diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8ef1dcc..7d4658a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## Unreleased
+### Changed
+
+- **Docker**: Migrate base image from `node:22-slim` (Debian Bookworm) to `node:22-alpine`. Alpine carries no gnutls library and uses OpenSSL directly, removing a class of OS-level package vulnerabilities present in the Debian slim image. Also swaps `npm install` for `npm ci` in the install step for reproducible, lockfile-exact builds.
+
 ## 0.12.3 - 2026-06-11
 ### Changed
diff --git a/Dockerfile b/Dockerfile
index 1c3a6f7..b939a90 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:22-slim
+FROM node:22-alpine
 # Upgrade npm to fix CVE-2026-33750 (brace-expansion < 2.0.3 bundled in npm 10.x)
 RUN npm install -g npm@11.16.0
@@ -10,7 +10,7 @@ WORKDIR /app
 COPY package*.json ./
 # Install dependencies - completely skip prepare scripts during Docker build
-RUN npm install --ignore-scripts
+RUN npm ci --ignore-scripts
 # Copy the rest of the application
 COPY . .
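Review bot: `node:22-alpine` on the new `FROM` line is a floating tag, so the base image the changelog credits with removing a class of OS-level package vulnerabilities can silently change from one build to the next; pin it by digest, `FROM node:22-alpine@sha256:<digest-placeholder>`, and bump the digest deliberately when a newer base is wanted. Moving from Debian (glibc) to Alpine (musl) also changes the runtime for any dependency that ships prebuilt native binaries, and because the install step further down runs with `--ignore-scripts` such packages are not rebuilt inside the image, so the lockfile should be checked for native modules before relying on the new base. Whether the final stage sets a `USER` or an exec-form `CMD` is outside this hunk.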
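Review bot: `npm ci --ignore-scripts` hard-fails when `package-lock.json` is missing or out of sync with `package.json`, which is the behaviour you want, but the preceding `COPY package*.json ./` only brings the lockfile into the build if it is committed and not excluded by `.dockerignore`; confirm both, otherwise every build now fails at this step. The comment above the changed line still says `# Install dependencies - completely skip prepare scripts during Docker build`; rewording it to `# Install exact lockfile versions (npm ci); --ignore-scripts skips prepare/postinstall hooks` documents why `ci` replaced `install`. If this image is the production runtime, `npm ci --omit=dev --ignore-scripts` would also keep devDependencies out of the layer, though I cannot tell from this hunk whether a later build step needs them.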