fix: upgrade to Node 22 LTS, apk upgrade, npm update to fix CVEs

- node:20-alpine -> node:22-alpine (Node 20 EOL 2026-04-30)
- apk upgrade --no-cache combined with apk add to pick up patched
  Alpine packages (ffmpeg 8.0.1, libjxl, and all transitive deps)
- npm install -g npm@latest to patch bundled tar and minimatch CVEs
- Combined upgrade+add into single RUN layer for consistency

Resolves 51 CVEs reported in Docker Hub vulnerability scan including
CVE-2026-23950, CVE-2026-26996 (npm/tar, npm/minimatch) and
CVE-2023-51793/51794/51795 (apk/ffmpeg) groups

Dockerfile

@@ -1,9 +1,23 @@
-# Discarr — disc scanning and encoding queue
+# Discarr: disc scanning and encoding queue
-# ffmpeg/ffprobe included for VIDEO_TS/BDMV metadata scanning
+# ffmpeg/ffprobe: VIDEO_TS/BDMV metadata scanning and local encode dispatch
-# Encoding is dispatched via SSH to a remote host (e.g. Strahl)
+# HandBrake: optional HEVC encoder (ffmpeg is the fallback)
-FROM node:20-alpine
+# openssh-client: remote encode dispatch to SSH transcode workers
 
-RUN apk add --no-cache ffmpeg openssh-client handbrake
+# Node 22 is the current LTS (Node 20 reached EOL 2026-04-30)
+FROM node:22-alpine
+
+# Upgrade all base packages to pick up security patches from Alpine before
+# adding our own deps. Combining upgrade + add in one RUN avoids an extra
+# layer and ensures the package index stays consistent.
+RUN apk upgrade --no-cache && \
+    apk add --no-cache \
+        ffmpeg \
+        handbrake \
+        openssh-client
+
+# npm's bundled deps (tar, minimatch) carry their own CVE surface.
+# Updating to latest npm gets the patched versions.
+RUN npm install -g npm@latest && npm cache clean --force
 
 WORKDIR /app
 COPY server.js scanner.js ./