security: upgrade some package versions

Dockerfile

@@ -29,14 +29,21 @@ FROM python:3.11-slim
 # Install runtime dependencies
 # apt-get upgrade pulls patched openssl/openssh/etc. so the image isn't pinned to
 # whatever was current when the base layer was published.
-# NOTE: openssh-client carries 3 CVEs (CVE-2026-35385/35386/35414). SSH CA signing
-# uses sshkey-tools (pure Python), so drop this line if nothing shells out to ssh/scp.
+# curl intentionally omitted: it was only used by HEALTHCHECK (now a stdlib Python
+# check), and dropping it removes libcurl4t64 + libssh2 and their unfixed CVEs.
+# NOTE: openssh-client retained for SSH CA workflows; drop it too if nothing shells
+# out to ssh/scp (sshkey-tools signing is pure Python).
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
     libpq5 \
-    curl \
     openssh-client \
     && rm -rf /var/lib/apt/lists/*
 
+# Patch the base image's system-level build tooling that Trivy flags in
+# /usr/local site-packages: wheel (CVE-2026-24049) and the jaraco.context
+# (CVE-2026-23949) vendored by setuptools. Runs against system pip before the
+# venv takes over PATH below.
+RUN pip install --no-cache-dir --upgrade pip setuptools wheel
+
 # Create non-root user
 RUN groupadd --gid 1000 appgroup && \
     useradd --uid 1000 --gid appgroup --shell /bin/bash --create-home appuser
@@ -58,9 +65,9 @@ USER appuser
 # Expose port
 EXPOSE 5000
 
-# Health check
+# Health check (stdlib urllib — avoids shipping curl)
 HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
-    CMD curl -f http://localhost:5000/api/health || exit 1
+    CMD ["python", "-c", "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://localhost:5000/api/health', timeout=5).getcode()==200 else 1)"]
 
 # Run gunicorn with gevent workers
 CMD ["gunicorn", "--bind", "0.0.0.0:5000", \