diff --git a/.changeset/slick-hands-change.md b/.changeset/slick-hands-change.md
new file mode 100644
index 000000000000..4c4fb0bff53d
--- /dev/null
+++ b/.changeset/slick-hands-change.md
@@ -0,0 +1,5 @@
+---
+"create-cloudflare": patch
+---
+
+Remove duplicate references to `./worker-configuration.d.ts` in the React template's `tsconfig.worker.json` file.
diff --git a/.changeset/warm-numbers-smell.md b/.changeset/warm-numbers-smell.md
new file mode 100644
index 000000000000..4efaeb4e7e6e
--- /dev/null
+++ b/.changeset/warm-numbers-smell.md
@@ -0,0 +1,22 @@
+---
+"miniflare": patch
+"@cloudflare/vitest-pool-workers": patch
+---
+
+Bundle the `zod` dependency to reduce supply chain attack surface
+
+In order to prevent possible npm vulnerability attacks, the team's policy is to bundle
+dependencies in our packages where possible. This helps ensure that only trusted code
+runs on the user's system, even if compromised packages are later published to npm.
+
+This change bundles `zod` (a pure JavaScript validation library with no native dependencies)
+into miniflare and @cloudflare/vitest-pool-workers.
+
+Other dependencies remain external for technical reasons:
+
+- `sharp`: Native binary with platform-specific builds
+- `undici`: Dynamically required at runtime in worker threads
+- `ws`: Has optional native bindings for performance
+- `workerd`: Native binary (Cloudflare's JavaScript runtime)
+- `@cspotcode/source-map-support`: Uses require.cache manipulation at runtime
+- `youch`: Dynamically required for lazy loading
diff --git a/.gitignore b/.gitignore
index c6d2fbc22689..6ff3efa30cdf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -231,4 +231,5 @@ dist/**
 !.env.example
 .node-cache/
-AGENTS.local.md
\ No newline at end of file
+AGENTS.local.md
+.opencode/plans/
\ No newline at end of file
diff --git a/packages/create-cloudflare/templates/react/workers/ts/tsconfig.worker.json b/packages/create-cloudflare/templates/react/workers/ts/tsconfig.worker.json
index 2acc852185d1..38c0515a4d23 100644
--- a/packages/create-cloudflare/templates/react/workers/ts/tsconfig.worker.json
+++ b/packages/create-cloudflare/templates/react/workers/ts/tsconfig.worker.json
@@ -4,5 +4,5 @@
 "tsBuildInfoFile": "./node_modules/.tmp/tsconfig.worker.tsbuildinfo",
 "types": ["./worker-configuration.d.ts", "vite/client"],
 },
- "include": ["./worker-configuration.d.ts", "./worker"]
+ "include": ["worker"]
 }
diff --git a/packages/miniflare/package.json b/packages/miniflare/package.json
index 3603170a0ba7..52e6429c8d34 100644
--- a/packages/miniflare/package.json
+++ b/packages/miniflare/package.json
@@ -48,8 +48,7 @@
 "undici": "catalog:default",
 "workerd": "1.20260123.0",
 "ws": "catalog:default",
- "youch": "4.1.0-beta.10",
- "zod": "^3.25.76"
+ "youch": "4.1.0-beta.10"
 },
 "devDependencies": {
 "@cloudflare/cli": "workspace:*",
@@ -100,7 +99,8 @@
 "typescript": "catalog:default",
 "vitest": "catalog:default",
 "which": "^2.0.2",
- "xdg-app-paths": "^8.3.0"
+ "xdg-app-paths": "^8.3.0",
+ "zod": "^3.25.76"
 },
 "engines": {
 "node": ">=18.0.0"
diff --git a/packages/miniflare/scripts/deps.ts b/packages/miniflare/scripts/deps.ts
index 7cf7bba930da..18d70247e839 100644
--- a/packages/miniflare/scripts/deps.ts
+++ b/packages/miniflare/scripts/deps.ts
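Review bot: Moving `zod` from `dependencies` to `devDependencies` in packages/miniflare/package.json (the same move appears in packages/vitest-pool-workers/package.json) means the copy shipped to users is frozen at whatever pnpm-lock.yaml resolved at build time, so a zod security fix now reaches consumers only through a new release of these packages, not through a consumer-side `npm update` or an `overrides` entry. That trade-off is intentional here but is not recorded anywhere in the code; package.json cannot carry comments, so a line such as `// Anything not listed here is bundled at build time and pinned by pnpm-lock.yaml; a bundled dependency only picks up upstream (security) fixes when we bump it and release` next to the `EXTERNAL_DEPENDENCIES` arrays in scripts/deps.ts would keep the policy visible where the next maintainer looks. Separately, if any type in the published miniflare `.d.ts` is derived from a zod schema (for example a `z.input<typeof ...>` alias), TypeScript consumers will fail to resolve `zod` at type-check time once it is no longer a runtime dependency; the emitted declarations are not visible in this diff, so please confirm, and if that is the case keep `zod` as a dependency or peerDependency for types while still bundling the runtime code.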
@@ -12,22 +12,18 @@ export const EXTERNAL_DEPENDENCIES = [
 // Native binary with platform-specific builds - cannot be bundled
 "sharp",
- // Large HTTP client with optional native dependencies; commonly shared
- // with other packages to avoid version conflicts and duplication
+ // Must be external - dynamically required at runtime in worker threads via
+ // require("undici") for synchronous fetch operations (see fetch-sync.ts)
 "undici",
 // Native binary - Cloudflare's JavaScript runtime cannot be bundled
 "workerd",
 // Has optional native bindings (bufferutil, utf-8-validate) for performance;
- // commonly shared with other packages to avoid duplication
+ // bundling would lose these optimizations and fall back to JS implementations
 "ws",
 // Must be external - dynamically required at runtime via require("youch")
 // for lazy loading of pretty error pages
 "youch",
-
- // Large validation library; commonly shared as a dependency
- // to avoid version conflicts and bundle size duplication
- "zod",
 ];
diff --git a/packages/vitest-pool-workers/package.json b/packages/vitest-pool-workers/package.json
index f48ef3fd3972..dbe8fd6091d7 100644
--- a/packages/vitest-pool-workers/package.json
+++ b/packages/vitest-pool-workers/package.json
@@ -56,8 +56,7 @@
 "cjs-module-lexer": "^1.2.3",
 "esbuild": "catalog:default",
 "miniflare": "workspace:*",
- "wrangler": "workspace:*",
- "zod": "^3.25.76"
+ "wrangler": "workspace:*"
 },
 "devDependencies": {
 "@cloudflare/eslint-config-shared": "workspace:*",
@@ -78,7 +77,8 @@
 "ts-dedent": "^2.2.0",
 "typescript": "catalog:default",
 "undici": "catalog:default",
- "vitest": "catalog:default"
+ "vitest": "catalog:default",
+ "zod": "^3.25.76"
 },
 "peerDependencies": {
 "@vitest/runner": "2.0.x - 3.2.x",
diff --git a/packages/vitest-pool-workers/scripts/bundle.mjs b/packages/vitest-pool-workers/scripts/bundle.mjs
index 7a1122861c9b..cf1434c17dc7 100644
--- a/packages/vitest-pool-workers/scripts/bundle.mjs
+++ b/packages/vitest-pool-workers/scripts/bundle.mjs
@@ -100,7 +100,6 @@ const commonOptions = {
 // External dependencies (see scripts/deps.ts for rationale)
 "cjs-module-lexer",
 "esbuild",
- "zod",
 // Workspace dependencies
 "miniflare",
 "wrangler",
diff --git a/packages/vitest-pool-workers/scripts/deps.ts b/packages/vitest-pool-workers/scripts/deps.ts
index 235f167e7521..6b71448498c3 100644
--- a/packages/vitest-pool-workers/scripts/deps.ts
+++ b/packages/vitest-pool-workers/scripts/deps.ts
@@ -10,8 +10,4 @@ export const EXTERNAL_DEPENDENCIES = [
 // Native binary - cannot be bundled, used to bundle test files at runtime
 "esbuild",
-
- // Large validation library; commonly shared as a dependency
- // to avoid version conflicts and bundle size duplication
- "zod",
 ];
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 29ae0e40bcff..5e72f2a93216 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -1936,9 +1936,6 @@ importers:
 youch:
 specifier: 4.1.0-beta.10
 version: 4.1.0-beta.10(patch_hash=flgmw54jmjdxqmelxigtxg6kum)
- zod:
- specifier: ^3.25.76
- version: 3.25.76
 devDependencies:
 '@cloudflare/cli':
 specifier: workspace:*
@@ -2087,6 +2084,9 @@ importers:
 xdg-app-paths:
 specifier: ^8.3.0
 version: 8.3.0
+ zod:
+ specifier: ^3.25.76
+ version: 3.25.76
 packages/mock-npm-registry:
 devDependencies:
@@ -3461,9 +3461,6 @@ importers:
 wrangler:
 specifier: workspace:*
 version: link:../wrangler
- zod:
- specifier: ^3.25.76
- version: 3.25.76
 devDependencies:
 '@cloudflare/eslint-config-shared':
 specifier: workspace:*
@@ -3522,6 +3519,9 @@ importers:
 vitest:
 specifier: catalog:default
 version: 3.2.3(@types/debug@4.1.12)(@types/node@20.19.9)(@vitest/ui@3.2.3)(jiti@2.6.0)(lightningcss@1.30.2)(msw@2.12.0(@types/node@20.19.9)(typescript@5.8.3))(supports-color@9.2.2)(yaml@2.8.1)
+ zod:
+ specifier: ^3.25.76
+ version: 3.25.76
 packages/workers-editor-shared:
 dependencies: