diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml
index ca5ec547..7016bbca 100644
--- a/.github/workflows/quality-gate.yml
+++ b/.github/workflows/quality-gate.yml
@@ -628,11 +628,14 @@ jobs:
 with:
 node-version: '20'
- - name: Web — npm audit (high + critical)
+ - name: Web — npm audit (high + critical, production deps only)
 working-directory: ./web
 run: |
 npm install
- npm audit --audit-level=high
+ # Audit only production dependencies. Build tooling (vite, esbuild,
+ # vite-plugin-node-polyfills → elliptic, etc.) ships to no user, and
+ # advisories on those dev deps kept blocking production deploys.
+ npm audit --audit-level=high --omit=dev
 - name: TruffleHog — PR diff (verified secrets only)
 if: github.event_name == 'pull_request'
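Review bot: The rationale in the added comment does not hold for the `vite-plugin-node-polyfills → elliptic` example it cites: that plugin's purpose is to bundle Node core shims into the browser output, so if the web bundle uses its `crypto` shim, `elliptic` is code users do run, and `npm audit --omit=dev` now hides advisories against it. Deciding what to audit by the dependencies/devDependencies split is fragile in general, because what ships is whatever the bundler's build graph resolves, not which package.json section a package sits in. I would keep the narrowed blocking gate only next to a non-blocking full audit so dev-tree advisories stay visible instead of silently dropped, and record any accepted advisory explicitly (ID and reason) in the comment rather than excluding the whole dev tree. The step also still runs `npm install` (context line above the audit), which can resolve and even rewrite the lockfile; `npm ci` installs exactly the committed lockfile, so the audited tree is the one that actually deploys.

```yaml
      - name: Web — npm audit (high + critical, production deps only)
        working-directory: ./web
        run: |
          npm ci
          npm audit --audit-level=high --omit=dev

      # Advisory only: surfaces dev-tooling advisories without blocking deploys.
      - name: Web — npm audit (all deps, non-blocking)
        working-directory: ./web
        continue-on-error: true
        run: npm audit --audit-level=high
```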