fix: switch to node:22-bookworm-slim (Debian) base for better CVE coverage

Alpine's community ffmpeg package had 4+ high CVEs open for 12+ months
(CVE-2023-51793/94/95/98) that Debian's security team backported patches
for in ffmpeg 5.1.9-0+deb12u1.

Changes:
- Dockerfile: node:22-bookworm-slim, apt-get ffmpeg (5.1.9 patched)
- Dockerfile.handbrake: same base, adds handbrake-cli
- CVE-2026-1837 (libjxl): not affected — bookworm ships libjxl 0.7.0
- CVE-2025-52194 (libsndfile): Debian marked not reproducible
- CVE-2026-3099x (ffmpeg AV1): postponed everywhere, no fix available

Tradeoff: image grows from ~300MB to ~677MB (Debian runtime overhead).
ffmpeg 5.1.9 has full feature coverage for disc scanning and HEVC encoding.

Dockerfile

@@ -2,20 +2,23 @@
 # ffmpeg/ffprobe: VIDEO_TS/BDMV metadata scanning and HEVC encode dispatch
 # openssh-client: remote encode dispatch to SSH transcode workers
 #
-# HandBrake is NOT included in this image — ffmpeg handles encoding by default.
+# Base: node:22-bookworm-slim (Debian bookworm)
-# If you need HandBrake (preset system, forced-subtitle burn-in), use the
+# Debian's security team backports ffmpeg CVE patches to 5.1.x; Alpine's
-# handbrake variant: pyr0ball/discarr:handbrake
+# community ffmpeg package has had several high CVEs open for 12+ months.
-# Or install HandBrake natively via: sudo bash install.sh
+#
+# HandBrake is NOT included — ffmpeg handles encoding by default.
+# For HandBrake presets or forced-subtitle burn-in, use:
+#   pyr0ball/discarr:handbrake  (or build from Dockerfile.handbrake)
+#   Or install natively: sudo bash install.sh
 
-# Node 22 is the current LTS (Node 20 reached EOL 2026-04-30)
+FROM node:22-bookworm-slim
-FROM node:22-alpine
 
-# Upgrade all base packages first to pick up Alpine security patches,
+# Install ffmpeg and openssh-client, then clean apt lists
-# then add runtime dependencies in the same layer.
+RUN apt-get update && \
-RUN apk upgrade --no-cache && \
+    apt-get install -y --no-install-recommends \
-    apk add --no-cache \
         ffmpeg \
-        openssh-client
+        openssh-client && \
+    rm -rf /var/lib/apt/lists/*
 
 # Update npm to patch bundled tar/minimatch CVEs
 RUN npm install -g npm@latest && npm cache clean --force

Dockerfile.handbrake

@@ -1,18 +1,21 @@
-# Discarr — HandBrake variant
+# Discarr — HandBrake variant (Debian bookworm base)
 # Includes HandBrake for preset-based encoding and forced-subtitle burn-in.
-# NOTE: Alpine's HandBrake package depends on both ffmpeg 8.x AND ffmpeg 7.x,
+#
-# which increases the CVE surface area compared to the default image.
+# NOTE: HandBrake on Debian pulls in libavcodec/libavfilter from ffmpeg 5.1.x.
+# The CVE profile is better than Alpine (Debian backports patches) but the
+# HandBrake binary and its ffmpeg libs add surface area vs the default image.
 # Use this variant only if you specifically need HandBrake features.
 #
 # Build: docker build -f Dockerfile.handbrake -t pyr0ball/discarr:handbrake .
 
-FROM node:22-alpine
+FROM node:22-bookworm-slim
 
-RUN apk upgrade --no-cache && \
+RUN apt-get update && \
-    apk add --no-cache \
+    apt-get install -y --no-install-recommends \
         ffmpeg \
-        handbrake \
+        handbrake-cli \
-        openssh-client
+        openssh-client && \
+    rm -rf /var/lib/apt/lists/*
 
 RUN npm install -g npm@latest && npm cache clean --force