diff --git a/Dockerfile b/Dockerfile
index d1a35e2..6b49967 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@
 # Base image pinned by digest for reproducibility + integrity.
 # Refresh manually with: docker buildx imagetools inspect node:26-alpine
 # (or query the registry) and update the digest in BOTH stages.
-FROM node:26-alpine@sha256:7c6af15abe4e3de859690e7db171d0d711bf37d27528eddfe625b2fe89e097f8 AS builder
+FROM node:26-alpine@sha256:144769ec3f32e8ee36b3cfde91e82bee25d9367b20f31a151f3f7eea3a2a8541 AS builder
 # Install corepack (not bundled in node:26-alpine) and enable it; the pnpm
 # version is resolved from package.json "packageManager", so Dependabot's npm
@@ -44,7 +44,7 @@ RUN node -e " \
 }"
 # Stage 2: Production
-FROM node:26-alpine@sha256:7c6af15abe4e3de859690e7db171d0d711bf37d27528eddfe625b2fe89e097f8 AS production
+FROM node:26-alpine@sha256:144769ec3f32e8ee36b3cfde91e82bee25d9367b20f31a151f3f7eea3a2a8541 AS production
 RUN adduser -D -u 1001 appuser
diff --git a/Dockerfile.dev b/Dockerfile.dev
index e0024eb..f5e540b 100644
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -1,7 +1,7 @@
 # Base image pinned by digest for reproducibility + integrity.
 # Refresh manually with: docker buildx imagetools inspect node:26-alpine
 # Keep this digest in sync with BOTH stages of the production Dockerfile.
-FROM node:26-alpine@sha256:7c6af15abe4e3de859690e7db171d0d711bf37d27528eddfe625b2fe89e097f8
+FROM node:26-alpine@sha256:144769ec3f32e8ee36b3cfde91e82bee25d9367b20f31a151f3f7eea3a2a8541
 # Enable corepack (pnpm version comes from package.json "packageManager",
 # single source of truth, matching the production Dockerfile).