fix(security): pin Alpine base image to version 3.23

[depthfirst-app]

Summary

This PR addresses a security vulnerability in the Dockerfile where the base image used a mutable tag (alpine:3) instead of a pinned version.

Vulnerability

Type: Dependency Vulnerability / Supply Chain Risk

Impact: Using the mutable alpine:3 tag could:

• Allow builds to silently pull upstream changes
• Reduce build reproducibility
• Enable compromised base images to inject malicious code into releases

Solution

Replaced FROM alpine:3 with FROM alpine:3.23 to:

• Pin the base image to a specific minor version
• Ensure reproducible builds
• Match the Alpine version used in the build stage (golang:1.25.5-alpine3.23)
• Maintain consistency throughout the multi-stage build

Testing

The change is minimal and maintains full functionality. The Docker image should be tested to ensure it builds and runs correctly with the pinned version.

Maintenance Note

The Alpine version should be periodically updated to receive security patches while maintaining reproducibility.

---

🔍 View Vulnerability Details: Code Vulnerability

[coveralls]

Pull Request Test Coverage Report for Build 21488032287

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 68.848%

---

Totals
Change from base Build 21450104510:	0.0%
Covered Lines:	14896
Relevant Lines:	21636

---

💛 - Coveralls