diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 39811e0..fa69a86 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,7 +19,7 @@ jobs:
       # the comment records the human-readable version for reviewable bumps.
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
 
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4.4.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version: ${{ matrix.node-version }}
           cache: npm
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8cec537..d50f192 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,7 +23,7 @@ jobs:
       # publishing), npm CLI sees an empty `_authToken=` and skips the
       # OIDC token exchange — the actual PUT then 404s anonymously even
       # though the provenance signing step succeeded.
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4.4.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version: '20'
           cache: npm