fix: upgrade npm in runtime image to resolve bundled dep CVEs

TomSchmidtDev · claude · TomSchmidtDev · commit 6bb864763e41 · 2026-06-02T21:27:12.000+02:00
Upgrades npm from 10.9.8 to latest (11.x) in the runtime stage,
replacing vulnerable bundled packages (picomatch 4.0.3, brace-expansion
2.0.2, ip-address 10.1.0) detected by Dockhand vulnerability scan.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/Dockerfile b/Dockerfile
@@ -21,7 +21,7 @@ RUN npm prune --omit=dev
 
 # ── Runtime ──────────────────────────────────────────────
 FROM node:22-alpine AS runtime
-RUN apk upgrade --no-cache
+RUN apk upgrade --no-cache && npm install -g npm@latest
 WORKDIR /app
 
 COPY --from=builder /app/packages/api/dist         ./packages/api/dist
