diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b4073c8..1e0f48c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,21 +17,14 @@ jobs:
 steps:
 - uses: actions/checkout@v4
- - name: Add Node.js (fnm) to PATH
- run: echo "$HOME/.local/share/fnm/node-versions/v24.14.0/installation/bin" >> $GITHUB_PATH
-
- - name: Enable pnpm via corepack
- run: corepack enable pnpm
-
- - name: Install dependencies
- run: pnpm install --frozen-lockfile
+ run: npm ci
 - name: Lint
- run: pnpm run lint
+ run: npm run lint
 - name: Typecheck
- run: pnpm run typecheck
+ run: npm run typecheck
 semgrep:
 name: Semgrep (SAST)
@@ -65,7 +58,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - name: Trivy scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
 with:
 scan-type: fs
 scan-ref: .
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 1db9c98..1d92cff 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -20,7 +20,7 @@ jobs:
 - uses: actions/checkout@v4
 - name: Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@v0.30.0
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
 with:
 scan-type: fs
 scan-ref: .
diff --git a/.github/workflows/trivy-autofix.yml b/.github/workflows/trivy-autofix.yml
index 4b5eb88..8063338 100644
--- a/.github/workflows/trivy-autofix.yml
+++ b/.github/workflows/trivy-autofix.yml
@@ -16,7 +16,7 @@ jobs:
 - uses: actions/checkout@v4
 - name: Trivy vulnerability scan
- uses: aquasecurity/trivy-action@v0.30.0
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
 with:
 scan-type: fs
 scan-ref: .
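Review bot: In the first ci.yml hunk the `- name: Install dependencies` line is removed together with the pnpm command, but only `run: npm ci` is added, so on the new side `run:` appears to hang under the `- uses: actions/checkout@v4` step; a step cannot carry both `uses` and `run`, and the workflow would be rejected at parse time (inferred from the collapsed hunk, but the -21/+14 line counts support it). Restore the step boundary: `- name: Install dependencies` followed by `run: npm ci`. `npm ci` also requires a committed `package-lock.json` that is in sync with `package.json`, and whether one replaces the previous `pnpm-lock.yaml` is not visible in this diff. With the fnm PATH step gone, this job now uses whatever Node/npm the runner provides, while trivy-autofix.yml still prepends the hard-coded fnm path, so the two workflows may build with different toolchains. The enclosing `steps:` list starts before the hunk and the `semgrep` job continues after it.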
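Review bot: Pinning `aquasecurity/trivy-action` to a commit SHA is the right move, but the second ci.yml hunk leaves the pinning policy mixed within the same step list: `actions/checkout@v4` two lines above is still a mutable tag, and the same holds in the security.yml hunk and the first trivy-autofix.yml hunk (and for `peter-evans/create-pull-request@v7` in the last trivy-autofix hunk). Pin those to a commit SHA with a `# vX.Y.Z` trailer in the same style, and keep the trailer in sync with the SHA through automated dependency updates, since nothing in these hunks verifies that `57a97c7e7821a5776cebc9bb87c984fa69cba8f1` corresponds to v0.35.0. Pinning the action does not by itself pin the Trivy binary the action fetches; if this action version exposes a `version` input, set it explicitly when reproducible scan results matter. The `with:` block continues outside the hunk, so any such input may already be present.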
@@ -44,10 +44,6 @@ jobs:
 if: steps.check.outputs.count != '0'
 run: echo "$HOME/.local/share/fnm/node-versions/v24.14.0/installation/bin" >> $GITHUB_PATH
- - name: Enable pnpm via corepack
- if: steps.check.outputs.count != '0'
- run: corepack enable pnpm
-
 - name: Auto-fix CVEs via npm overrides
 if: steps.check.outputs.count != '0'
 run: |
@@ -71,6 +67,10 @@ jobs:
 f.write(chr(10))
 "
+ - name: Install dependencies after override patch
+ if: steps.check.outputs.count != '0'
+ run: npm install --package-lock-only
+
 - name: Create Pull Request
 if: steps.check.outputs.count != '0'
 uses: peter-evans/create-pull-request@v7
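Review bot: The new step's name, `Install dependencies after override patch`, misdescribes what it does: `npm install --package-lock-only` installs nothing and runs no lifecycle scripts, it only re-resolves `package-lock.json` against the overrides the previous step wrote, so `- name: Regenerate package-lock.json from overrides` would read correctly. Nothing in the hunk validates the result before the PR is opened: the regenerated lockfile is not exercised with an install and Trivy is not re-run to confirm the override actually clears the reported findings, so the auto-fix PR can be opened with an unverified or still-vulnerable resolution. Consider a follow-up step under the same `if:` such as `run: npm ci --ignore-scripts`, or a second scan step before `Create Pull Request`. The job's earlier steps and anything after the `Create Pull Request` step are outside the hunk, so part of this may be handled there.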