuntimeVec.cc
@@ -82,8 +82,7 @@ static VectorTypePtr base_vector_type__CPP(const VectorTypePtr& vt, bool is_bool
 // Instantiates a double_kernel for a given operation.
 #define VEC_OP1_WITH_DOUBLE(name, op)                                                                                  \
     VEC_OP1(                                                                                                           \
-        name, op, case TYPE_INTERNAL_DOUBLE                                                                            \
-        : {                                                                                                            \
+        name, op, case TYPE_INTERNAL_DOUBLE : {                                                                        \
             VEC_OP1_KERNEL(AsDouble, DoubleVal, op)                                                                    \
             break;                                                                                                     \
         })
diff --git a/src/script_opt/Stmt.cc b/src/script_opt/Stmt.cc
index 01c9a21e77..3e45161d7c 100644
--- a/src/script_opt/Stmt.cc
+++ b/src/script_opt/Stmt.cc
@@ -899,7 +899,7 @@ static bool simplify_chain(const std::vector<StmtPtr>& stmts, unsigned int start
 
     // An add-chain of any size is a win. For an assign-chain to be a win,
     // it needs to have at least two elements, because a single "x$a = y$b"
-    // can be expressed using one ZAM instructino (but "x$a += y$b" cannot).
+    // can be expressed using one ZAM instruction (but "x$a += y$b" cannot).
     if ( add_chains.empty() ) {
         bool have_useful_assign_chain = false;
         for ( auto& ac : assign_chains )
diff --git a/src/spicy/spicyz/driver.h b/src/spicy/spicyz/driver.h
index f6276ab0bf..a0228a4e45 100644
--- a/src/spicy/spicyz/driver.h
+++ b/src/spicy/spicyz/driver.h
@@ -146,7 +146,7 @@ public:
 
     /**
      * Parses options command-line style after Zeek-side scripts have been
-     * fully procssed. Most of the option processing happens here (vs. in
+     * fully processed. Most of the option processing happens here (vs. in
      * `parseOptionsPreScript()`) except for things that must be in place
      * already before script processing.
      *