diff --git a/.syncpackrc.yml b/.syncpackrc.yml index d6a7b38e7ce5..4c18c2c7c70d 100644 --- a/.syncpackrc.yml +++ b/.syncpackrc.yml @@ -87,6 +87,9 @@ semverGroups: - label: "Must use exact dependency ranges" dependencies: - "@tiny-calc/*" + # @tylerbu/markdown-magic is currently pinned to a tagged prerelease (e.g. 2.4.0-tylerbu-1); a caret range on a + # prerelease won't include other prereleases, so an exact pin is the intended behavior. + - "@tylerbu/markdown-magic" - "@graphql-codegen/cli" - "@graphql-codegen/typescript" - "@material-ui/*" diff --git a/build-tools/README.md b/build-tools/README.md index 130b30d6b67d..4e5d2874c1a4 100644 --- a/build-tools/README.md +++ b/build-tools/README.md @@ -28,11 +28,17 @@ It is very useful to test changes in build-tools against the client release grou build-tools is limited, and manually testing locally with the client will expose obvious things like broken incremental builds, etc. -The easiest way to test build-tools in client is to use pnpm overrides. You can use the following command from the root of the repo to update the -root package.json and lockfile to link to the local version of build-tools: +The easiest way to test build-tools in client is to use pnpm overrides. Add the following entries under the `overrides:` +key in the repo root's `pnpm-workspace.yaml`, then refresh the lockfile: + +```yaml +overrides: + # ... existing entries ... + "@fluidframework/build-tools": "link:./build-tools/packages/build-tools" + "@fluid-tools/build-cli": "link:./build-tools/packages/build-cli" +``` ``` -npm pkg set pnpm.overrides.@fluidframework/build-tools=link:./build-tools/packages/build-tools pnpm.overrides.@fluid-tools/build-cli=link:./build-tools/packages/build-cli pnpm i --no-frozen-lockfile ``` diff --git a/package.json b/package.json index 3ad43abf0804..c120fae64e8c 100644 --- a/package.json +++ b/package.json 
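Review bot: The justification in the new comment is slightly off: under npm semver a caret on a prerelease such as `^2.4.0-tylerbu-1` still admits later prereleases of that same 2.4.0 (e.g. 2.4.0-tylerbu-2); what it excludes is prereleases of any other version, so the stated reason for the exact pin should say that. Suggested wording for the two comment lines: `# @tylerbu/markdown-magic is currently pinned to a tagged prerelease (e.g. 2.4.0-tylerbu-1); a caret range on a prerelease only admits further prereleases of that same x.y.z, so an exact pin is the intended behavior.` The dependencies list of this semverGroup continues past the end of the hunk.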
@@ -186,7 +186,7 @@
 "puppeteer": "^23.6.0",
 "rimraf": "^6.1.3",
 "run-script-os": "^1.1.6",
- "syncpack": "^14.0.2",
+ "syncpack": "^15.1.2",
 "type-fest": "^2.19.0",
 "typescript": "~5.4.5"
 },
@@ -351,59 +351,6 @@
 }
 },
 "pnpm": {
- "comments": [
- "biome is overridden to make review of the upgrade easier. This can be removed once merged.",
- "node types are forced to a consistent version to avoid conflicts between globals.",
- "nodegit is replaced with an empty package here because it's currently only used by good-fences for features we do not need, and has issues building when changing node versions. See https://github.com/smikula/good-fences/issues/105 for details. Note that using '-' to completely drop it, results in build failures complaining about nodegit not being there.",
- "codemirror and marked overrides are because simplemde use * versions, and the fully up to date versions of its deps do not work. packageExtensions was tried to fix this, but did not work.",
- "@fluentui/react-positioning's dependency on @floating-ui/dom causes a peer dependency violation, so overriding it forces a version that meets peer dependency requirements is installed.",
- "oclif includes some AWS-related features, but we don't use them, so we drop those dependencies. This helps reduce lockfile churn since the deps release very frequently.",
- "axios pre-1.0 needs an override to stay current on a version with no reported CVEs. Caret dependencies aren't enough on a pre-1.0 package.",
- "Security overrides: tar is overridden to address path traversal CVEs (GHSA-8qq5-rm4j-mr97, GHSA-r6q2-hw4h-h46w, GHSA-34x7-hfp2-rc4v).",
- "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
- "fast-xml-parser: overridden to ^4.5.4 to resolve multiple CVEs in 4.5.3 (entity encoding bypass, DoS via entity expansion, stack overflow). Stays within @langchain/anthropic's declared ^4.4.1 range.",
- "systeminformation: overridden to ^5.31.0 to resolve command injection vulnerabilities.",
- "simple-git: overridden to ^3.32.3 to resolve a CG alert.",
- "diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@3.x and diff@7.x have no fix in their major range so they are bumped to the nearest patched major.",
- "serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).",
- "express: overridden to ^4.22.1 to resolve a known vulnerability in express 4.21.2.",
- "picomatch: overridden to patched versions to resolve a known security vulnerability.",
- "node-forge: overridden to ^1.4.0 to resolve known security vulnerabilities.",
- "langsmith: overridden to ^0.5.15 to resolve a known security vulnerability. The consumer declares ^0.3.x so the override is needed to cross the minor version boundary."
- ],
- "overrides": {
- "@biomejs/biome": "~2.4.5",
- "@types/node": "catalog:types",
- "diff@>=3 <4": "^4.0.4",
- "diff@>=5 <6": "^5.2.2",
- "diff@>=7 <8": "^8.0.3",
- "diff@>=8 <9": "^8.0.3",
- "fast-xml-parser": "^4.5.4",
- "node-forge": "^1.4.0",
- "good-fences>nodegit": "npm:empty-npm-package@1.0.0",
- "qs": "^6.15.0",
- "simple-git": "^3.32.3",
- "systeminformation": "^5.31.0",
- "simplemde>codemirror": "^5.65.11",
- "simplemde>marked": "^4.3.0",
- "@fluentui/react-positioning>@floating-ui/dom": "~1.5.4",
- "oclif>@aws-sdk/client-cloudfront": "-",
- "oclif>@aws-sdk/client-s3": "-",
- "axios@<0.30.0": "^0.30.0",
- "tar": "^7.5.11",
- "minimatch@>=3 <4": "^3.1.5",
- "minimatch@>=5 <6": "^5.1.9",
- "minimatch@>=6 <7": "^6.2.3",
- "minimatch@>=7 <8": "^7.4.9",
- "minimatch@>=8 <9": "^8.0.7",
- "minimatch@>=9 <10": "^9.0.9",
- "minimatch@>=10 <11": "^10.2.4",
- "serialize-javascript@>=6 <7": "^7.0.4",
- "express@>=4 <5": "^4.22.1",
- "picomatch@>=2 <3": "^2.3.2",
- "picomatch@>=4 <5": "^4.0.4",
- "langsmith": "^0.5.15"
- },
 "peerDependencyComments": [
 "The react-split-pane package used by devtools-view has a peer dependency on React 16, but it doesn't seem to be maintained and it works fine with React 18. TODO: AB#18876",
 "@types/node is ignored because it is usually not needed by packages, and if it is, then the package will hit a compilation failure.",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 9fa709a184cb..6259feb08c7d 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -140,8 +140,8 @@ importers:
 specifier: ^1.1.6
 version: 1.1.6
 syncpack:
- specifier: ^14.0.2
- version: 14.0.2
+ specifier: ^15.1.2
+ version: 15.1.2
 type-fest:
 specifier: ^2.19.0
 version: 2.19.0
@@ -26780,48 +26780,48 @@ packages: sync-rpc@1.3.6: resolution: {integrity: sha512-J8jTXuZzRlvU7HemDgHi3pGnh/rkoqR/OZSjhTyyZrEkkYQbk7Z33AXp37mkPfPpfdOuj7Ex3H/TJM1z48uPQw==} - syncpack-darwin-arm64@14.0.2: - resolution: {integrity: sha512-qVTB7VQHpXfKMOyPzRoX+gsh+2rPw9631kbt/DfTthyfOrXUbp0QOZF0F0XtSYCYcG7IQehhMER3MLLvCwRTlA==} + syncpack-darwin-arm64@15.1.2: + resolution: {integrity: sha512-RQET2RNmX7yKorqCE6Q7kppC7eT9lw742QYPfWIL8Nh26RerT+erOp8zhdgv/3OmDkETF9olqyts79HY48V4SA==} cpu: [arm64] os: [darwin] - syncpack-darwin-x64@14.0.2: - resolution: {integrity: sha512-KtB44JzPafpjEyA58GhoY+0jdfHuEEMsny0/T9tqkmgJBjgygssSsdN5quBrVB7QOQcJoRJoM+TsEQx3o63lww==} + syncpack-darwin-x64@15.1.2: + resolution: {integrity: sha512-pmVr4Qw5o42aUfeZVaPXmnQNaoMhBNywcFK24FqSlo3MCK3WCJ0UwfhmcD7u82BGwASd4RFPGxgV18iJLFRnoA==} cpu: [x64] os: [darwin] - syncpack-linux-arm64-musl@14.0.2: - resolution: {integrity: sha512-kyO9jjIfFpVsETcHzzG+TzNE82TNqE4Pz8ZMKMc/cLnk7XcN9LbvrdqRjxmGoW5ZSJGTOjQtZsp6owtM9ODrfA==} + syncpack-linux-arm64-musl@15.1.2: + resolution: {integrity: sha512-Xs1wOUrMZqu0yo85NjAiccbBVkDYhT2P8yOh2+R56MK7ywtyBuM3TxR2IwEmXE8NPW3++hzdF0a7a7IbiW74bQ==} cpu: [arm64] os: [linux] - syncpack-linux-arm64@14.0.2: - resolution: {integrity: sha512-7erMuE/dm2yvdZ1Kr5aq81g3dE9ap7AG+EehonI9Det23gxlr7tXRpBbl3EYzAQr97ifrLGJpnQ6jtRQRAneTA==} + syncpack-linux-arm64@15.1.2: + resolution: {integrity: sha512-iRsv6tPNX9ZaDEjjpFdYwJj6EHerMVzl2euWt6qmYaW8/SaR6s5W+cc+qXPXijPsBlK65gibdHBfsBgJYB//CA==} cpu: [arm64] os: [linux] - syncpack-linux-x64-musl@14.0.2: - resolution: {integrity: sha512-kXlsvH4V7sBR8vWku+lnrdh+xQCmlRedk1RQDH/c+MpZ/PJy0UCIEovlrSgXcUFG0IVVrXbDGAxWJM4RB5oWeA==} + syncpack-linux-x64-musl@15.1.2: + resolution: {integrity: sha512-bBtQUTEECd1nefHWfQskwkFdaVXn54whSLHacc9bQijqn4p8lZ2JR3vokqVx8w/dKSrJsxkEM4K7zfHOori38w==} cpu: [x64] os: [linux] - syncpack-linux-x64@14.0.2: - resolution: {integrity: 
sha512-FGO9AsGakTPhfX+DW1Jmy2oaVeXhD7o1A+MmIMhcn9ArJThbBDmgkcTkU5Ek0E0tty4ZaNJgh1uhwwliPDHCeA==} + syncpack-linux-x64@15.1.2: + resolution: {integrity: sha512-Vwc7HLu05rUTgoN2zwcM/F/KiSw7/1prb/S4P+P5UtLXHfQ3Y23dvW1el6ABg7pOBbk08Zgr3i4DSS7Wiw0rog==} cpu: [x64] os: [linux] - syncpack-windows-arm64@14.0.2: - resolution: {integrity: sha512-Vmh6hmPXL2/DtppVYS1/zkr/RKKiJql6LqklqdPovB8F1TiTxulfv6RaGxR2d0r7Y9vDpoOSXxnONT4BoyCyUA==} + syncpack-windows-arm64@15.1.2: + resolution: {integrity: sha512-WZnjy0zM9TNWCKxNVo6PGprBKusYykqiAj2qGYWgkMMtGECpFOfEsrmt3R4s58ttQMAg44N+HVDhXtIFQeJOpg==} cpu: [arm64] os: [win32] - syncpack-windows-x64@14.0.2: - resolution: {integrity: sha512-lndo5gWCmsoYVxgOdQ1R4rFeiJWN4N4YLWqdWrun5V+LTuh6C7SyajJSlCxpLeRm2GDdZ+7oAjbJUDDHwF+IZA==} + syncpack-windows-x64@15.1.2: + resolution: {integrity: sha512-xyWsvn2Bbvubt4sIZGguqbv8pXiGWKifIYgzZWWUIWdaNvGThNLlrEWBlHABDx+Ov1yKLiKHjBiXQMgplMN92w==} cpu: [x64] os: [win32] - syncpack@14.0.2: - resolution: {integrity: sha512-Dv6If5o/kV8hhDA6pcqFfU0XHH3DuIYWr0zJbYDUfPQXyCET6K1dxnfHBlSNW+UZ2UAYRKlit99x28gWYqlt7A==} + syncpack@15.1.2: + resolution: {integrity: sha512-LDDT44/Skk5r6cDsbemGPD1t8p40iBqWz0Kkj5Khmx/e4blaXSA+nckYepHgb9xLY8Be+xuS0gVWHsYjKZufIw==} engines: {node: '>=14.17.0'} hasBin: true 
@@ -41342,40 +41342,40 @@ snapshots: dependencies: get-port: 3.2.0 - syncpack-darwin-arm64@14.0.2: + syncpack-darwin-arm64@15.1.2: optional: true - syncpack-darwin-x64@14.0.2: + syncpack-darwin-x64@15.1.2: optional: true - syncpack-linux-arm64-musl@14.0.2: + syncpack-linux-arm64-musl@15.1.2: optional: true - syncpack-linux-arm64@14.0.2: + syncpack-linux-arm64@15.1.2: optional: true - syncpack-linux-x64-musl@14.0.2: + syncpack-linux-x64-musl@15.1.2: optional: true - syncpack-linux-x64@14.0.2: + syncpack-linux-x64@15.1.2: optional: true - syncpack-windows-arm64@14.0.2: + syncpack-windows-arm64@15.1.2: optional: true - syncpack-windows-x64@14.0.2: + syncpack-windows-x64@15.1.2: optional: true - syncpack@14.0.2: + syncpack@15.1.2: optionalDependencies: - syncpack-darwin-arm64: 14.0.2 - syncpack-darwin-x64: 14.0.2 - syncpack-linux-arm64: 14.0.2 - syncpack-linux-arm64-musl: 14.0.2 - syncpack-linux-x64: 14.0.2 - syncpack-linux-x64-musl: 14.0.2 - syncpack-windows-arm64: 14.0.2 - syncpack-windows-x64: 14.0.2 + syncpack-darwin-arm64: 15.1.2 + syncpack-darwin-x64: 15.1.2 + syncpack-linux-arm64: 15.1.2 + syncpack-linux-arm64-musl: 15.1.2 + syncpack-linux-x64: 15.1.2 + syncpack-linux-x64-musl: 15.1.2 + syncpack-windows-arm64: 15.1.2 + syncpack-windows-x64: 15.1.2 systeminformation@5.31.4: optional: true diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index c4e0a6e37b7d..9cc9d0076685 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml 
@@ -90,3 +90,85 @@ catalogs:
 # Type definitions
 types:
 "@types/node": "~22.19.17"
+
+overrides:
+ # biome is overridden to make review of the upgrade easier. This can be removed once merged.
+ "@biomejs/biome": "~2.4.5"
+
+ # node types are forced to a consistent version to avoid conflicts between globals.
+ "@types/node": "catalog:types"
+
+ # diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@3.x and diff@7.x have no fix in
+ # their major range so they are bumped to the nearest patched major.
+ "diff@>=3 <4": "^4.0.4"
+ "diff@>=5 <6": "^5.2.2"
+ "diff@>=7 <8": "^8.0.3"
+ "diff@>=8 <9": "^8.0.3"
+
+ # fast-xml-parser: overridden to ^4.5.4 to resolve multiple CVEs in 4.5.3 (entity encoding bypass, DoS via entity
+ # expansion, stack overflow). Stays within @langchain/anthropic's declared ^4.4.1 range.
+ "fast-xml-parser": "^4.5.4"
+
+ # node-forge: overridden to ^1.4.0 to resolve known security vulnerabilities.
+ "node-forge": "^1.4.0"
+
+ # nodegit is replaced with an empty package here because it's currently only used by good-fences for features we do
+ # not need, and has issues building when changing node versions. See https://github.com/smikula/good-fences/issues/105
+ # for details. Note that using '-' to completely drop it, results in build failures complaining about nodegit not
+ # being there.
+ "good-fences>nodegit": "npm:empty-npm-package@1.0.0"
+
+ # qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.
+ "qs": "^6.15.0"
+
+ # simple-git: overridden to ^3.32.3 to resolve a CG alert.
+ "simple-git": "^3.32.3"
+
+ # systeminformation: overridden to ^5.31.0 to resolve command injection vulnerabilities.
+ "systeminformation": "^5.31.0"
+
+ # codemirror and marked overrides are because simplemde uses * versions, and the fully up to date versions of its
+ # deps do not work. packageExtensions was tried to fix this, but did not work.
+ "simplemde>codemirror": "^5.65.11"
+ "simplemde>marked": "^4.3.0"
+
+ # @fluentui/react-positioning's dependency on @floating-ui/dom causes a peer dependency violation, so overriding it
+ # forces a version that meets peer dependency requirements is installed.
+ "@fluentui/react-positioning>@floating-ui/dom": "~1.5.4"
+
+ # oclif includes some AWS-related features, but we don't use them, so we drop those dependencies. This helps reduce
+ # lockfile churn since the deps release very frequently.
+ "oclif>@aws-sdk/client-cloudfront": "-"
+ "oclif>@aws-sdk/client-s3": "-"
+
+ # axios pre-1.0 needs an override to stay current on a version with no reported CVEs. Caret dependencies aren't
+ # enough on a pre-1.0 package.
+ "axios@<0.30.0": "^0.30.0"
+
+ # tar: Security overrides to address path traversal CVEs (GHSA-8qq5-rm4j-mr97, GHSA-r6q2-hw4h-h46w,
+ # GHSA-34x7-hfp2-rc4v).
+ "tar": "^7.5.11"
+
+ # minimatch: overridden to patched versions to resolve a known security vulnerability.
+ "minimatch@>=3 <4": "^3.1.5"
+ "minimatch@>=5 <6": "^5.1.9"
+ "minimatch@>=6 <7": "^6.2.3"
+ "minimatch@>=7 <8": "^7.4.9"
+ "minimatch@>=8 <9": "^8.0.7"
+ "minimatch@>=9 <10": "^9.0.9"
+ "minimatch@>=10 <11": "^10.2.4"
+
+ # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible
+ # (only drops Node <20 support).
+ "serialize-javascript@>=6 <7": "^7.0.4"
+
+ # express: overridden to ^4.22.1 to resolve a known vulnerability in express 4.21.2.
+ "express@>=4 <5": "^4.22.1"
+
+ # picomatch: overridden to patched versions to resolve a known security vulnerability.
+ "picomatch@>=2 <3": "^2.3.2"
+ "picomatch@>=4 <5": "^4.0.4"
+
+ # langsmith: overridden to ^0.5.15 to resolve a known security vulnerability. The consumer declares ^0.3.x so the
+ # override is needed to cross the minor version boundary.
+ "langsmith": "^0.5.15"