diff --git a/.github/workflows/eval.yaml b/.github/workflows/eval.yaml
index 15b1277..80035a0 100644
--- a/.github/workflows/eval.yaml
+++ b/.github/workflows/eval.yaml
@@ -28,11 +28,14 @@ jobs:
         with:
           node-version: 22
 
-      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        with:
+          version: 10.33.0
 
       - name: Install Dependencies
         id: install
-        run: pnpm install
+        run: pnpm install --frozen-lockfile
 
       - name: Build packages
         id: build
diff --git a/.github/workflows/js.yaml b/.github/workflows/js.yaml
index 1ac13a4..da03f4f 100644
--- a/.github/workflows/js.yaml
+++ b/.github/workflows/js.yaml
@@ -29,8 +29,11 @@ jobs:
         uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
         with:
           node-version: ${{ matrix.node-version }}
-      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-      - run: pnpm install
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        with:
+          version: 10.33.0
+      - run: pnpm install --frozen-lockfile
       - run: pnpm run test
         env:
           OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
diff --git a/CLAUDE.md b/CLAUDE.md
index d17cb16..3853737 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -11,9 +11,9 @@ Autoevals is a dual-language library (TypeScript + Python) for evaluating AI mod
 ### TypeScript (in root directory)
 
 ```bash
-pnpm install          # Install dependencies
-pnpm run build        # Build JS (outputs to jsdist/)
-pnpm run test         # Run all JS tests with vitest
+pnpm install --frozen-lockfile          # Install dependencies
+pnpm run build                          # Build JS (outputs to jsdist/)
+pnpm run test                           # Run all JS tests with vitest
 pnpm run test -- js/llm.test.ts                    # Run single test file
 pnpm run test -- -t "test name"                    # Run specific test by name
 ```
diff --git a/Makefile b/Makefile
index ea25a3e..af6c06e 100644
--- a/Makefile
+++ b/Makefile
@@ -41,4 +41,4 @@ test-py:
 	source env.sh && python3 -m pytest
 
 test-js:
-	pnpm install && pnpm run test
+	pnpm install --frozen-lockfile && pnpm run test
diff --git a/mise.toml b/mise.toml
index 56de0c1..2f9748c 100644
--- a/mise.toml
+++ b/mise.toml
@@ -9,4 +9,5 @@ _.python.venv = { path = "venv", create = true, uv_create_args = ['--seed']}
 _.file = ".env"
 
 [tools]
-pnpm = "10.26.2"
+pnpm = "10.33.0"
+npm = "11.11.1"
diff --git a/package.json b/package.json
index 7f82577..e283ed4 100644
--- a/package.json
+++ b/package.json
@@ -55,5 +55,5 @@
     "zod": "^3.25.76",
     "zod-to-json-schema": "^3.24.6"
   },
-  "packageManager": "pnpm@10.26.2"
+  "packageManager": "pnpm@10.33.0"
 }
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index a145757..706a93a 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -6,3 +6,11 @@ ignoredBuiltDependencies:
   - duckdb
   - esbuild
   - msw
+
+strictDepBuilds: true
+blockExoticSubdeps: true
+trustPolicy: no-downgrade
+# Ignore the check for packages published more than 30 days ago (pnpm 10.27+)
+# Useful for older packages that pre-date provenance support
+trustPolicyIgnoreAfter: 43200 # minutes (30 days)
+minimumReleaseAge: 20160 # 2 weeks (in minutes)