diff --git a/package.json b/package.json
index 174ff75..198210b 100644
--- a/package.json
+++ b/package.json
@@ -11,7 +11,7 @@
 "typescript": "^6.0.2",
 "vitest": "^4.1.2"
 },
- "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319",
+ "packageManager": "pnpm@10.33.4",
 "devEngines": {
 "runtime": {
 "name": "node",
@@ -19,7 +19,8 @@
 },
 "packageManager": {
 "name": "pnpm",
- "onFail": "error"
+ "version": "10.33.4",
+ "onFail": "warn"
 }
 }
 }
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index c2952c5..042d6ba 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -1,2 +1,7 @@
 packages:
 - execute-workflow
+
+# Supply-chain protection: require packages to be at least 24h old before pnpm will install them.
+# Mitigates compromised npm packages discovered and yanked within the first day (shai-hulud worm,
+# nx self-replicator, etc.). 1440 minutes = 24 hours.
+minimumReleaseAge: 1440
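Review bot: The new `"packageManager": "pnpm@10.33.4"` line drops the `+sha512.…` integrity suffix the removed line carried, so Corepack (and pnpm's own self-check) can no longer verify the pnpm tarball it downloads against a pinned digest; in a commit whose pnpm-workspace.yaml comment is explicitly about supply-chain protection, that is a regression rather than a cleanup. Keep the digest pinned, e.g. `"packageManager": "pnpm@10.33.4+sha512.<integrity-hash-for-10.33.4>"` (placeholder — `corepack use pnpm@10.33.4` writes the real value). If the hash was dropped deliberately, the commit description should say why.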
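Review bot: Relaxing `"onFail"` from `"error"` to `"warn"` turns the `devEngines.packageManager` pin into advice: a contributor or CI runner on a different pnpm gets a warning and proceeds, which presumably also means a pnpm too old to know `minimumReleaseAge` would install without the 24-hour gate this commit adds in pnpm-workspace.yaml. Unless the downgrade is intentional (and stated in the commit description), keep `"onFail": "error"`. The version now lives in two places (`packageManager` and `devEngines.packageManager.version`) that can drift; strict JSON allows no comment, so a one-line note in the contributing docs naming both fields would help the next bump.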
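Review bot: The comment above `minimumReleaseAge: 1440` should state what the gate does not cover: as I understand the setting it applies only to versions resolved at install time, so entries already in pnpm-lock.yaml are not re-evaluated, and 24 hours is a detection window rather than a guarantee. A suggested extra line: `# Applies only to newly resolved versions; existing lockfile entries are not re-checked.` If first-party or internal packages must be consumable on release day, pnpm's `minimumReleaseAgeExclude` list is the place for them rather than lowering the global value.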