chore: migrate Docker base image from node:22-slim to node:22-alpine #213

Closed
Valiunia wants to merge 1 commit into main from docker-migrate-to-alpine

@Valiunia Valiunia commented Jun 15, 2026

Contributor

Summary

Migrates the Docker base image from node:22-slim (Debian Bookworm) to node:22-alpine. Also swaps npm install for npm ci in the install step.

node:22-slim ships several Debian system packages not needed by this server. Alpine uses OpenSSL directly and omits the gnutls library, removing a class of OS-level package vulnerabilities carried by the Debian slim base.

npm ci installs exactly what is in package-lock.json rather than re-resolving version ranges, making Docker builds reproducible and failing loudly if the lockfile and package.json diverge.

Test plan

  • docker build . completes without errors on the Alpine base
  • Full test suite passes when run inside the built container (docker run --rm <image> sh -c "cd /app && npm test")
  • MCP stdio smoke test: initialize + tools/list handshake completes; all 28 tools register correctly
  • Live API calls verified against three tools inside the running container — all returned correct results

search_and_geocode_tool — forward geocode "Eiffel Tower, Paris"
{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"search_and_geocode_tool","arguments":{"q":"Eiffel Tower, Paris"}}}

Returned multiple ranked results including the Eiffel Tower in Paris, France with correct coordinates.

reverse_geocode_tool — coordinates 40.7484, -73.9857
{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"reverse_geocode_tool","arguments":{"longitude":-73.9857,"latitude":40.7484}}}

Returned:

1. 350 Fifth Avenue (350 Fifth Avenue)
   Address: 350 Fifth Avenue, New York, New York 10118, United States
   Coordinates: 40.74843, -73.985667
   Type: address

directions_tool — driving route SF → Oakland
{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"directions_tool","arguments":{"coordinates":[{"longitude":-122.4194,"latitude":37.7749},{"longitude":-122.2712,"latitude":37.8044}],"routing_profile":"mapbox/driving"}}}

Returned a route via I-80 East, duration 1522s, distance 19848m, average speed 66 kph.

Notes

Alpine uses musl libc instead of glibc. This server has no native addons compiled against glibc, so no compatibility issues are expected. If a future dependency introduces a native addon with glibc requirements, the base image choice should be revisited at that point.
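
The stdio smoke test from the test plan above (initialize + tools/list, 28 tools), written out as an added example; it is not part of this pull request or the project's code. The function names, the client name, the protocol version string and the sample transcript are assumptions constructed for illustration.

```javascript
// Added example: build and check an MCP stdio handshake (initialize + tools/list).

// Newline-delimited JSON-RPC messages the client writes to the server's stdin.
function buildHandshake() {
  const messages = [
    { jsonrpc: "2.0", id: 1, method: "initialize", params: {
      protocolVersion: "2025-06-18", // assumption: a version the server accepts
      capabilities: {},
      clientInfo: { name: "smoke-test", version: "0.0.0" }, // hypothetical client
    } },
    { jsonrpc: "2.0", method: "notifications/initialized" },
    { jsonrpc: "2.0", id: 2, method: "tools/list" },
  ];
  return messages.map((m) => JSON.stringify(m)).join("\n") + "\n";
}

// Check the server's captured stdout. Any line that is not a JSON-RPC message
// fails the test: on stdio, stray output (logs, warnings) corrupts the stream.
function checkHandshake(stdout, expectedToolCount) {
  const fail = (reason) => ({ ok: false, reason });
  const responses = new Map();
  for (const line of stdout.split("\n")) {
    if (line.trim() === "") continue;
    let msg;
    try { msg = JSON.parse(line); } catch { return fail("non-JSON line on stdout"); }
    if (msg === null || msg.jsonrpc !== "2.0") return fail("not a JSON-RPC 2.0 message");
    if (msg.id !== undefined && msg.method === undefined) responses.set(msg.id, msg);
  }
  const init = responses.get(1);
  if (!init || init.error || !init.result) return fail("initialize did not succeed");
  const list = responses.get(2);
  if (!list || list.error || !list.result) return fail("tools/list did not succeed");
  const tools = list.result.tools;
  if (!Array.isArray(tools)) return fail("tools/list result has no tools array");
  const names = tools.map((t) => t.name);
  if (new Set(names).size !== names.length) return fail("duplicate tool names");
  if (names.length !== expectedToolCount) {
    return fail(`expected ${expectedToolCount} tools, got ${names.length}`);
  }
  return { ok: true, names };
}

// Constructed sample transcript (not captured from the real server).
function sampleTranscript(toolCount) {
  const tools = Array.from({ length: toolCount }, (_, i) => ({ name: `tool_${i + 1}` }));
  const init = { protocolVersion: "2025-06-18", capabilities: { tools: {} },
    serverInfo: { name: "sample", version: "0.0.0" } };
  return [{ jsonrpc: "2.0", id: 1, result: init }, { jsonrpc: "2.0", id: 2, result: { tools } }]
    .map((m) => JSON.stringify(m)).join("\n") + "\n";
}
```

To run it against the container, pipe the output of `buildHandshake()` into `docker run --rm -i <image>` and pass the captured stdout to `checkHandshake`; this assumes the image's default command starts the server on stdio.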

Switches the base image to Alpine, which uses OpenSSL and omits the
gnutls library entirely, removing a class of OS-level package
vulnerabilities carried by the Debian slim image.

Also replaces `npm install` with `npm ci` for lockfile-exact,
reproducible installs in Docker builds.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

@prisma-cloud-devsecops prisma-cloud-devsecops Bot left a comment


Prisma Cloud has found errors in this PR ⬇️

Comment thread Dockerfile
@@ -1,4 +1,4 @@
FROM node:22-slim
FROM node:22-alpine
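
Review bot: `FROM node:22-alpine` references a floating tag, so the Alpine OS packages in the build change whenever the tag is republished, which works against the reproducibility the `npm ci` change in this PR is aiming for. Consider pinning the base by digest, `FROM node:22-alpine@sha256:<digest>`, and bumping it deliberately. The scanner finding attached to this line lists openssl 3.5.6-r0 with fixes in 3.5.7-r0, so a base image rebuilt with that package, or an explicit package upgrade step in the Dockerfile, would clear it. A short comment on this line recording why Alpine was chosen (musl, no native addons) would also help future reviewers.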


openssl 3.5.6-r0 / Dockerfile.FROM

Total vulnerabilities: 9

Critical: 1 High: 8 Medium: 0 Low: 0
| Vulnerability ID | Severity | CVSS | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-34182 | CRITICAL | 9.1 | 3.5.7-r0 | Open |
| CVE-2026-34181 | HIGH | 7.4 | 3.5.7-r0 | Open |
| CVE-2026-34180 | HIGH | 7.5 | 3.5.7-r0 | Open |
| CVE-2026-34183 | HIGH | 7.5 | 3.5.7-r0 | Open |
| CVE-2026-42764 | HIGH | 7.5 | 3.5.7-r0 | Open |
| CVE-2026-45445 | HIGH | 7.5 | 3.5.7-r0 | Open |
| CVE-2026-9076 | HIGH | 7.5 | 3.5.7-r0 | Open |
| CVE-2026-7383 | HIGH | 8.1 | 3.5.7-r0 | Open |
| CVE-2026-45447 | HIGH | 8.8 | 3.5.7-r0 | Open |

@Valiunia

Contributor Author

closing because of prisma

@Valiunia Valiunia closed this Jun 15, 2026