diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6aeda22..0b56a5d 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,9 +12,9 @@ jobs:
       contents: read
       packages: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v6
         with:
           node-version-file: ".nvmrc"
           registry-url: "https://registry.npmjs.org"
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 912608f..f5b55d8 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -1,15 +1,15 @@
 name: Security
 
-on: [push, workflow_dispatch]
+on: [push, pull_request, workflow_dispatch]
 
 jobs:
   vuln-dep-check:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       - name: Install node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version-file: '.nvmrc'
           cache: npm
@@ -24,6 +24,6 @@ jobs:
     container:
       image: returntocorp/semgrep
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - run: semgrep ci
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index e617254..fe436f2 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -8,13 +8,24 @@ jobs:
   unit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Install node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v6
         with:
           node-version-file: '.nvmrc'
           cache: npm
-      - run: npm ci
-      - run: npm run format:check
-      - run: npm run test
-      - run: npx tsc
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Validate lockfile
+        run: npm install --package-lock-only && git diff --exit-code package-lock.json
+
+      - name: Check formatting
+        run: npm run format:check
+
+      - name: Run tests
+        run: npm run test
+
+      - name: Type check
+        run: npx tsc
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000..a7ae366
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1,2 @@
+min-release-age=2
+engine-strict=true
diff --git a/.nvmrc b/.nvmrc
index 32f8c50..b832e40 100644
--- a/.nvmrc
+++ b/.nvmrc
@@ -1 +1 @@
-24.13.1
+24.16.0
diff --git a/package.json b/package.json
index 8ba4ec3..0075e51 100644
--- a/package.json
+++ b/package.json
@@ -7,8 +7,21 @@
     "test": "vitest run",
     "format:check": "prettier --check index.js",
     "format": "prettier --write index.js",
+    "audit:fix": "npm audit fix --min-release-age=0",
     "prepublishOnly": "node scripts/update-version.js && npx tsc"
   },
+  "devEngines": {
+    "runtime": {
+      "name": "node",
+      "version": ">=24.16.0",
+      "onFail": "error"
+    },
+    "packageManager": {
+      "name": "npm",
+      "version": ">=11.13.0",
+      "onFail": "error"
+    }
+  },
   "keywords": [
     "Atomic",
     "Transact",