diff --git a/src/oidc.js b/src/oidc.js
index b2117ab90..def682304 100644
--- a/src/oidc.js
+++ b/src/oidc.js
@@ -184,7 +184,7 @@ async function revokeByUserId(userId) {
     function revokeObjects(modelName) {
         load(modelName);
 
-        for (let id in DATA_STORE[modelName]) {
+        for (const id in DATA_STORE[modelName]) {
             if (DATA_STORE[modelName][id].payload?.accountId === userId) delete DATA_STORE[modelName][id];
         }
 
@@ -379,7 +379,7 @@ class CloudronAdapter {
         if (this.name === 'Client' || this.name === 'AccessToken') {
             debug('findByUid: this should not happen as it is stored in our db');
         } else {
-            for (let d in DATA_STORE[this.name]) {
+            for (const d in DATA_STORE[this.name]) {
                 if (DATA_STORE[this.name][d].payload.uid === uid) return DATA_STORE[this.name][d].payload;
             }
 
@@ -446,7 +446,7 @@ class CloudronAdapter {
         if (this.name === 'Client') {
             debug('revokeByGrantId: this should not happen as it is stored in our db');
         } else {
-            for (let d in DATA_STORE[this.name]) {
+            for (const d in DATA_STORE[this.name]) {
                 if (DATA_STORE[this.name][d].grantId === grantId) {
                     delete DATA_STORE[this.name][d];
                     return save(this.name);
diff --git a/src/updater.js b/src/updater.js
index 165ddf7c4..3aa7a0852 100644
--- a/src/updater.js
+++ b/src/updater.js
@@ -184,7 +184,7 @@ async function checkUpdateRequirements(boxUpdateInfo) {
 
     const result = await apps.list();
 
-    for (let app of result) {
+    for (const app of result) {
         const maxBoxVersion = app.manifest.maxBoxVersion;
         if (semver.valid(maxBoxVersion) && semver.gt(boxUpdateInfo.version, maxBoxVersion)) {
             throw new BoxError(BoxError.BAD_STATE, `Cannot update to v${boxUpdateInfo.version} because ${app.fqdn} has a maxBoxVersion of ${maxBoxVersion}`);