diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index a414bde9..825632dc 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -11,11 +11,19 @@ catalogs:
       version: 0.1.24
 
 overrides:
-  esbuild: 0.28.1
-  js-yaml: 4.2.0
   vite: npm:@voidzero-dev/vite-plus-core@latest
   vitest: npm:@voidzero-dev/vite-plus-test@latest
-  ws: 8.21.0
+  miniflare>ws: 8.21.0
+  storybook>ws: 8.21.0
+  '@vitest/browser>ws': 8.21.0
+  '@voidzero-dev/vite-plus-test>ws': 8.21.0
+  '@changesets/parse>js-yaml': 4.2.0
+  read-yaml-file>js-yaml: 4.2.0
+  storybook>esbuild: 0.28.1
+  '@storybook/csf-plugin>esbuild': 0.28.1
+  vite>esbuild: 0.28.1
+  '@voidzero-dev/vite-plus-core>esbuild': 0.28.1
+  wrangler>esbuild: 0.28.1
 
 importers:
 
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index f613d1c4..bd9403db 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -13,11 +13,23 @@ catalog:
   vite-plus: latest
 
 overrides:
-  esbuild: 0.28.1
-  js-yaml: 4.2.0
   vite: "catalog:"
   vitest: "catalog:"
-  ws: 8.21.0
+  # Transitive Dependabot security pins, scoped to the specific chains that pull the
+  # vulnerable versions so the override can't silently apply to a future or runtime
+  # dependency path. Regenerate the lockfile after editing, and keep these in sync with
+  # the chains reported by the lockfile (search the snapshots for the package).
+  "miniflare>ws": 8.21.0
+  "storybook>ws": 8.21.0
+  "@vitest/browser>ws": 8.21.0
+  "@voidzero-dev/vite-plus-test>ws": 8.21.0
+  "@changesets/parse>js-yaml": 4.2.0
+  "read-yaml-file>js-yaml": 4.2.0
+  "storybook>esbuild": 0.28.1
+  "@storybook/csf-plugin>esbuild": 0.28.1
+  "vite>esbuild": 0.28.1
+  "@voidzero-dev/vite-plus-core>esbuild": 0.28.1
+  "wrangler>esbuild": 0.28.1
 
 peerDependencyRules:
   allowAny: