diff --git a/.changeset/bright-discovery-talk.md b/.changeset/bright-discovery-talk.md
new file mode 100644
index 0000000000..34d567ec74
--- /dev/null
+++ b/.changeset/bright-discovery-talk.md
@@ -0,0 +1,5 @@
+---
+"@workflow/web": patch
+---
+
+Disable Vite minification so the published build contains readable code, reducing false-positive obfuscation flags from supply chain security scanners (Socket).
diff --git a/packages/web/vite.config.ts b/packages/web/vite.config.ts
index b44148336f..781f13dc78 100644
--- a/packages/web/vite.config.ts
+++ b/packages/web/vite.config.ts
@@ -10,6 +10,13 @@ export default defineConfig(({ command, isSsrBuild }) => ({
 isSsrBuild && !process.env.VERCEL
 ? { input: './server/app.ts' }
 : undefined,
+ // Disable minification so the published npm package contains readable
+ // code. Without this, Vite's esbuild minifier produces single-line
+ // mega-bundles that supply-chain security scanners (e.g. Socket) flag
+ // as "obfuscated code". The app is a self-hosted observability tool
+ // where the unminified size difference is negligible — gzip/brotli at
+ // the serving layer compresses the wire payload regardless.
+ minify: false,
 },
 // Bundle all dependencies into the server build so that @workflow/web
 // can be installed and run without needing any of the UI dependencies
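Review bot: `minify: false` in the vite.config.ts hunk is applied unconditionally, while the comment justifies it only for the published npm package; the ternary just above already branches on `process.env.VERCEL`, so hosted builds from this config would presumably lose minification too. If only the npm artifact needs to be readable, consider scoping it along the lines of `minify: process.env.VERCEL ? 'esbuild' : false,`, after checking what that does to the SSR build that the same options object configures. The gzip/brotli sentence describes what each self-hosted deployment is expected to do, not something this config enforces, so I would phrase it as `// assumes the serving layer applies gzip/brotli; not enforced here`. The comment could also say that readable output only makes the bundle reviewable by scanners and people; the dependencies bundled into the build (per the comment below) are still not visible to manifest-based scanning. The enclosing options object starts outside the hunk.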