diff --git a/.github/workflows/plugin-ci.yaml b/.github/workflows/plugin-ci.yaml
index 4512b15..23295ef 100644
--- a/.github/workflows/plugin-ci.yaml
+++ b/.github/workflows/plugin-ci.yaml
@@ -159,7 +159,9 @@ jobs:
 - name: Security audit
 run: |
 if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
- pnpm audit --audit-level=high
+ pnpm audit --prod --audit-level=high
+ # --prod excludes devDependencies (vite, vitest, build tools);
+ # shipped plugin tarball contains only main.js + package.json
 else
 npm audit --omit=dev
 fi
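Review bot: The added `--prod` in the pnpm branch relies on the comment's claim that only `main.js` + `package.json` ship, but if `main.js` is a bundle, any library compiled into it that is declared under `devDependencies` now escapes the audit although its code is shipped. package.json is not visible in this hunk, so that should be confirmed before merging. The build tools named in the comment (vite, vitest) also run in CI and produce the artifact, so advisories against them still matter for build integrity even when they do not reach runtime. I would keep the blocking check as written and follow it with a non-blocking full-tree pass, e.g. `pnpm audit --audit-level=critical || echo "::warning::advisories in devDependencies"`. Separately, the npm branch sets no `--audit-level`, so the two package managers are probably held to different severity thresholds.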