diff --git a/docs/package.json b/docs/package.json
index dafcc46f459..24f86dee7d5 100644
--- a/docs/package.json
+++ b/docs/package.json
@@ -55,12 +55,5 @@
       "last 1 firefox version",
       "last 1 safari version"
     ]
-  },
-  "resolutions": {
-    "dompurify": "^3.4.0",
-    "lodash": "^4.18.1",
-    "lodash-es": "^4.18.1",
-    "serialize-javascript": "^7.0.5",
-    "uuid": "^14.0.0"
   }
 }
diff --git a/docs/pnpm-workspace.yaml b/docs/pnpm-workspace.yaml
index d08707d5eee..09154b01cdd 100644
--- a/docs/pnpm-workspace.yaml
+++ b/docs/pnpm-workspace.yaml
@@ -1,4 +1,16 @@
 # https://pnpm.io/supply-chain-security
 
+allowBuilds:
+  core-js: false
+  core-js-pure: false
+  esbuild: false
+  puppeteer: false
 blockExoticSubdeps: true
 minimumReleaseAge: 10080 # 7 days
+
+overrides:
+  dompurify: ^3.4.0
+  lodash: ^4.18.1
+  lodash-es: ^4.18.1
+  serialize-javascript: ^7.0.5
+  uuid: ^14.0.0
diff --git a/mise.toml b/mise.toml
index 5bd41cf0111..b60d6d40423 100644
--- a/mise.toml
+++ b/mise.toml
@@ -269,4 +269,4 @@ tools.cargo-insta = "1.46"
 cargo-binstall = "1.17"
 go = "1.26"
 node = "24"
-pnpm = "10"
+pnpm = "11"
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
new file mode 100644
index 00000000000..59089ac5b70
--- /dev/null
+++ b/pnpm-workspace.yaml
@@ -0,0 +1,12 @@
+# https://pnpm.io/supply-chain-security
+#
+# Used by the Cloudflare Pages deploy CI step which runs `pnpm add wrangler`
+# at the repo root. wrangler pulls in workerd (local runtime) and esbuild;
+# both postinstalls are denied because `wrangler pages deploy` only uploads
+# pre-built static files and does not need either.
+
+blockExoticSubdeps: true
+
+allowBuilds:
+  esbuild: false
+  workerd: false