diff --git a/northstar-runtime/Cargo.toml b/northstar-runtime/Cargo.toml
index 9c36fbd9d..fd687d310 100644
--- a/northstar-runtime/Cargo.toml
+++ b/northstar-runtime/Cargo.toml
@@ -59,7 +59,7 @@ toml = { version = "0.8.14", optional = true }
 umask = { version = "2.1.0", optional = true }
 url = { version = "2.5.0", features = ["serde"], optional = true }
 uuid = { version = "1.7.0", features = ["v4"], optional = true }
-validator = { version = "0.16.1", features = ["derive"] }
+validator = { version = "0.18.1", features = ["derive"] }
 zeroize = { version = "1.7.0", optional = true }
 zip = { version = "0.6.6", default-features = false, optional = true }
 
diff --git a/northstar-runtime/src/common/non_nul_string.rs b/northstar-runtime/src/common/non_nul_string.rs
index 3a1be0979..c922af3ee 100644
--- a/northstar-runtime/src/common/non_nul_string.rs
+++ b/northstar-runtime/src/common/non_nul_string.rs
@@ -7,7 +7,6 @@ use std::{
     path::Path,
 };
 use thiserror::Error;
-use validator::HasLen;
 
 /// String that does not contain null bytes
 #[derive(Clone, Eq, PartialOrd, Ord, PartialEq, Hash)]
@@ -150,13 +149,6 @@ impl<'de> Deserialize<'de> for NonNulString {
     }
 }
 
-/// Implement HasLen for NonNulString to allow validation of the length.
-impl HasLen for &NonNulString {
-    fn length(&self) -> u64 {
-        self.0.len() as u64
-    }
-}
-
 #[test]
 fn try_from() {
     assert!(NonNulString::try_from("hello").is_ok());
diff --git a/northstar-runtime/src/npk/manifest/mod.rs b/northstar-runtime/src/npk/manifest/mod.rs
index 93effb736..ce4441563 100644
--- a/northstar-runtime/src/npk/manifest/mod.rs
+++ b/northstar-runtime/src/npk/manifest/mod.rs
@@ -101,7 +101,7 @@ pub struct Manifest {
     pub args: Vec<NonNulString>,
     /// Environment passed to container
     #[serde(default, skip_serializing_if = "HashMap::is_empty")]
-    #[validate(custom = "validate_env")]
+    #[validate(custom(function = "validate_env"))]
     pub env: HashMap<NonNulString, NonNulString>,
     /// UID
     #[validate(range(min = 1, message = "uid must be greater than 0"))]
@@ -110,7 +110,7 @@ pub struct Manifest {
     #[validate(range(min = 1, message = "gid must be greater than 0"))]
     pub gid: u16,
     /// Scheduling parameter.
-    #[validate]
+    #[validate(nested)]
     pub sched: Option<sched::Sched>,
     /// List of bind mounts and resources
     #[serde(
@@ -118,20 +118,20 @@ pub struct Manifest {
         skip_serializing_if = "HashMap::is_empty",
         deserialize_with = "maps_duplicate_key_is_error::deserialize"
     )]
-    #[validate(custom = "mount::validate")]
+    #[validate(custom(function = "mount::validate"))]
     pub mounts: HashMap<mount::MountPoint, mount::Mount>,
     /// Autostart this container upon northstar startup
     pub autostart: Option<autostart::Autostart>,
     /// CGroup configuration
     pub cgroups: Option<self::cgroups::CGroups>,
     /// Network configuration. Unshare the network if omitted.
-    #[validate(custom = "network::validate")]
+    #[validate(custom(function = "network::validate"))]
     pub network: Option<Network>,
     /// Seccomp configuration
-    #[validate(custom = "seccomp::validate")]
+    #[validate(custom(function = "seccomp::validate"))]
     pub seccomp: Option<Seccomp>,
     /// SELinux configuration
-    #[validate]
+    #[validate(nested)]
     pub selinux: Option<selinux::Selinux>,
     /// Capabilities
     #[serde(
@@ -146,7 +146,7 @@ pub struct Manifest {
         skip_serializing_if = "HashSet::is_empty",
         deserialize_with = "sets_duplicate_value_is_error::deserialize"
     )]
-    #[validate(custom = "validate_suppl_groups")]
+    #[validate(custom(function = "validate_suppl_groups"))]
     pub suppl_groups: HashSet<NonNulString>,
     /// Resource limits
     #[serde(
diff --git a/northstar-runtime/src/npk/manifest/sched.rs b/northstar-runtime/src/npk/manifest/sched.rs
index a1482c0e3..7409cfc47 100644
--- a/northstar-runtime/src/npk/manifest/sched.rs
+++ b/northstar-runtime/src/npk/manifest/sched.rs
@@ -36,7 +36,7 @@ pub enum Policy {
 #[serde(rename_all = "snake_case")]
 pub struct Sched {
     /// Scheduling policy.
-    #[validate(custom = "validate_policy")]
+    #[validate(custom(function = "validate_policy"))]
     pub policy: Policy,
 }
 
diff --git a/northstar-runtime/src/npk/manifest/selinux.rs b/northstar-runtime/src/npk/manifest/selinux.rs
index dc9c1b0ed..bf7f94568 100644
--- a/northstar-runtime/src/npk/manifest/selinux.rs
+++ b/northstar-runtime/src/npk/manifest/selinux.rs
@@ -8,10 +8,10 @@ use crate::common::non_nul_string::NonNulString;
 #[serde(deny_unknown_fields)]
 pub struct Selinux {
     /// Default SE label (mount option context=...).
-    #[validate(custom = "validate_context")]
+    #[validate(custom(function = "validate_context"))]
     pub mount_context: Option<NonNulString>,
     /// SE context for the execve call from init.
-    #[validate(custom = "validate_context")]
+    #[validate(custom(function = "validate_context"))]
     pub exec: Option<NonNulString>,
 }