diff --git a/Dockerfile b/Dockerfile
index 52eae8d..eeb9c33 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,23 @@
-# Discarr — disc scanning and encoding queue
-# ffmpeg/ffprobe included for VIDEO_TS/BDMV metadata scanning
-# Encoding is dispatched via SSH to a remote host (e.g. Strahl)
-FROM node:20-alpine
+# Discarr: disc scanning and encoding queue
+# ffmpeg/ffprobe: VIDEO_TS/BDMV metadata scanning and local encode dispatch
+# HandBrake: optional HEVC encoder (ffmpeg is the fallback)
+# openssh-client: remote encode dispatch to SSH transcode workers

-RUN apk add --no-cache ffmpeg openssh-client handbrake
+# Node 22 is the current LTS (Node 20 reached EOL 2026-04-30)
+FROM node:22-alpine
+
+# Upgrade all base packages to pick up security patches from Alpine before
+# adding our own deps. Combining upgrade + add in one RUN avoids an extra
+# layer and ensures the package index stays consistent.
+RUN apk upgrade --no-cache && \
+ apk add --no-cache \
+ ffmpeg \
+ handbrake \
+ openssh-client
+
+# npm's bundled deps (tar, minimatch) carry their own CVE surface.
+# Updating to latest npm gets the patched versions.
+RUN npm install -g npm@latest && npm cache clean --force
 WORKDIR /app
 COPY server.js scanner.js ./
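Review bot: The added `RUN npm install -g npm@latest` resolves to whatever the registry serves at build time, so two builds of this commit can ship different npm trees, and a cached layer keeps the old one until the cache is invalidated; the patched tar/minimatch the comment promises is therefore neither guaranteed nor auditable. Pin the version and bump it deliberately, e.g. `ARG NPM_VERSION=<pinned-version>` followed by `RUN npm install -g "npm@${NPM_VERSION}" && npm cache clean --force`. The same concern applies to `apk upgrade --no-cache` on the floating `node:22-alpine` tag: pinning the base by digest (`FROM node:22-alpine@sha256:<digest>`) and rebuilding on a schedule picks up the Alpine patches with a recorded provenance. If npm is not needed at runtime (the rest of the Dockerfile is outside this hunk), dropping it from the final image would remove that CVE surface rather than chase it.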