fix(docker): strip global npm from runtime to drop inherited CVE

Trivy's image scan flagged picomatch CVE-2026-33671 (ReDoS via crafted
extglob patterns) in the npm CLI bundled inside node:22-alpine
(/usr/local/lib/node_modules/npm/node_modules/picomatch). Our app's
own picomatch is clean — only npm's vendored copy is vulnerable, and
upstream npm hasn't shipped a fixed bundle yet.

The production container only needs `node` and the prisma CLI binary
at runtime. Switch entrypoint.sh from `npx prisma migrate deploy` to
calling ./node_modules/.bin/prisma directly, then delete the bundled
npm/yarn/corepack trees in the production stage. This removes the
vulnerable file rather than waiting on the upstream base image.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docker/Dockerfile

@@ -17,7 +17,15 @@ COPY --from=build --chown=node:node /app/package*.json ./
 COPY --from=build --chown=node:node /app/prisma ./prisma
 COPY --from=build --chown=node:node /app/prisma.config.ts ./prisma.config.ts
 COPY --from=build --chown=node:node /app/docker/entrypoint.sh ./docker/entrypoint.sh
-RUN chmod +x ./docker/entrypoint.sh
+# Strip the bundled npm CLI (and yarn/corepack) from the runtime image. The
+# entrypoint calls ./node_modules/.bin/prisma directly, so we don't need
+# npm at runtime — and dropping it eliminates CVEs in npm's bundled deps
+# (e.g. picomatch CVE-2026-33671) that node:22-alpine inherits.
+RUN chmod +x ./docker/entrypoint.sh \
+ && rm -rf /usr/local/lib/node_modules \
+           /usr/local/bin/npm /usr/local/bin/npx \
+           /usr/local/bin/corepack \
+           /opt/yarn-v1.22.22 /usr/local/bin/yarn /usr/local/bin/yarnpkg
 USER node
 EXPOSE 3000
 ENTRYPOINT ["./docker/entrypoint.sh"]

docker/entrypoint.sh

@@ -4,6 +4,6 @@
 # multi-replica setups should move migrations to a dedicated job/init container.
 set -e
 echo "[entrypoint] prisma migrate deploy"
-npx prisma migrate deploy
+./node_modules/.bin/prisma migrate deploy
 echo "[entrypoint] starting nest"
 exec node dist/src/main