diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index cb571983d463..ab14ec838238 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -25,25 +25,14 @@ updates:
     schedule:
       interval: "daily"
     open-pull-requests-limit: 20
-    ignore:
-    # Locked test resources for pinot-spi/src/test/java/org/apache/pinot/spi/plugin/ClassLoaderTest.java.
-    # These artifacts are pinned in pinot-spi/pom.xml (maven-dependency-plugin artifactItems) because
-    # ClassLoaderTest asserts plugin realm isolation against known artifact contents. Dependabot's
-    # `versions` filter is matched against the *target* version of an update, so we use range filters
-    # (">= <next>") to block every bump to a newer version for these coordinates.
-    #
-    # Caveat: these rules apply repo-wide by coordinate. pinot-dropwizard / pinot-yammer /
-    # com.yammer.metrics:metrics-core are not referenced anywhere else, so locking them is safe.
-    # commons-io:commons-io is also consumed in the top-level pom.xml at a newer version, so it is
-    # intentionally NOT locked here; Dependabot may still open PRs that also modify the hardcoded
-    # 2.11.0 in pinot-spi/pom.xml — reviewers must revert that part manually (see the DO NOT BUMP
-    # comment next to the <version>2.11.0</version> entry in pinot-spi/pom.xml).
-    - dependency-name: "org.apache.pinot:pinot-dropwizard"
-      versions: [">= 0.10.1"]
-    - dependency-name: "org.apache.pinot:pinot-yammer"
-      versions: [">= 0.10.1"]
-    - dependency-name: "com.yammer.metrics:metrics-core"
-      versions: [">= 2.1.6"]
+    # No `ignore` rules needed for the ClassLoaderTest pinned test fixtures
+    # (pinot-dropwizard, pinot-yammer, commons-io, com.yammer.metrics:metrics-core).
+    # Those fixtures are resolved by pinot-spi/pom.xml via maven-dependency-plugin's
+    # `dependency:get` goal using single-string <artifact>groupId:artifactId:version</artifact>
+    # parameters — Dependabot's Maven updater scans structured groupId+artifactId+version
+    # triples inside <dependency>, <plugin>, and <artifactItem> blocks, not single-string
+    # <artifact> values in plugin configuration, so the pinned coordinates are invisible
+    # to Dependabot and no ignore rule is required.
 
   - package-ecosystem: "npm"
     directory: "/pinot-controller/src/main/resources"
diff --git a/pinot-spi/pom.xml b/pinot-spi/pom.xml
index fca66c6cc345..50cb2c700dd5 100644
--- a/pinot-spi/pom.xml
+++ b/pinot-spi/pom.xml
@@ -50,90 +50,141 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-dependency-plugin</artifactId>
-        <executions>
-          <execution>
-            <id>copy-pinot-plugins</id>
-            <!-- The org.apache.pinot.spi.plugin.ClassLoaderTest has tests that requires plugin jars.
-                 These jars could have been added to src/test/resources/plugins, but that would increase the size of
-                 source repository a lot. Instead, let Maven download these jars and put them at the expected location.
+        <!-- ClassLoaderTest fixture resolution.
 
-                 DO NOT replace its versions with ${project.version}, as the ClassLoaderTest depends on the existence
-                 and non-existence of classes in these jars.
+             The org.apache.pinot.spi.plugin.ClassLoaderTest validates plugin classloader/realm isolation
+             against pinned versions of real plugin jars. The jars could have been checked in under
+             src/test/resources/plugins, but that would bloat the source repository, so we let Maven
+             download them on demand.
 
-                 DO NOT BUMP the hardcoded versions below. They are intentionally pinned test fixtures used by
-                 ClassLoaderTest to validate plugin realm isolation against known artifact contents. Corresponding
-                 ignore rules live in .github/dependabot.yml, but Dependabot cannot always distinguish these locked
-                 references from other uses of the same coordinate elsewhere in the repo (e.g., commons-io is also
-                 consumed at a newer version in the top-level pom.xml), so Dependabot may still open PRs that touch
-                 this file. Reviewers: reject any change to the versions below.
-            -->
+             DO NOT replace these versions with ${project.version}, as the test depends on the presence
+             (and absence) of specific classes in those exact jars. DO NOT BUMP the hardcoded versions
+             below — they are deliberately frozen test fixtures.
+
+             Why dependency:get with a single-string <artifact> instead of <artifactItem> blocks?
+             Dependabot's Maven updater scans <dependency>, <plugin>, and <artifactItem> blocks for
+             structured groupId+artifactId+version triples; it does NOT parse single-string
+             <artifact>...</artifact> values inside plugin configuration. Using <artifactItem> here
+             gave Dependabot a coordinate to "upgrade" and produced repeated noise PRs (e.g. #18331).
+             For coordinates that are not consumed elsewhere in the repo, a `versions: [">= <next>"]`
+             ignore rule in .github/dependabot.yml would suppress those PRs, but commons-io is also
+             consumed at a newer version in the top-level pom.xml, so a repo-wide ignore would block
+             legitimate upgrades. To keep the mechanism uniform across all the pinned fixtures (and
+             defensive against any future shared-coordinate situation), we route every fixture through
+             dependency:get + antrun copy/unzip from ${settings.localRepository}.
+
+             dependency:get goes through Maven's normal resolution chain (local cache, configured
+             mirrors, authenticated repos, SHA-1 checksum validation), so offline/mirrored builds keep
+             working and artifact integrity is verified.
+
+             The companion antrun execution `stage-classloadertest-fixtures` copies the resolved jars
+             from ${settings.localRepository} into target/test-classes/plugins/ with the literal
+             filenames ClassLoaderTest asserts on (see CodeSource.getLocation().getPath().endsWith(...)
+             checks in the test).
+        -->
+        <executions>
+          <execution>
+            <id>fetch-classloadertest-fixture-pinot-dropwizard-shaded</id>
             <phase>generate-test-resources</phase>
             <goals>
-              <goal>copy</goal>
+              <goal>get</goal>
             </goals>
             <configuration>
-              <artifactItems>
-                <artifactItem>
-                  <groupId>org.apache.pinot</groupId>
-                  <artifactId>pinot-dropwizard</artifactId>
-                  <version>0.10.0</version> <!-- PINNED test fixture: DO NOT BUMP -->
-                  <classifier>shaded</classifier>
-                  <outputDirectory>${project.build.testOutputDirectory}/plugins/pinot-dropwizard</outputDirectory>
-                </artifactItem>
-                <artifactItem>
-                  <groupId>org.apache.pinot</groupId>
-                  <artifactId>pinot-yammer</artifactId>
-                  <version>0.10.0</version> <!-- PINNED test fixture: DO NOT BUMP -->
-                  <classifier>shaded</classifier>
-                  <outputDirectory>${project.build.testOutputDirectory}/plugins/pinot-yammer</outputDirectory>
-                </artifactItem>
-                <artifactItem>
-                  <groupId>org.apache.pinot</groupId>
-                  <artifactId>pinot-yammer</artifactId>
-                  <version>0.10.0</version> <!-- PINNED test fixture: DO NOT BUMP -->
-                  <classifier>shaded</classifier>
-                  <outputDirectory>${project.build.testOutputDirectory}/plugins/pinot-shaded-yammer</outputDirectory>
-                </artifactItem>
-                <artifactItem>
-                  <groupId>commons-io</groupId>
-                  <artifactId>commons-io</artifactId>
-                  <version>2.11.0</version> <!-- PINNED test fixture: DO NOT BUMP (asserted by ClassLoaderTest) -->
-                  <outputDirectory>${project.build.testOutputDirectory}/plugins/assemblybased-pinot-plugin</outputDirectory>
-                </artifactItem>
-                <artifactItem>
-                  <groupId>com.yammer.metrics</groupId>
-                  <artifactId>metrics-core</artifactId>
-                  <version>2.1.5</version> <!-- PINNED test fixture: DO NOT BUMP -->
-                  <outputDirectory>${project.build.testOutputDirectory}/plugins/assemblybased-pinot-plugin</outputDirectory>
-                </artifactItem>
-              </artifactItems>
+              <artifact>org.apache.pinot:pinot-dropwizard:0.10.0:jar:shaded</artifact>
+              <transitive>false</transitive>
             </configuration>
           </execution>
           <execution>
-            <id>unpack-pinot-plugins</id>
-            <!-- The org.apache.pinot.spi.plugin.ClassLoaderTest has tests that requires plugin jars.
-                 These jars could have been added to src/test/resources/plugins, but that would increase the size of
-                 source repository a lot. Instead, let Maven download these jars and put them at the expected location.
-
-                 DO NOT replace its versions with ${project.version}, as the ClassLoaderTest depends on the existence
-                 and non-existence of classes in these jars.
+            <id>fetch-classloadertest-fixture-pinot-yammer-shaded</id>
+            <phase>generate-test-resources</phase>
+            <goals>
+              <goal>get</goal>
+            </goals>
+            <configuration>
+              <artifact>org.apache.pinot:pinot-yammer:0.10.0:jar:shaded</artifact>
+              <transitive>false</transitive>
+            </configuration>
+          </execution>
+          <execution>
+            <id>fetch-classloadertest-fixture-pinot-yammer</id>
+            <phase>generate-test-resources</phase>
+            <goals>
+              <goal>get</goal>
+            </goals>
+            <configuration>
+              <artifact>org.apache.pinot:pinot-yammer:0.10.0</artifact>
+              <transitive>false</transitive>
+            </configuration>
+          </execution>
+          <execution>
+            <id>fetch-classloadertest-fixture-metrics-core</id>
+            <phase>generate-test-resources</phase>
+            <goals>
+              <goal>get</goal>
+            </goals>
+            <configuration>
+              <artifact>com.yammer.metrics:metrics-core:2.1.5</artifact>
+              <transitive>false</transitive>
+            </configuration>
+          </execution>
+          <execution>
+            <id>fetch-classloadertest-fixture-commons-io</id>
+            <phase>generate-test-resources</phase>
+            <goals>
+              <goal>get</goal>
+            </goals>
+            <configuration>
+              <artifact>commons-io:commons-io:2.11.0</artifact>
+              <transitive>false</transitive>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-antrun-plugin</artifactId>
+        <executions>
+          <execution>
+            <id>stage-classloadertest-fixtures</id>
+            <!-- Stages the ClassLoaderTest fixture jars from ${settings.localRepository} into
+                 target/test-classes/plugins/ with the literal filenames the test asserts on.
+                 See the rationale comment on the maven-dependency-plugin block above.
 
-                 DO NOT BUMP the hardcoded version below. See the matching notice in the copy-pinot-plugins
-                 execution above and the ignore rules in .github/dependabot.yml.
+                 Ordering: this execution must run AFTER all `fetch-classloadertest-fixture-*`
+                 executions. Both plugins bind to generate-test-resources; cross-plugin executions
+                 in the same phase run in plugin declaration order, so maven-dependency-plugin
+                 must remain declared before maven-antrun-plugin in <build><plugins>.
             -->
             <phase>generate-test-resources</phase>
             <goals>
-              <goal>unpack</goal>
+              <goal>run</goal>
             </goals>
             <configuration>
-              <artifactItems>
-                <artifactItem>
-                  <groupId>org.apache.pinot</groupId>
-                  <artifactId>pinot-yammer</artifactId>
-                  <version>0.10.0</version> <!-- PINNED test fixture: DO NOT BUMP -->
-                  <outputDirectory>${project.build.testOutputDirectory}/plugins/assemblybased-pinot-plugin/classes</outputDirectory>
-                </artifactItem>
-              </artifactItems>
+              <target>
+                <!-- pinot-dropwizard 0.10.0 (shaded) -->
+                <mkdir dir="${project.build.testOutputDirectory}/plugins/pinot-dropwizard"/>
+                <copy file="${settings.localRepository}/org/apache/pinot/pinot-dropwizard/0.10.0/pinot-dropwizard-0.10.0-shaded.jar"
+                      todir="${project.build.testOutputDirectory}/plugins/pinot-dropwizard"/>
+                <!-- pinot-yammer 0.10.0 (shaded) -->
+                <mkdir dir="${project.build.testOutputDirectory}/plugins/pinot-yammer"/>
+                <copy file="${settings.localRepository}/org/apache/pinot/pinot-yammer/0.10.0/pinot-yammer-0.10.0-shaded.jar"
+                      todir="${project.build.testOutputDirectory}/plugins/pinot-yammer"/>
+                <!-- pinot-yammer 0.10.0 (shaded) — staged again under a different plugin name
+                     so the test exercises the legacy shaded-jar PluginClassloader code path. -->
+                <mkdir dir="${project.build.testOutputDirectory}/plugins/pinot-shaded-yammer"/>
+                <copy file="${settings.localRepository}/org/apache/pinot/pinot-yammer/0.10.0/pinot-yammer-0.10.0-shaded.jar"
+                      todir="${project.build.testOutputDirectory}/plugins/pinot-shaded-yammer"/>
+                <!-- assemblybased-pinot-plugin: commons-io 2.11.0 + metrics-core 2.1.5 placed
+                     side-by-side, plus the unpacked classes from pinot-yammer 0.10.0. -->
+                <mkdir dir="${project.build.testOutputDirectory}/plugins/assemblybased-pinot-plugin"/>
+                <copy file="${settings.localRepository}/commons-io/commons-io/2.11.0/commons-io-2.11.0.jar"
+                      todir="${project.build.testOutputDirectory}/plugins/assemblybased-pinot-plugin"/>
+                <copy file="${settings.localRepository}/com/yammer/metrics/metrics-core/2.1.5/metrics-core-2.1.5.jar"
+                      todir="${project.build.testOutputDirectory}/plugins/assemblybased-pinot-plugin"/>
+                <mkdir dir="${project.build.testOutputDirectory}/plugins/assemblybased-pinot-plugin/classes"/>
+                <unzip src="${settings.localRepository}/org/apache/pinot/pinot-yammer/0.10.0/pinot-yammer-0.10.0.jar"
+                       dest="${project.build.testOutputDirectory}/plugins/assemblybased-pinot-plugin/classes"/>
+              </target>
             </configuration>
           </execution>
         </executions>