diff --git a/.gitignore b/.gitignore
index 9269707..59389ee 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,6 +15,7 @@ MANIFEST
 # Virtual environments
 .venv/
+.venv-audit/
 venv/
 env/
 ENV/
diff --git a/Makefile b/Makefile
index 3123f45..3428fc9 100644
--- a/Makefile
+++ b/Makefile
@@ -69,9 +69,14 @@ lint: ## Lint with ruff.
 lint-fix: ## Lint with ruff --fix.
 	$(PYTHON) -m ruff check --fix .
 
-security: ## Run pip-audit on resolved dependencies.
+security: ## Run pip-audit on this package's dependencies only (isolated venv).
 	@command -v pip-audit >/dev/null 2>&1 || (echo "install: pip install pip-audit" && exit 1)
-	pip-audit
+	@rm -rf .venv-audit
+	$(PYTHON) -m venv .venv-audit
+	.venv-audit/bin/pip install -q -U pip pip-audit setuptools wheel
+	.venv-audit/bin/pip install -q -e .
+	.venv-audit/bin/pip-audit --skip-editable
+	@rm -rf .venv-audit
 
 tidy: ## No-op for Python (lockfile management is via pyproject.toml).
 	@echo "tidy: nothing to do for Python repos."
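Review bot: The kept `@command -v pip-audit` guard right after the new `security:` header checks for a host pip-audit that the recipe no longer uses — the tool actually run is `.venv-audit/bin/pip-audit`, installed two lines later — so the target fails on a clean machine with a message telling the user to install something the recipe installs itself; drop that line, or if a host copy is intended, invoke it instead of the venv one. Because pip-audit and its own transitive dependencies are installed into the same venv as the package under test, the audit output will include pip-audit's dependency tree alongside this package's, which is broader than the "this package's dependencies only" wording in the header comment promises; keeping the audit tool outside the venv it inspects would restore that scope, though how best to point pip-audit at the venv depends on the flags available in the installed version. The `pip install -q -U pip pip-audit setuptools wheel` line pulls whatever is latest at run time, so the audit tooling itself is unpinned and runs are not reproducible; consider pinning those versions or using a constraints file. The trailing `@rm -rf .venv-audit` is skipped whenever pip-audit exits non-zero on findings, since make stops at the first failing recipe line — the leading `@rm -rf` covers the next run, but a `|| { rm -rf .venv-audit; exit 1; }` on the audit line would clean up on failure too.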