
Fix Trivy CI: pin libnghttp2-14 to patched deb13u1 for CVE-2026-27135#102

Merged
akwirick merged 1 commit into main from aw/trivy-libnghttp2-cve-2026-27135 on May 15, 2026

Conversation

@akwirick
Contributor

Summary

  • Today's Trivy scan failed with one HIGH/CRITICAL fixable vuln: CVE-2026-27135 in libnghttp2-14, pulled transitively via wget → libcurl3-gnutls in the runtime image.
  • Pins libnghttp2-14=1.64.0-1.1+deb13u1 (the Debian trixie security-tracker fix) alongside the existing libngtcp2-* pins added in #99 (Fix Trivy CI: pin libngtcp2 to patched deb13u1 for CVE-2026-40170). Same pattern, same justification.

Test plan

  • CI Trivy scan passes (no HIGH/CRITICAL findings)
  • Image still builds on linux/amd64 and linux/arm64
  • Local trivy image --severity HIGH,CRITICAL --ignore-unfixed on the rebuilt image confirms CVE-2026-27135 drops

Session: d85c2c45 · Worktree: axon/primary

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@akwirick akwirick enabled auto-merge (squash) May 15, 2026 18:11
@akwirick akwirick merged commit 1fe409d into main May 15, 2026
19 checks passed
@akwirick akwirick deleted the aw/trivy-libnghttp2-cve-2026-27135 branch May 15, 2026 18:12

Copilot AI left a comment


Pull request overview

Updates the runtime Docker image dependency installation to ensure Trivy no longer flags a fixable HIGH/CRITICAL vulnerability by pinning a patched Debian package version, following the existing approach used for prior transitive-dependency CVE fixes.

Changes:

  • Pin libnghttp2-14 to 1.64.0-1.1+deb13u1 in the runtime-stage apt-get install to address CVE-2026-27135.
  • Update the Dockerfile comment to document the additional pin and associated CVE.
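The pin pattern described in the PR summary above and restated in the Copilot overview, as an added example rather than the project's own Dockerfile: the base image tag, the stage name, the `LIBNGHTTP2_VERSION` build argument and the `wget` install are assumptions; the only version string taken from the page is the libnghttp2-14 pin. The example also adds a post-install check (not mentioned on the page) so the build fails if apt resolves anything other than the pinned version.

```dockerfile
# Added example (not the project's Dockerfile). Runtime stage for a Debian
# trixie image; base tag, stage name and wget dependency are assumptions.
FROM debian:trixie-slim AS runtime

# Security pins for fixable HIGH/CRITICAL Trivy findings in transitive deps.
# Versions come from the Debian security tracker. The pin is exact (=), so
# apt fails the build loudly instead of silently installing an older build.
#   libnghttp2-14 1.64.0-1.1+deb13u1  CVE-2026-27135 (pulled in via wget)
# Existing pins from earlier fixes (e.g. the libngtcp2-* pins from #99) go on
# the same apt-get install line; their versions are omitted here.
ARG LIBNGHTTP2_VERSION=1.64.0-1.1+deb13u1

# After installing, query dpkg for the version that was actually resolved and
# fail the build if it differs from the pin (grep -xF: whole line, fixed string).
RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
        wget \
        "libnghttp2-14=${LIBNGHTTP2_VERSION}"; \
    dpkg-query -W -f='${Version}\n' libnghttp2-14 \
        | grep -qxF "${LIBNGHTTP2_VERSION}"; \
    rm -rf /var/lib/apt/lists/*
```

To confirm the finding is gone, rebuild and run the same check the test plan uses, `trivy image --severity HIGH,CRITICAL --ignore-unfixed <image>`, and look for CVE-2026-27135 in the output. Two practical notes on this style of pin: Debian binary packages carry the same version string on amd64 and arm64, so one pin covers both platforms the PR builds for; and when Debian ships a later security build (a hypothetical deb13u2) and drops deb13u1 from the mirrors, the exact pin makes the build fail rather than regress, which is the moment to bump the version and re-run the scan.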


