diff --git a/envoy.bazelrc b/envoy.bazelrc
index c0bda605460..d9a37106fc3 100644
--- a/envoy.bazelrc
+++ b/envoy.bazelrc
@@ -223,18 +223,18 @@ build:compile-time-options --@envoy//source/extensions/filters/http/kill_request
 common:fips-common --test_tag_filters=-nofips
 common:fips-common --build_tag_filters=-nofips
-common:fips-common --//bazel:fips=True
+common:fips-common --@envoy//bazel:fips=True
 # BoringSSL FIPS
 common:boringssl-fips --config=fips-common
-common:boringssl-fips --//bazel:ssl=@boringssl_fips//:ssl
-common:boringssl-fips --//bazel:crypto=@boringssl_fips//:crypto
+common:boringssl-fips --@envoy//bazel:ssl=@boringssl_fips//:ssl
+common:boringssl-fips --@envoy//bazel:crypto=@boringssl_fips//:crypto
 # AWS-LC FIPS
 common:aws-lc-fips --config=fips-common
-common:aws-lc-fips --//bazel:ssl=@aws_lc//:ssl
-common:aws-lc-fips --//bazel:crypto=@aws_lc//:crypto
-common:aws-lc-fips --//bazel:http3=False
+common:aws-lc-fips --@envoy//bazel:ssl=@aws_lc//:ssl
+common:aws-lc-fips --@envoy//bazel:crypto=@aws_lc//:crypto
+common:aws-lc-fips --@envoy//bazel:http3=False
 #############################################################################
diff --git a/scripts/update_envoy.sh b/scripts/update_envoy.sh
index b866b75e271..e86f3905ffc 100755
--- a/scripts/update_envoy.sh
+++ b/scripts/update_envoy.sh
@@ -35,13 +35,16 @@ WORKSPACE=${ROOT}/WORKSPACE
 ENVOY_ORG="$(grep -Pom1 "^ENVOY_ORG = \"\K[a-zA-Z-]+" "${WORKSPACE}")"
 ENVOY_REPO="$(grep -Pom1 "^ENVOY_REPO = \"\K[a-zA-Z-]+" "${WORKSPACE}")"
+# Get OLD_SHA before updating WORKSPACE
+OLD_SHA="$(grep -Pom1 "^ENVOY_SHA = \"\K[a-f0-9]+" "${WORKSPACE}")"
+
 # get latest commit for specified org/repo
 LATEST_SHA="$(git ls-remote https://github.com/"${ENVOY_ORG}"/"${ENVOY_REPO}" "refs/heads/$UPDATE_BRANCH" | awk '{ print $1}')"
 # use ENVOY_SHA if specified
 if [[ -n "${ENVOY_SHA}" ]]; then
 LATEST_SHA="${ENVOY_SHA}"
 fi
-DATE=$(curl -s -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/"${ENVOY_ORG}""/""${ENVOY_REPO}"/commits/"${LATEST_SHA}" | jq '.commit.committer.date')
+DATE=$(curl -s -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/"${ENVOY_ORG}"/"${ENVOY_REPO}"/commits/"${LATEST_SHA}" | jq '.commit.committer.date')
 DATE=$(echo "${DATE/\"/}" | cut -d'T' -f1)
 # Get ENVOY_SHA256
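Review bot: `OLD_SHA` is read from WORKSPACE and later used to build the download URL for the merge base, but nothing checks that the grep matched. If the `ENVOY_SHA = "..."` line is missing or formatted differently, the value is empty and the base fetch points at a path with no commit in it. Fail early right after the assignment with `[[ -n "${OLD_SHA}" ]] || { echo "ENVOY_SHA not found in ${WORKSPACE}" >&2; exit 1; }`. If WORKSPACE always holds a full commit hash, tightening the pattern to `[a-f0-9]{40}` would also reject a truncated value. Whether the script runs under `set -e` is not visible from this hunk.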
@@ -58,6 +61,21 @@ sed -i "s/Commit date: .*/Commit date: ${DATE}/" "${WORKSPACE}"
 sed -i 's/ENVOY_SHA = .*/ENVOY_SHA = "'"$LATEST_SHA"'"/' "${WORKSPACE}"
 sed -i 's/ENVOY_SHA256 = .*/ENVOY_SHA256 = "'"$SHA256"'"/' "${WORKSPACE}"
-# Update .bazelversion and envoy.bazelrc
+# Update .bazelversion
 curl -sSL "https://raw.githubusercontent.com/${ENVOY_ORG}/${ENVOY_REPO}/${LATEST_SHA}/.bazelversion" > .bazelversion
-curl -sSL "https://raw.githubusercontent.com/${ENVOY_ORG}/${ENVOY_REPO}/${LATEST_SHA}/.bazelrc" > envoy.bazelrc
+
+# Three-way merge envoy.bazelrc to preserve local modifications
+# On conflict, take upstream version (consistent with previous behavior)
+OLD_BAZELRC=$(mktemp)
+NEW_BAZELRC=$(mktemp)
+
+curl -sSL "https://raw.githubusercontent.com/${ENVOY_ORG}/${ENVOY_REPO}/${OLD_SHA}/.bazelrc" > "${OLD_BAZELRC}"
+curl -sSL "https://raw.githubusercontent.com/${ENVOY_ORG}/${ENVOY_REPO}/${LATEST_SHA}/.bazelrc" > "${NEW_BAZELRC}"
+
+# Attempt merge; on conflict, use upstream version
+if ! git merge-file envoy.bazelrc "${OLD_BAZELRC}" "${NEW_BAZELRC}" 2>/dev/null; then
+ # Conflicts exist - resolve by taking upstream (theirs)
+ git merge-file --theirs envoy.bazelrc "${OLD_BAZELRC}" "${NEW_BAZELRC}"
+fi
+
+rm -f "${OLD_BAZELRC}" "${NEW_BAZELRC}"
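Review bot: The two new `curl -sSL` fetches lack `--fail`, so an HTTP error page for `${OLD_SHA}` or `${LATEST_SHA}` is saved to the temp file and used as the base or upstream side of `git merge-file`. With stderr sent to `/dev/null` and the `--theirs` fallback, that content can reach `envoy.bazelrc` without any visible failure. The first `git merge-file` call also rewrites `envoy.bazelrc` in place, so the fallback runs against a file that may already hold conflict markers, and a tool error is treated the same as a conflict. Taking upstream on conflict can silently drop local lines such as the `--@envoy//bazel:fips=True` overrides, so that branch should print a warning. The version below fetches with `-f`, merges into a scratch file, warns on fallback, and cleans up through a trap; if the script already sets an EXIT trap outside this hunk, fold the cleanup into it.

```shell
OLD_BAZELRC=$(mktemp)
NEW_BAZELRC=$(mktemp)
MERGED_BAZELRC=$(mktemp)
trap 'rm -f "${OLD_BAZELRC}" "${NEW_BAZELRC}" "${MERGED_BAZELRC}"' EXIT

# -f makes curl fail on HTTP errors instead of saving the error page as a merge input
curl -fsSL "https://raw.githubusercontent.com/${ENVOY_ORG}/${ENVOY_REPO}/${OLD_SHA}/.bazelrc" > "${OLD_BAZELRC}" || exit 1
curl -fsSL "https://raw.githubusercontent.com/${ENVOY_ORG}/${ENVOY_REPO}/${LATEST_SHA}/.bazelrc" > "${NEW_BAZELRC}" || exit 1

# Merge into a scratch file so envoy.bazelrc is only replaced by a finished result
if ! git merge-file -p envoy.bazelrc "${OLD_BAZELRC}" "${NEW_BAZELRC}" > "${MERGED_BAZELRC}"; then
  echo "envoy.bazelrc: conflicts with upstream resolved to upstream; re-check local flags" >&2
  git merge-file -p --theirs envoy.bazelrc "${OLD_BAZELRC}" "${NEW_BAZELRC}" > "${MERGED_BAZELRC}" || exit 1
fi
cp "${MERGED_BAZELRC}" envoy.bazelrc
```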