diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8b79f5e..ccedd30 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,7 +17,7 @@ jobs:
       # SHA-pinned per /cso security review (v0.1.10). Floating tags are mutable;
       # SHAs are not. Dependabot bumps these in .github/dependabot.yml.
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: ${{ matrix.node }}
       - name: syntax check