diff --git a/Dockerfile b/Dockerfile
index 98072cb..65f70e3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,6 +2,8 @@ FROM node:22-bookworm-slim AS deps
 WORKDIR /app
+# bookworm-slim: track the distro's current security-patched versions, don't pin.
+# hadolint ignore=DL3008
 RUN apt-get update \
 && apt-get install -y --no-install-recommends python3 make g++ ca-certificates \
 && rm -rf /var/lib/apt/lists/*
@@ -14,21 +16,24 @@ FROM deps AS build
 WORKDIR /app
 COPY app/ ./
 RUN rm -f data.db data.db-shm data.db-wal && rm -rf uploads
-RUN npm run build
 # `astro` is a runtime dependency (required by the @astrojs/node standalone
-# SSR server), so this prune only drops the two devDependencies
+# SSR server), so the prune only drops the two devDependencies
 # (@astrojs/check, @types/node). Astro's transitive build tooling
 # (vite, esbuild, @astrojs/compiler, rollup plugins) stays in node_modules
 # because Astro itself declares them as runtime deps. Slimming those out
 # would require verifying the dist/server bundle never imports `astro/*` at
 # boot; not attempted here. Image-size tradeoff is accepted for now.
-RUN npm prune --omit=dev
+# (build + prune in one layer; separate RUNs would trip hadolint DL3059.)
+RUN npm run build \
+ && npm prune --omit=dev
 FROM node:22-bookworm-slim AS runtime
 WORKDIR /app
 ENV NODE_ENV=production \
 HOST=0.0.0.0 \
 PORT=4321
+# bookworm-slim: track the distro's current security-patched versions, don't pin.
+# hadolint ignore=DL3008
 RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates tini \
 && rm -rf /var/lib/apt/lists/* \
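Review bot: The added `# bookworm-slim: ... don't pin.` comment above the deps-stage `RUN apt-get update` promises a freshness benefit that the Dockerfile alone cannot deliver: with a warm build cache an unchanged `RUN` line is reused as-is, so the image keeps whatever package versions were installed on the last cache miss, pinned or not. Dropping the pins therefore costs reproducibility (no record in the Dockerfile of which versions went in) and only yields current security patches if the pipeline bumps the `node:22-bookworm-slim` tag/digest or builds with `--no-cache` on a schedule. I would state that operational dependency in the comment so the next reader does not assume patches arrive for free: `# Note: this layer only picks up new patches when it is rebuilt (base-image bump or --no-cache); the image records no package versions, so rely on image scanning of the built artifact.` If a scheduled rebuild or base-image update does not exist, that is the part worth adding before relying on this rationale.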