diff --git a/.github/workflows/Semgrep.yml b/.github/workflows/Semgrep.yml
index 0347afd5..0d1b81f4 100644
--- a/.github/workflows/Semgrep.yml
+++ b/.github/workflows/Semgrep.yml
@@ -27,7 +27,9 @@ jobs:
 container:
 # A Docker image with Semgrep installed. Do not change this.
- image: returntocorp/semgrep
+ # Pinned to a digest for supply-chain integrity (APS-19017 / INF-007).
+ # returntocorp/semgrep:latest as of 2026-06-15.
+ image: returntocorp/semgrep@sha256:f4791a54c891eabe1188248135574e6e03dfc31dfd3f3b747c7bec7079bfed1b
 # Skip any PR created by dependabot to avoid permission issues:
 if: (github.actor != 'dependabot[bot]')
diff --git a/package.json b/package.json
index 58b3002c..7dc70feb 100644
--- a/package.json
+++ b/package.json
@@ -3,6 +3,11 @@
 "version": "1.36.9",
 "description": "BrowserStack Cypress CLI for Cypress integration with BrowserStack's remote devices.",
 "main": "index.js",
+ "files": [
+ "bin/",
+ "README.md",
+ "LICENSE.md"
+ ],
 "scripts": {
 "test": "nyc mocha 'test/**/*.js' --recursive --timeout 60000 --exit"
 },
@@ -30,7 +35,6 @@
 "glob": "^7.2.0",
 "https-proxy-agent": "^5.0.1",
 "mkdirp": "1.0.4",
- "mocha": "^10.2.0",
 "node-ipc": "9.1.1",
 "table": "5.4.6",
 "tsc-alias": "^1.8.16",
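Review bot: The retained comment `Do not change this.` in .github/workflows/Semgrep.yml now sits directly above a digest that has to be changed on every scanner upgrade, and the new comment records only `:latest as of 2026-06-15`, which cannot be mapped back to a Semgrep release later. A digest pin also freezes the scanner and whatever it bundles, so without a scheduled bump the job keeps running an ageing image with no signal that it is stale. I would reword the comments along the lines of `# Pinned by digest; update deliberately and record the release tag the digest was resolved from.` and name that tag next to the date. Whether an automated updater covers this `container.image` field is not visible in the diff, so that is worth confirming before merge.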
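Review bot: The new `files` allowlist in package.json ships only `bin/` plus the README and licence, while `main` still points at `index.js` in the package root. npm adds the `main` file to the tarball on its own, but anything that it, or code under `bin/`, requires from outside `bin/` would be absent from the published package; the diff does not show the directory layout, so this needs checking rather than assuming. Running `npm pack --dry-run` in CI and comparing the listed files against an expected manifest would catch both a missing runtime file and an unintended extra one. The `README.md` and `LICENSE.md` entries are redundant because npm always includes them, though they are harmless.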