build: optimize Dockerfiles for production and pin dependencies

Implement multi-stage build and static server for frontend
Run containers as non-root user and set production environment
Pin all package dependencies to exact versions

backend/Dockerfile

@@ -1,11 +1,17 @@
 FROM node:22-alpine
 
+WORKDIR /app
+COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY backend/package.json ./backend/package.json
+COPY frontend/package.json ./frontend/package.json
+RUN corepack enable && corepack prepare pnpm@10.33.2 --activate && pnpm install --frozen-lockfile --filter @pokopia/backend...
+COPY backend ./backend
+COPY data ./data
+COPY system-wordings.ts ./system-wordings.ts
+RUN mkdir -p /app/uploads && chown -R node:node /app
+
+ENV NODE_ENV=production
 WORKDIR /app/backend
-COPY backend/package.json ./
-RUN corepack enable && pnpm install
-COPY backend/. .
-COPY data /app/data
-COPY package.json /app/package.json
-COPY system-wordings.ts /app/system-wordings.ts
+USER node
 EXPOSE 3001
 CMD ["pnpm", "run", "start"]

backend/package.json

@@ -13,17 +13,17 @@
     "test": "node --test --import tsx tests/*.test.ts"
   },
   "dependencies": {
-    "@fastify/cors": "latest",
-    "@fastify/multipart": "^10.0.0",
-    "@fastify/rate-limit": "^10.3.0",
-    "@fastify/static": "^9.1.3",
-    "fastify": "latest",
-    "pg": "latest"
+    "@fastify/cors": "11.2.0",
+    "@fastify/multipart": "10.0.0",
+    "@fastify/rate-limit": "10.3.0",
+    "@fastify/static": "9.1.3",
+    "fastify": "5.8.5",
+    "pg": "8.20.0"
   },
   "devDependencies": {
-    "@types/node": "latest",
-    "@types/pg": "latest",
-    "tsx": "latest",
-    "typescript": "latest"
+    "@types/node": "25.6.0",
+    "@types/pg": "8.20.0",
+    "tsx": "4.21.0",
+    "typescript": "6.0.3"
   }
 }