diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2bfffb47..740c0f9a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,12 @@ scheme restriction) live in `UPGRADE-NOTES.md` and are auto-appended to every 1.4.6+ / 1.5.x release's notes by `scripts/append-upgrade-notes.mjs` (wired into `release-cut.yml`). Update that file — not this comment — when the notes change. -->
+### Security
+
+- **Documentation site (`apps/web`) js-yaml pinned to 4.2.0 ([GHSA-h67p-54hq-rp68](https://github.com/advisories/GHSA-h67p-54hq-rp68)).** `fumadocs-mdx` pulled js-yaml 4.1.1 transitively; an override forces the patched 4.2.0. Build-time dependency of the website only — not part of the shipped drydock image.
+
+- **E2E load-test harness `@opentelemetry/core` pinned to 2.8.0 ([CVE-2026-54285](https://github.com/advisories/GHSA-8988-4f7v-96qf)).** artillery pulled `@opentelemetry/core` 2.7.1 transitively, vulnerable to unbounded memory allocation in W3C Baggage propagation; an override forces the patched 2.8.0. Test-only dependency — not part of the shipped drydock image.
+
 ## [1.5.0-rc.37] — 2026-06-15
 ### Security
diff --git a/apps/web/package-lock.json b/apps/web/package-lock.json
index 3b9a7db7..0cf36d86 100644
--- a/apps/web/package-lock.json
+++ b/apps/web/package-lock.json
@@ -3976,9 +3976,19 @@
 }
 },
 "node_modules/js-yaml": {
- "version": "4.1.1",
- "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
- "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
+ "version": "4.2.0",
+ "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz",
+ "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==",
+ "funding": [
+ {
+ "type": "github",
+ "url": "https://github.com/sponsors/puzrin"
+ },
+ {
+ "type": "github",
+ "url": "https://github.com/sponsors/nodeca"
+ }
+ ],
 "license": "MIT",
 "dependencies": {
 "argparse": "^2.0.1"
diff --git a/apps/web/package.json b/apps/web/package.json
index ad8a52ae..fa841407 100644
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -50,6 +50,7 @@
 },
 "overrides": {
 "postcss": "8.5.10",
- "esbuild": "0.28.1"
+ "esbuild": "0.28.1",
+ "js-yaml": "4.2.0"
 }
 }
diff --git a/e2e/package-lock.json b/e2e/package-lock.json
index 5439e4e1..2f9a1f12 100644
--- a/e2e/package-lock.json
+++ b/e2e/package-lock.json
@@ -2423,9 +2423,9 @@
 }
 },
 "node_modules/@opentelemetry/core": {
- "version": "2.7.1",
- "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.7.1.tgz",
- "integrity": "sha512-QAqIj32AtK6+pEVNG7EOVxHdE06RP+FM5qpiEJ4RtDcFIqKUZHYhl7/7UY5efhwmwNAg7j8QbJVBLxMerc0+gw==",
+ "version": "2.8.0",
+ "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.8.0.tgz",
+ "integrity": "sha512-hd1Lfh8p545nNz+jq1Ejfz+Mn1hyLuxYn1YzTfFNrxr8urEWMNQLPf1Th8kjOH+HxwawCrtgBp8JpBUR4ZSgww==",
 "dev": true,
 "license": "Apache-2.0",
 "dependencies": {
diff --git a/e2e/package.json b/e2e/package.json
index 583edfdd..18479456 100644
--- a/e2e/package.json
+++ b/e2e/package.json
@@ -46,6 +46,7 @@
 "ws": "8.21.0",
 "yaml": "2.8.3",
 "form-data": "4.0.6",
- "protobufjs": "7.6.3"
+ "protobufjs": "7.6.3",
+ "@opentelemetry/core": "2.8.0"
 }
 }
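Review bot: The new `"js-yaml": "4.2.0"` entry under `overrides` is a top-level (blanket) override, so it rewrites every js-yaml requirement in the `apps/web` tree rather than only the one `fumadocs-mdx` declares; any transitive dependency still requesting the 3.x line (whose `safeLoad`/`safeDump` API was removed in js-yaml 4.0) would be forced onto 4.2.0 and could break the docs build. Worth confirming with `npm ls js-yaml` that only 4.x ranges remain, or scoping the override to the declaring package, e.g. `"fumadocs-mdx": { "js-yaml": "4.2.0" }`. An exact pin also means later js-yaml patch releases will not be picked up until someone edits this line, and package.json cannot carry a comment saying so, so the CHANGELOG entry or a tracking issue should record that the override is to be dropped once `fumadocs-mdx` itself requires 4.2.0 or newer.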