fix: revert to Alpine base (Debian bookworm has 149 CVEs vs Alpine's ~36)

Debian bookworm is frozen at June 2023 package versions. Key problem:
  mbedtls 2.28.3-1 (bookworm) vs mbedtls 3.6.6-r0 (Alpine 3.23)

CVE-2026-34875 (9.8 critical) is fixed in mbedtls 3.6.6 — which Alpine
already ships. Debian bookworm won't get that update. Similarly for 5+
other critical/high mbedtls CVEs and gnutls28 CVEs. Total: 149 CVEs on
Debian bookworm vs ~36 on Alpine 3.23.

Alpine's rolling model ships much newer package versions, which actually
means fewer accumulated CVEs in key libraries like mbedtls, despite the
reputation of 'Debian stable = secure'.

Dockerfile

@@ -2,23 +2,24 @@
 # ffmpeg/ffprobe: VIDEO_TS/BDMV metadata scanning and HEVC encode dispatch
 # openssh-client: remote encode dispatch to SSH transcode workers
 #
-# Base: node:22-bookworm-slim (Debian bookworm)
+# Base: node:22-alpine (Alpine 3.23)
-# Debian's security team backports ffmpeg CVE patches to 5.1.x; Alpine's
+# Alpine's rolling package model ships significantly newer versions than
-# community ffmpeg package has had several high CVEs open for 12+ months.
+# Debian stable (bookworm, frozen at June 2023). Key examples:
+#   mbedtls: Alpine 3.6.6 (patched) vs Debian bookworm 2.28.3 (unpatched)
+#   ffmpeg:  Alpine 8.0.1 vs Debian bookworm 5.1.x
 #
 # HandBrake is NOT included — ffmpeg handles encoding by default.
-# For HandBrake presets or forced-subtitle burn-in, use:
+# For HandBrake presets or forced-subtitle burn-in:
 #   pyr0ball/discarr:handbrake  (or build from Dockerfile.handbrake)
-#   Or install natively: sudo bash install.sh
 
-FROM node:22-bookworm-slim
+FROM node:22-alpine
 
-# Install ffmpeg and openssh-client, then clean apt lists
+# Upgrade all packages to pick up any in-branch security patches,
-RUN apt-get update && \
+# then add runtime deps in the same layer.
-    apt-get install -y --no-install-recommends \
+RUN apk upgrade --no-cache && \
+    apk add --no-cache \
         ffmpeg \
-        openssh-client && \
+        openssh-client
-    rm -rf /var/lib/apt/lists/*
 
 # Update npm to patch bundled tar/minimatch CVEs
 RUN npm install -g npm@latest && npm cache clean --force

Dockerfile.handbrake

@@ -1,21 +1,18 @@
-# Discarr — HandBrake variant (Debian bookworm base)
+# Discarr — HandBrake variant
 # Includes HandBrake for preset-based encoding and forced-subtitle burn-in.
-#
+# NOTE: Alpine's HandBrake package depends on both ffmpeg 8.x AND ffmpeg 7.x,
-# NOTE: HandBrake on Debian pulls in libavcodec/libavfilter from ffmpeg 5.1.x.
+# which increases the CVE surface area compared to the default image.
-# The CVE profile is better than Alpine (Debian backports patches) but the
-# HandBrake binary and its ffmpeg libs add surface area vs the default image.
 # Use this variant only if you specifically need HandBrake features.
 #
 # Build: docker build -f Dockerfile.handbrake -t pyr0ball/discarr:handbrake .
 
-FROM node:22-bookworm-slim
+FROM node:22-alpine
 
-RUN apt-get update && \
+RUN apk upgrade --no-cache && \
-    apt-get install -y --no-install-recommends \
+    apk add --no-cache \
         ffmpeg \
-        handbrake-cli \
+        handbrake \
-        openssh-client && \
+        openssh-client
-    rm -rf /var/lib/apt/lists/*
 
 RUN npm install -g npm@latest && npm cache clean --force