diff --git a/CHANGELOG.md b/CHANGELOG.md index fbe675c6c..f5bcce0d6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,14 @@ # Changelog + +## 4.0.5 +**Maintenance:** +- Framework: esi, fragments not used so disable +- Security upgrades are installed + +**Bugfixes:** +- SMS prove possession route not found #288 +- Repair return type inconsistency in recovery token trait #287 + ## 4.0.4 - Support self-vetting using a self-asserted token #284 diff --git a/composer.lock b/composer.lock index f1d051996..c6b0ae5a2 100644 --- a/composer.lock +++ b/composer.lock @@ -2233,16 +2233,16 @@ }, { "name": "phpseclib/phpseclib", - "version": "3.0.18", + "version": "3.0.19", "source": { "type": "git", "url": "https://github.com/phpseclib/phpseclib.git", - "reference": "f28693d38ba21bb0d9f0c411ee5dae2b178201da" + "reference": "cc181005cf548bfd8a4896383bb825d859259f95" }, "dist": { "type": "zip", - "url": "https://github.com/repos/phpseclib/phpseclib/zipball/f28693d38ba21bb0d9f0c411ee5dae2b178201da", - "reference": "f28693d38ba21bb0d9f0c411ee5dae2b178201da", + "url": "https://github.com/repos/phpseclib/phpseclib/zipball/cc181005cf548bfd8a4896383bb825d859259f95", + "reference": "cc181005cf548bfd8a4896383bb825d859259f95", "shasum": "" }, "require": { @@ -2323,7 +2323,7 @@ ], "support": { "issues": "https://github.com/phpseclib/phpseclib/issues", - "source": "https://github.com/phpseclib/phpseclib/tree/3.0.18" + "source": "https://github.com/phpseclib/phpseclib/tree/3.0.19" }, "funding": [ { @@ -2339,7 +2339,7 @@ "type": "tidelift" } ], - "time": "2022-12-17T18:26:50+00:00" + "time": "2023-03-05T17:13:09+00:00" }, { "name": "psr/cache", diff --git a/config/packages/framework.yaml b/config/packages/framework.yaml index 4bd86311e..fb4790e60 100644 --- a/config/packages/framework.yaml +++ b/config/packages/framework.yaml @@ -1,5 +1,5 @@ framework: - #esi: ~ + esi: false secret: "%secret%" form: ~ csrf_protection: ~ 
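Review bot: `esi: false` here and `fragments: false` in the next hunk of config/packages/framework.yaml have no comment saying why they are off, so a later edit could re-enable them without noticing that it reopens request-handling surface. I would add `# ESI and fragments are unused; keep disabled so the signed /_fragment endpoint is not exposed` above `esi: false`. By the same reasoning, `http_method_override: true` at the end of the second hunk is worth checking. If no form relies on the `_method` parameter, setting it to `false` removes another unused feature.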
@@ -13,5 +13,5 @@ framework: name: sess_selfservice cookie_httponly: true cookie_secure: true - fragments: ~ + fragments: false http_method_override: true diff --git a/package.json b/package.json index 376040e9a..7a63cbe67 100644 --- a/package.json +++ b/package.json @@ -21,7 +21,7 @@ "ts-jest": "^27", "ts-loader": "^9.0", "typescript": "^4", - "webpack": "^5.75.0", + "webpack": "^5.76.0", "webpack-cli": "^5.0.0", "webpack-import-glob-loader": "^1.6.3" }, diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/RecoveryTokenControllerTrait.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/RecoveryTokenControllerTrait.php index cc241f668..ab6f544c0 100644 --- a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/RecoveryTokenControllerTrait.php +++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/RecoveryTokenControllerTrait.php @@ -73,7 +73,8 @@ private function handleSmsChallenge( if ($otpRequestsRemaining === 0) { $this->addFlash('error', 'ss.prove_phone_possession.challenge_request_limit_reached'); - return array_merge(['form' => $form->createView()], $viewVariables); + $parameters = array_merge(['form' => $form->createView()], $viewVariables); + return $this->render($templateName, $parameters); } if ($this->smsService->sendChallenge($command)) { diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/Registration/SmsController.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/Registration/SmsController.php index 646ce7c39..030523f8f 100644 --- a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/Registration/SmsController.php +++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/Registration/SmsController.php 
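Review bot: The limit check in handleSmsChallenge, `if ($otpRequestsRemaining === 0)`, only blocks a send when the counter is exactly the integer zero. Should the value ever arrive negative or as a non-int (its source is outside this hunk), execution falls through to `$this->smsService->sendChallenge($command)`. Writing `if ($otpRequestsRemaining <= 0) {` fails closed at no cost. Since this commit repairs an array-versus-response mismatch on that branch, a declared return type on `handleSmsChallenge` would let static analysis catch a repeat, if the signature (cut off in the hunk header) does not already have one. The function starts and ends outside the hunk.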
@@ -46,7 +46,11 @@ public function sendChallengeAction(Request $request) $service = $this->get('surfnet_stepup_self_service_self_service.service.sms_second_factor'); $otpRequestsRemaining = $service->getOtpRequestsRemainingCount(SmsSecondFactorServiceInterface::REGISTRATION_SECOND_FACTOR_ID); $maximumOtpRequests = $service->getMaximumOtpRequestsCount(); - $viewVariables = ['otpRequestsRemaining' => $otpRequestsRemaining, 'maximumOtpRequests' => $maximumOtpRequests]; + $viewVariables = [ + 'otpRequestsRemaining' => $otpRequestsRemaining, + 'maximumOtpRequests' => $maximumOtpRequests, + 'verifyEmail' => $this->emailVerificationIsRequired(), + ]; if ($form->isSubmitted() && $form->isValid()) { $command->identity = $identity->id; @@ -67,7 +71,6 @@ public function sendChallengeAction(Request $request) return array_merge( [ 'form' => $form->createView(), - 'verifyEmail' => $this->emailVerificationIsRequired(), ], $viewVariables ); diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/config/routing.yml b/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/config/routing.yml index c7ff81c7a..e025f7169 100644 --- a/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/config/routing.yml +++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/config/routing.yml @@ -130,6 +130,11 @@ ss_registration_sms_send_challenge: methods: [GET,POST] defaults: { _controller: SurfnetStepupSelfServiceSelfServiceBundle:Registration/Sms:sendChallenge } +ss_registration_sms_prove_possession: + path: /registration/sms/prove-possession + methods: [GET,POST] + defaults: { _controller: SurfnetStepupSelfServiceSelfServiceBundle:Registration/Sms:provePossession } + ss_registration_gssf_status_report: path: /registration/gssf/{provider}/status methods: [GET] diff --git a/yarn.lock b/yarn.lock index 2baf16b4b..390cb4069 100644 --- a/yarn.lock +++ b/yarn.lock 
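Review bot: Nothing in sendChallengeAction records why `verifyEmail` now has to live in `$viewVariables` rather than in the final `array_merge` (second hunk of this file), so it could easily be moved back. Presumably a return path between the two hunks renders the template from `$viewVariables` alone. If so, a comment such as `// every return path renders from $viewVariables, so template variables belong here` above the array would pin that down. The action body continues outside both hunks.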
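Review bot: The restored `ss_registration_sms_prove_possession` entry makes `Registration/Sms:provePossession` reachable again on GET and POST, but that action is not part of this diff, so its handling of code-verification attempts cannot be confirmed from here. Before release I would check that the action refuses to proceed when no challenge is pending and that wrong-code attempts are capped. Because the original bug was a missing route, a functional test asserting that `/registration/sms/prove-possession` resolves would guard against a repeat. A one-line comment above the entry, e.g. `# OTP verification step of SMS registration`, would also make its purpose clear to the next editor of routing.yml.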
@@ -6587,10 +6587,10 @@ webpack-sources@^3.2.3: resolved "https://registry.yarnpkg.com/webpack-sources/-/webpack-sources-3.2.3.tgz#2d4daab8451fd4b240cc27055ff6a0c2ccea0cde" integrity sha512-/DyMEOrDgLKKIG0fmvtz+4dUX/3Ghozwgm6iPp8KRhvn+eQf9+Q7GWxVNMk3+uCPWfdXYC4ExGBckIXdFEfH1w== -webpack@^5.75.0: - version "5.75.0" - resolved "https://registry.yarnpkg.com/webpack/-/webpack-5.75.0.tgz#1e440468647b2505860e94c9ff3e44d5b582c152" - integrity sha512-piaIaoVJlqMsPtX/+3KTTO6jfvrSYgauFVdt8cr9LTHKmcq/AMd4mhzsiP7ZF/PGRNPGA8336jldh9l2Kt2ogQ== +webpack@^5.76.0: + version "5.76.0" + resolved "https://registry.yarnpkg.com/webpack/-/webpack-5.76.0.tgz#f9fb9fb8c4a7dbdcd0d56a98e56b8a942ee2692c" + integrity sha512-l5sOdYBDunyf72HW8dF23rFtWq/7Zgvt/9ftMof71E/yUb1YLOBmTgA2K4vQthB3kotMrSj609txVE0dnr2fjA== dependencies: "@types/eslint-scope" "^3.7.3" "@types/estree" "^0.0.51"