diff --git a/.github/actions/nightly-release/action.yaml b/.github/actions/nightly-release/action.yaml
index bba13a955f0..48cdff56e18 100644
--- a/.github/actions/nightly-release/action.yaml
+++ b/.github/actions/nightly-release/action.yaml
@@ -31,7 +31,9 @@ runs:
         go-version: "${{ inputs.go }}"
 
     - name: goreleaser
-      uses: goreleaser/goreleaser-action@v5
+      # Use commit hash here to avoid a re-tagging attack, as this is a third-party action
+      # Commit 5742e2a039330cbb23ebf35f046f814d4c6ff811 = tag v5
+      uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811
       with:
         workdir: "${{ inputs.workdir }}"
         version: latest
@@ -49,9 +51,9 @@ runs:
       shell: bash
       run: |
         NDATE=$(date +%Y%m%d)
-    
+
         docker tag synadia/nats-server:nightly-${NDATE} synadia/nats-server:${{ inputs.label }}-${NDATE}
         docker tag synadia/nats-server:nightly-${NDATE} synadia/nats-server:${{ inputs.label }}
-    
+
         docker push synadia/nats-server:${{ inputs.label }}-${NDATE}
         docker push synadia/nats-server:${{ inputs.label }}
diff --git a/.github/workflows/cov.yaml b/.github/workflows/cov.yaml
index 773b44dd635..8375b58d365 100644
--- a/.github/workflows/cov.yaml
+++ b/.github/workflows/cov.yaml
@@ -33,13 +33,17 @@ jobs:
           set +e
 
       - name: Convert coverage.out to coverage.lcov
-        uses: jandelgado/gcov2lcov-action@v1.0.9
+        # Use commit hash here to avoid a re-tagging attack, as this is a third-party action
+        # Commit c680c0f7c7442485f1749eb2a13e54a686e76eb5 = tag v1.0.9
+        uses: jandelgado/gcov2lcov-action@c680c0f7c7442485f1749eb2a13e54a686e76eb5
         with:
           infile: acc.out
           working-directory: src/github.com/nats-io/nats-server
 
       - name: Coveralls
-        uses: coverallsapp/github-action@v2
+        # Use commit hash here to avoid a re-tagging attack, as this is a third-party action
+        # Commit 3dfc5567390f6fa9267c0ee9c251e4c8c3f18949 = tag v2
+        uses: coverallsapp/github-action@3dfc5567390f6fa9267c0ee9c251e4c8c3f18949
         with:
           github-token: ${{ secrets.github_token }}
           file: src/github.com/nats-io/nats-server/coverage.lcov
diff --git a/server/certstore/certstore_windows.go b/server/certstore/certstore_windows.go
index 57adc187abf..19b9567be73 100644
--- a/server/certstore/certstore_windows.go
+++ b/server/certstore/certstore_windows.go
@@ -115,19 +115,38 @@ var (
 	winMyStore = winWide("MY")
 
 	// These DLLs must be available on all Windows hosts
-	winCrypt32 = windows.MustLoadDLL("crypt32.dll")
-	winNCrypt  = windows.MustLoadDLL("ncrypt.dll")
+	winCrypt32 = windows.NewLazySystemDLL("crypt32.dll")
+	winNCrypt  = windows.NewLazySystemDLL("ncrypt.dll")
 
-	winCertFindCertificateInStore        = winCrypt32.MustFindProc("CertFindCertificateInStore")
-	winCryptAcquireCertificatePrivateKey = winCrypt32.MustFindProc("CryptAcquireCertificatePrivateKey")
-	winNCryptExportKey                   = winNCrypt.MustFindProc("NCryptExportKey")
-	winNCryptOpenStorageProvider         = winNCrypt.MustFindProc("NCryptOpenStorageProvider")
-	winNCryptGetProperty                 = winNCrypt.MustFindProc("NCryptGetProperty")
-	winNCryptSignHash                    = winNCrypt.MustFindProc("NCryptSignHash")
+	winCertFindCertificateInStore        = winCrypt32.NewProc("CertFindCertificateInStore")
+	winCryptAcquireCertificatePrivateKey = winCrypt32.NewProc("CryptAcquireCertificatePrivateKey")
+	winNCryptExportKey                   = winNCrypt.NewProc("NCryptExportKey")
+	winNCryptOpenStorageProvider         = winNCrypt.NewProc("NCryptOpenStorageProvider")
+	winNCryptGetProperty                 = winNCrypt.NewProc("NCryptGetProperty")
+	winNCryptSignHash                    = winNCrypt.NewProc("NCryptSignHash")
 
 	winFnGetProperty = winGetProperty
 )
 
+func init() {
+	for _, d := range []*windows.LazyDLL{
+		winCrypt32, winNCrypt,
+	} {
+		if err := d.Load(); err != nil {
+			panic(err)
+		}
+	}
+	for _, p := range []*windows.LazyProc{
+		winCertFindCertificateInStore, winCryptAcquireCertificatePrivateKey,
+		winNCryptExportKey, winNCryptOpenStorageProvider,
+		winNCryptGetProperty, winNCryptSignHash,
+	} {
+		if err := p.Find(); err != nil {
+			panic(err)
+		}
+	}
+}
+
 type winPKCS1PaddingInfo struct {
 	pszAlgID *uint16
 }
diff --git a/server/jetstream_cluster_4_test.go b/server/jetstream_cluster_4_test.go
index 3dbb5bccdb7..a9331472c4b 100644
--- a/server/jetstream_cluster_4_test.go
+++ b/server/jetstream_cluster_4_test.go
@@ -2913,27 +2913,26 @@ func TestJetStreamClusterKeyValueLastSeqMismatch(t *testing.T) {
 	nc, js := jsClientConnect(t, c.randomServer())
 	defer nc.Close()
 
-	kv, err := js.CreateKeyValue(&nats.KeyValueConfig{
-		Bucket:   "mismatch",
-		Replicas: 3,
-	})
-	require_NoError(t, err)
-
-	revision, err := kv.Create("foo", []byte("1"))
-	require_NoError(t, err)
-	require_Equal(t, revision, 1)
+	for _, r := range []int{1, 3} {
+		t.Run(fmt.Sprintf("R=%d", r), func(t *testing.T) {
+			kv, err := js.CreateKeyValue(&nats.KeyValueConfig{
+				Bucket:   fmt.Sprintf("mismatch_%v", r),
+				Replicas: r,
+			})
+			require_NoError(t, err)
 
-	revision, err = kv.Create("bar", []byte("2"))
-	require_NoError(t, err)
-	require_Equal(t, revision, 2)
+			revision, err := kv.Create("foo", []byte("1"))
+			require_NoError(t, err)
+			require_Equal(t, revision, 1)
 
-	// Now delete foo from sequence 1.
-	// This needs to be low level remove (or system level) to test the condition we want here.
-	err = js.DeleteMsg("KV_mismatch", 1)
-	require_Error(t, err)
+			revision, err = kv.Create("bar", []byte("2"))
+			require_NoError(t, err)
+			require_Equal(t, revision, 2)
 
-	// Now say we want to update baz but iff last was revision 1.
-	_, err = kv.Update("baz", []byte("3"), uint64(1))
-	require_Error(t, err)
-	require_Equal(t, err.Error(), `nats: wrong last sequence: 0`)
+			// Now say we want to update baz but iff last was revision 1.
+			_, err = kv.Update("baz", []byte("3"), uint64(1))
+			require_Error(t, err)
+			require_Equal(t, err.Error(), `nats: wrong last sequence: 0`)
+		})
+	}
 }
diff --git a/server/pse/pse_windows.go b/server/pse/pse_windows.go
index 5ee9645f3f7..04e3ae8bb9b 100644
--- a/server/pse/pse_windows.go
+++ b/server/pse/pse_windows.go
@@ -25,10 +25,12 @@ import (
 	"syscall"
 	"time"
 	"unsafe"
+
+	"golang.org/x/sys/windows"
 )
 
 var (
-	pdh                            = syscall.NewLazyDLL("pdh.dll")
+	pdh                            = windows.NewLazySystemDLL("pdh.dll")
 	winPdhOpenQuery                = pdh.NewProc("PdhOpenQuery")
 	winPdhAddCounter               = pdh.NewProc("PdhAddCounterW")
 	winPdhCollectQueryData         = pdh.NewProc("PdhCollectQueryData")
@@ -36,6 +38,20 @@ var (
 	winPdhGetFormattedCounterArray = pdh.NewProc("PdhGetFormattedCounterArrayW")
 )
 
+func init() {
+	if err := pdh.Load(); err != nil {
+		panic(err)
+	}
+	for _, p := range []*windows.LazyProc{
+		winPdhOpenQuery, winPdhAddCounter, winPdhCollectQueryData,
+		winPdhGetFormattedCounterValue, winPdhGetFormattedCounterArray,
+	} {
+		if err := p.Find(); err != nil {
+			panic(err)
+		}
+	}
+}
+
 // global performance counter query handle and counters
 var (
 	pcHandle                                       PDH_HQUERY
diff --git a/server/stream.go b/server/stream.go
index cdcf6e6aa01..fefbc1f11dd 100644
--- a/server/stream.go
+++ b/server/stream.go
@@ -4400,7 +4400,7 @@ func (mset *stream) processJetStreamMsg(subject, reply string, hdr, msg []byte,
 			if err == ErrStoreMsgNotFound {
 				if seq == 0 {
 					fseq, err = 0, nil
-				} else {
+				} else if mset.isClustered() {
 					// Do not bump clfs in case message was not found and could have been deleted.
 					var ss StreamState
 					store.FastState(&ss)
diff --git a/server/sysmem/mem_windows.go b/server/sysmem/mem_windows.go
index cc4c43dc95b..f557c0b8ee1 100644
--- a/server/sysmem/mem_windows.go
+++ b/server/sysmem/mem_windows.go
@@ -17,10 +17,23 @@
 package sysmem
 
 import (
-	"syscall"
 	"unsafe"
+
+	"golang.org/x/sys/windows"
 )
 
+var winKernel32 = windows.NewLazySystemDLL("kernel32.dll")
+var winGlobalMemoryStatusEx = winKernel32.NewProc("GlobalMemoryStatusEx")
+
+func init() {
+	if err := winKernel32.Load(); err != nil {
+		panic(err)
+	}
+	if err := winGlobalMemoryStatusEx.Find(); err != nil {
+		panic(err)
+	}
+}
+
 // https://docs.microsoft.com/en-us/windows/win32/api/sysinfoapi/ns-sysinfoapi-memorystatusex
 type _memoryStatusEx struct {
 	dwLength     uint32
@@ -30,16 +43,8 @@ type _memoryStatusEx struct {
 }
 
 func Memory() int64 {
-	kernel32, err := syscall.LoadDLL("kernel32.dll")
-	if err != nil {
-		return 0
-	}
-	globalMemoryStatusEx, err := kernel32.FindProc("GlobalMemoryStatusEx")
-	if err != nil {
-		return 0
-	}
 	msx := &_memoryStatusEx{dwLength: 64}
-	res, _, _ := globalMemoryStatusEx.Call(uintptr(unsafe.Pointer(msx)))
+	res, _, _ := winGlobalMemoryStatusEx.Call(uintptr(unsafe.Pointer(msx)))
 	if res == 0 {
 		return 0
 	}