
chore(security): bump Docker base images to node:24-alpine to address bundled npm CVEs #62

Merged: dzhhem merged 1 commit into master from fix/security-trivy-node-base-cves on May 19, 2026


@dzhhem dzhhem commented May 19, 2026

Description

Updated Docker base images from node:22-alpine to node:24-alpine across API, Web, Bot, and runner images.

This targets Trivy findings reported from bundled npm dependencies inside the image (/usr/local/lib/node_modules/npm/node_modules/...), not from project pnpm-lock.yaml.

Closes #61

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)

How Has This Been Tested?

Executed image build validation with project tooling:

  • bash dx pbuild

  • Unit tests (Jest/Vitest)

  • Integration tests

  • Manual testing (screenshots/screencasts encouraged)

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have documented non-obvious behavior or constraints where necessary
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
  • (If API) Database migrations have been created and tested
  • (If UI) Changes look good on mobile and desktop

@dzhhem dzhhem requested a review from BODMAT May 19, 2026 20:57
@dzhhem dzhhem self-assigned this May 19, 2026
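
An added example, not part of the pull request or the project's code: a triage helper that splits a Trivy JSON report into findings under the bundled npm path named in the description (fixed by a base image bump) and findings from project dependencies or OS packages. The sample report, its placeholder IDs and package names, and the `classify` helper are constructed for illustration; the field names assume the layout of `trivy image --format json`.

```python
import json

# Path prefix from the PR description: packages bundled with npm in the Node image.
# Trivy usually reports PkgPath without a leading slash, so compare without it.
BUNDLED_NPM_PREFIX = "usr/local/lib/node_modules/npm/"

# Constructed sample shaped like Trivy JSON output. IDs and names are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "example-a",
              "PkgPath": "usr/local/lib/node_modules/npm/node_modules/example-a/package.json",
              "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-PLACEHOLDER-0002", "PkgName": "example-b",
              "PkgPath": "app/node_modules/example-b/package.json",
              "Severity": "HIGH"},
         ]},
        {"Target": "image (alpine)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-0003", "PkgName": "example-c",
              "Severity": "MEDIUM"},
         ]},
        # Clean targets carry no "Vulnerabilities" key at all.
        {"Target": "clean layer", "Class": "lang-pkgs", "Type": "node-pkg"},
    ]
})


def classify(report_json):
    """Group finding IDs by where the fix has to be made."""
    buckets = {"base-image-npm": [], "project-deps": [], "os-packages": []}
    for result in json.loads(report_json).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            path = (vuln.get("PkgPath") or "").lstrip("/")
            if result.get("Class") == "os-pkgs":
                bucket = "os-packages"      # fixed by the base image or an OS upgrade
            elif path.startswith(BUNDLED_NPM_PREFIX):
                bucket = "base-image-npm"   # fixed by bumping the Node base image
            else:
                bucket = "project-deps"     # fixed in package.json and the lockfile
            buckets[bucket].append(vuln["VulnerabilityID"])
    return buckets


if __name__ == "__main__":
    for bucket, ids in classify(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(ids)} {ids}")
```

Findings left in `project-deps` after a base image bump are the ones a lockfile update has to address.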
vercel Bot commented May 19, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| fin-track-web | Ready | Preview, Comment | May 19, 2026 8:57pm |

@dzhhem dzhhem merged commit 6944c36 into master May 19, 2026
14 checks passed
@dzhhem dzhhem deleted the fix/security-trivy-node-base-cves branch May 19, 2026 21:26

Development

Successfully merging this pull request may close these issues.

chore: bump Docker Node base images to reduce Trivy CVEs in bundled npm