switch to newer nodejs version

Dockerfile

@@ -3,17 +3,20 @@
 # ---------------------------------------------------------------------------
 # Base image pin
 # ---------------------------------------------------------------------------
-# Pinned to a specific minor (20.19) so rebuilds are reproducible and satisfy
+# Pinned to Node 24 (Active LTS, supported until ~April 2028) so rebuilds are
-# the package.json `engines` constraint (">=20.19 <22 || >=22.12").
+# reproducible and satisfy the package.json `engines` constraint
+# (">=20.19 <22 || >=22.12"). Node 20 is EOL (~April 2026) and its frozen
+# `20.19-alpine` snapshot accumulates unpatched CVEs, so we track the
+# actively-patched 24.x line instead.
 # A digest pin is PREFERRED for full immutability, e.g.:
-#   FROM node:20.19-alpine@sha256:<real-digest>
+#   FROM node:24-alpine@sha256:<real-digest>
-# Add the real sha256 (from `docker buildx imagetools inspect node:20.19-alpine`)
+# Add the real sha256 (from `docker buildx imagetools inspect node:24-alpine`)
 # when you have network access. We do NOT invent a fake digest here.
 
 # ===========================================================================
 # Stage 1 — builder: install ALL deps, generate Prisma client, build the app
 # ===========================================================================
-FROM node:20.19-alpine AS builder
+FROM node:24-alpine AS builder
 
 # openssl is required by Prisma's engines.
 RUN apk add --no-cache openssl
@@ -34,7 +37,7 @@ RUN npx prisma generate \
 # ===========================================================================
 # Stage 2 — runtime: pruned prod deps + only the artifacts needed to run
 # ===========================================================================
-FROM node:20.19-alpine AS runtime
+FROM node:24-alpine AS runtime
 
 # openssl for Prisma engines at runtime (migrate deploy / query engine).
 RUN apk add --no-cache openssl