diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4163539..775e272 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,7 +26,27 @@ jobs:
 - name: Compile
 run: pnpm build
+ security:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v6
+
+ - name: Set up node
+ uses: actions/setup-node@v6
+
+ - name: Install pnpm
+ uses: pnpm/action-setup@v4
+
+ - name: Install dependencies
+ run: pnpm install --frozen-lockfile
+
+ - name: Run security audit
+ run: pnpm audit --audit-level=high
+
 test:
+ needs: [ compile ]
 runs-on: ubuntu-latest
 steps:
@@ -46,7 +66,7 @@ jobs:
 run: pnpm test
 publish:
- needs: [ compile, test ]
+ needs: [ compile, test, security ]
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
 runs-on: ubuntu-latest
 permissions:
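Review bot: The new `security` job pulls its three actions by mutable tag (`actions/checkout@v6`, `actions/setup-node@v6`, `pnpm/action-setup@v4`) and declares no `permissions:`, so whatever those tags resolve to at run time executes with the workflow's default token scope. Pin each `uses:` to a full commit SHA with the tag kept as a comment, e.g. `uses: pnpm/action-setup@<full-commit-sha> # v4`, and give the job `permissions:` with `contents: read` unless a workflow-level block outside this hunk already restricts it. The `Install dependencies` step may also be unnecessary: as far as I know `pnpm audit` works from `pnpm-lock.yaml`, so dropping the install, or running it as `pnpm install --frozen-lockfile --ignore-scripts`, avoids executing dependency lifecycle scripts in the job meant to vet them.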
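Review bot: The `if:` on `publish`, unchanged but visible in this hunk, uses `contains(github.ref, 'refs/tags/')`, a substring match that is also true for a branch ref whose name includes that text, so the new `security` gate protects a job that can still be entered from a non-tag push. Prefer an anchored check, `if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')`, or test `github.ref_type == 'tag'` instead. The rest of the `publish` job, including the body of its `permissions:` block, lies outside the hunk, so what the job can do with its token cannot be judged from here.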