diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 8ba9c0a2c..e6e4d6732 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -6,6 +6,7 @@ settings:
 
 overrides:
   '@types/eslint': npm:eslint@^9.29.0
+  undici-types: 6.25.0
 
 packageExtensionsChecksum: sha256-rdbANl8hjpnNG8qUMslbCFEMICC6FTXRU3j5fUoQ82Y=
 
@@ -12286,14 +12287,8 @@ packages:
     resolution: {integrity: sha512-nWJ91DjeOkej/TA8pXQ3myruKpKEYgqvpw9lz4OPHj/NWFNluYrjbz9j01CJ8yKQd2g4jFoOkINCTW2I5LEEyw==}
     engines: {node: '>= 0.4'}
 
-  undici-types@5.26.5:
-    resolution: {integrity: sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==}
-
-  undici-types@6.21.0:
-    resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==}
-
-  undici-types@7.24.4:
-    resolution: {integrity: sha512-cRaY9PagdEZoRmcwzk3tUV3SVGrVQkR6bcSilav/A0vXsfpW4Lvd0BvgRMwTEDTLLGN+QdyBTG+nnvTgJhdt6w==}
+  undici-types@6.25.0:
+    resolution: {integrity: sha512-vOw74RVVYFtnooUkZPxsY1GuuNNupSrCcANIAaDekpZ/Dp1sBuLLl5n2UCKpzxgmOwD66S4Jj24MrhmcDG+0vw==}
 
   undici@6.23.0:
     resolution: {integrity: sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==}
@@ -18832,7 +18827,7 @@ snapshots:
       '@types/node': 22.19.0
       '@types/tough-cookie': 4.0.5
       parse5: 7.3.0
-      undici-types: 7.24.4
+      undici-types: 6.25.0
 
   '@types/json-schema@7.0.15': {}
 
@@ -18860,15 +18855,15 @@ snapshots:
 
   '@types/node@18.19.130':
     dependencies:
-      undici-types: 5.26.5
+      undici-types: 6.25.0
 
   '@types/node@20.19.25':
     dependencies:
-      undici-types: 6.21.0
+      undici-types: 6.25.0
 
   '@types/node@22.19.0':
     dependencies:
-      undici-types: 6.21.0
+      undici-types: 6.25.0
 
   '@types/normalize-package-data@2.4.4': {}
 
@@ -26538,11 +26533,7 @@ snapshots:
       has-symbols: 1.1.0
       which-boxed-primitive: 1.1.1
 
-  undici-types@5.26.5: {}
-
-  undici-types@6.21.0: {}
-
-  undici-types@7.24.4: {}
+  undici-types@6.25.0: {}
 
   undici@6.23.0: {}
 
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 773bfc338..029d3fb33 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -8,4 +8,19 @@ overrides:
   # and to eslint for another instance, causing a conflict.
   # This should not be an issue for end users, but it is a problem for the monorepo.
   '@types/eslint': 'npm:eslint@^9.29.0'
+  # undici-types@6.21.0 dropped provenance attestation (present in earlier and later versions),
+  # which triggers trustPolicy: no-downgrade. Force to latest 6.x which has provenance.
+  undici-types: '6.25.0'
 engineStrict: true
+updateNotifier: false
+blockExoticSubdeps: true
+minimumReleaseAge: 4320
+minimumReleaseAgeExclude:
+  - '@mui/internal-*'
+trustPolicy: no-downgrade
+# Skip trust-policy checks for packages published more than 365 days ago.
+# Several widely-used packages (semver, reselect, @octokit/*) dropped provenance attestation
+# for specific releases, triggering false-positive trust-downgrade errors. Packages that old
+# have had ample time for community review; supply-chain attacks are most relevant within a
+# shorter window.
+trustPolicyIgnoreAfter: 525600