fix: fix 19 CVEs #967
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c2545b6f39
| "overrides": { | ||
| "node-forge": "1.3.2", | ||
| "node-forge": "1.4.0", | ||
| "path-to-regexp": "0.1.13", |
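Review bot: `"path-to-regexp": "0.1.13"` is a top-level entry in `overrides`, so it rewrites the resolution for every dependent, including ones that declared a 1.x or 3.x range and call the newer API; nest it under the dependent that actually ships the vulnerable 0.1.x line (npm accepts `"overrides": { "<dependent>": { "path-to-regexp": "0.1.13" } }`, with `<dependent>` being the package that needs it) so the pin only touches the edge that CVE-2026-4867 concerns. The `node-forge` bump from 1.3.2 to 1.4.0 stays within the same major and is reasonable as a global pin, but since JSON cannot carry comments, record in the PR description which CVE each override addresses so the pins can be dropped once upstream ranges catch up.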
Avoid forcing path-to-regexp 0.1.x on all dependents
This global override/resolution pins every path-to-regexp consumer to 0.1.13, and the lockfile now shows packages that requested newer APIs (e.g., serve-handler requested 3.3.0) being resolved to 0.1.13 instead. That is an API downgrade across major versions: downstream code that uses pathToRegExp.compile(...) in the 1.x/3.x API surface can throw at runtime once those code paths are hit (rewrites/URL generation). The override should be scoped to the vulnerable edge package(s) instead of replacing all majors globally.
| module github.com/semaphoreio/semaphore/public-api-gateway | ||
|
|
||
| go 1.22 | ||
| go 1.24.0 |
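Review bot: `go 1.24.0` raises the minimum toolchain for this module but does not by itself change which compiler produces the binary; with the default GOTOOLCHAIN=auto, a builder that still has Go 1.22 (as the Codex comment on this hunk notes for the Dockerfile) will try to download go1.24.0 at build time. If this bump is what is meant to address CVE-2025-68121 (stdlib) from the PR's CVE list, the fix only lands when the builder image itself runs a patched 1.24.x, so update the Dockerfile's Go version to match and consider setting GOTOOLCHAIN=local in CI so a mismatch fails immediately and reproducibly instead of depending on network access.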
Align Go module version with container build toolchain
Raising this module to go 1.24.0 without updating the service’s Docker build baseline (the Dockerfile still defaults to Go 1.22 for this app) makes containerized builds depend on automatic remote toolchain download. In restricted CI or network-limited environments, that upgrade path fails before compilation, so builds that previously used the pinned local toolchain can now break. Update the Docker Go version (and similar services changed in this commit) to match the new go.mod requirement.
CVE-2026-33186 (grpc, CRITICAL)
CVE-2026-33891 (node-forge, HIGH)
CVE-2026-33894 (node-forge, HIGH)
CVE-2026-33895 (node-forge, HIGH)
CVE-2026-33896 (node-forge, HIGH)
CVE-2026-4867 (path-to-regexp, HIGH)
CVE-2026-33671 (picomatch, HIGH)
CVE-2026-33195 (activestorage, HIGH)
CVE-2025-68121 (stdlib, CRITICAL)
CVE-2026-4800 (lodash, HIGH)
CVE-2026-26996 (minimatch, HIGH)
CVE-2026-27903 (minimatch, HIGH)
CVE-2026-27904 (minimatch, HIGH)
CVE-2026-34785 (rack, HIGH)
CVE-2026-34829 (rack, HIGH)
CVE-2025-15467 (alpine, CRITICAL)
OS-EOL-001 (alpine 3.20.3 end of life)