diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8ef1dcc..c264163 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## Unreleased
 
+### Changed
+
+- **Docker**: Remove `libgnutls30` from the runtime image via `dpkg --remove --force-depends`. The package is only depended on by `apt`, which is not needed at runtime. `libgnutls30` is not called by Node.js (which uses OpenSSL for TLS) and was present solely as a transitive system dependency of the Debian slim base.
+
 ## 0.12.3 - 2026-06-11
 
 ### Changed
diff --git a/Dockerfile b/Dockerfile
index 1c3a6f7..7072da4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,9 @@
 FROM node:22-slim
 
+# Remove gnutls from the runtime image. libgnutls30 is only depended on by apt,
+# which is not needed at runtime. Force-remove after all apt operations are done.
+RUN dpkg --remove --force-depends libgnutls30
+
 # Upgrade npm to fix CVE-2026-33750 (brace-expansion < 2.0.3 bundled in npm 10.x)
 RUN npm install -g npm@11.16.0
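Review bot: The new `RUN dpkg --remove --force-depends libgnutls30` sits directly after `FROM`, while its comment says the removal happens after all apt operations; the rest of the Dockerfile is outside this hunk, so if any later instruction (or an image built on top of this one) calls `apt-get`, it runs against an apt whose declared dependency has been removed. Either move the instruction to the end of the final stage or make the comment state the consequence, e.g. `# apt is unusable from this point on; do not add apt-get steps below.` `--force-depends` also suppresses the dependency check for every installed package, not only apt, so the claim that apt is the sole dependent is not enforced by the build; listing the installed reverse dependencies in the same `RUN` (for example with `apt-cache rdepends --installed libgnutls30`) and failing on anything other than apt would turn that claim into a check. The library files also remain in the base image's lower layer, so this narrows what is loadable at runtime and what a filesystem scanner reports rather than removing the bytes from the image.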