diff --git a/Dockerfile b/Dockerfile
index 5e1526b..4391677 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,23 +2,24 @@
 # ffmpeg/ffprobe: VIDEO_TS/BDMV metadata scanning and HEVC encode dispatch
 # openssh-client: remote encode dispatch to SSH transcode workers
 #
-# Base: node:22-bookworm-slim (Debian bookworm)
-# Debian's security team backports ffmpeg CVE patches to 5.1.x; Alpine's
-# community ffmpeg package has had several high CVEs open for 12+ months.
+# Base: node:22-alpine (Alpine 3.23)
+# Alpine's rolling package model ships significantly newer versions than
+# Debian stable (bookworm, frozen at June 2023). Key examples:
+# mbedtls: Alpine 3.6.6 (patched) vs Debian bookworm 2.28.3 (unpatched)
+# ffmpeg: Alpine 8.0.1 vs Debian bookworm 5.1.x
 #
 # HandBrake is NOT included — ffmpeg handles encoding by default.
-# For HandBrake presets or forced-subtitle burn-in, use:
+# For HandBrake presets or forced-subtitle burn-in:
 # pyr0ball/discarr:handbrake (or build from Dockerfile.handbrake)
-# Or install natively: sudo bash install.sh
 
-FROM node:22-bookworm-slim
+FROM node:22-alpine
 
-# Install ffmpeg and openssh-client, then clean apt lists
-RUN apt-get update && \
- apt-get install -y --no-install-recommends \
+# Upgrade all packages to pick up any in-branch security patches,
+# then add runtime deps in the same layer.
+RUN apk upgrade --no-cache && \
+ apk add --no-cache \
 ffmpeg \
- openssh-client && \
- rm -rf /var/lib/apt/lists/*
+ openssh-client
 
 # Update npm to patch bundled tar/minimatch CVEs
 RUN npm install -g npm@latest && npm cache clean --force
diff --git a/Dockerfile.handbrake b/Dockerfile.handbrake
index 71d84fa..01e2806 100644
--- a/Dockerfile.handbrake
+++ b/Dockerfile.handbrake
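Review bot: `FROM node:22-alpine` floats with whatever Alpine release the node image currently tracks, while the new header comment hard-codes "Alpine 3.23" and the package versions that ship with it, so the comment and the image will silently drift apart; pin the base explicitly, `FROM node:22-alpine3.23` (or a `@sha256:` digest), so the Dockerfile and its security rationale stay in step. The "(unpatched)" verdict on Debian's mbedtls 2.28.3 is inferred from the version string alone, but Debian backports fixes without bumping the upstream version — the comment being removed relied on exactly that — so either cite the specific CVE the Alpine package fixes or soften the line to `# mbedtls: Alpine 3.6.6 vs Debian bookworm 2.28.3 (compare against the Debian security tracker, not the version number)`. Combined with `apk upgrade` and unpinned `apk add ffmpeg openssh-client`, two builds of the same commit can yield different package sets, which is acceptable for a rolling base but means the CVE claims in the header should be verified against the built image with a scanner rather than trusted from the comment.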
@@ -1,21 +1,18 @@
-# Discarr — HandBrake variant (Debian bookworm base)
+# Discarr — HandBrake variant
 # Includes HandBrake for preset-based encoding and forced-subtitle burn-in.
-#
-# NOTE: HandBrake on Debian pulls in libavcodec/libavfilter from ffmpeg 5.1.x.
-# The CVE profile is better than Alpine (Debian backports patches) but the
-# HandBrake binary and its ffmpeg libs add surface area vs the default image.
+# NOTE: Alpine's HandBrake package depends on both ffmpeg 8.x AND ffmpeg 7.x,
+# which increases the CVE surface area compared to the default image.
 # Use this variant only if you specifically need HandBrake features.
 #
 # Build: docker build -f Dockerfile.handbrake -t pyr0ball/discarr:handbrake .
 
-FROM node:22-bookworm-slim
+FROM node:22-alpine
 
-RUN apt-get update && \
- apt-get install -y --no-install-recommends \
+RUN apk upgrade --no-cache && \
+ apk add --no-cache \
 ffmpeg \
- handbrake-cli \
- openssh-client && \
- rm -rf /var/lib/apt/lists/*
+ handbrake \
+ openssh-client
 
 RUN npm install -g npm@latest && npm cache clean --force
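Review bot: The package swapped from `handbrake-cli` to `handbrake`, and if Alpine splits the GUI from the command-line tool the way Debian does, `handbrake` pulls GTK and a display stack into a headless encode image — precisely the extra surface area the header comment warns about; confirm which apk package provides `HandBrakeCLI` and use `handbrake-cli \` (or the `-cli` subpackage) if one exists, with a `RUN HandBrakeCLI --version` smoke step so a package rename fails the build instead of the first encode. As in the main Dockerfile, `FROM node:22-alpine` is unpinned and the packages carry no versions, so the "ffmpeg 8.x AND ffmpeg 7.x" statement describes today's resolution rather than any given build; pin `FROM node:22-alpine3.23` (or a digest) so the CVE reasoning can be tied to a reproducible image. The header also dropped the old comment's note that this variant adds surface area on top of the default image beyond the ffmpeg libraries; consider keeping `# The HandBrake binary itself adds surface area vs the default image` alongside the new ffmpeg note.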