
build: upgrade base images to Debian trixie and Poetry 2.4.1 #7718

Open
wtfiwtz wants to merge 2 commits into getredash:master from orchestrated-io:fix/dockerfile-trixie-build-tools

Conversation

wtfiwtz commented Jun 1, 2026

  • Node base: node:24-bookworm → node:24-trixie
  • Python base: python:3.13-slim-bookworm → python:3.13-slim-trixie
  • Add trixie-security, trixie-updates, and trixie-proposed-updates repos
  • Apply targeted security upgrades before installing packages
  • MSSQL packages repo: debian/12 → debian/13
  • POETRY_VERSION: 2.1.4 → 2.4.1
  • Upgrade pip/setuptools/wheel before Poetry install

What type of PR is this?

  • Refactor
  • Feature
  • Bug Fix
  • New Query Runner (Data Source)
  • New Alert Destination
  • Other

Description

How is this tested?

  • Unit tests (pytest, jest)
  • E2E Tests (Cypress)
  • Manually
  • N/A

Related Tickets & Documents

Mobile & Desktop Screenshots/Recordings (if there are UI changes)

- Node base: node:24-bookworm → node:24-trixie
- Python base: python:3.13-slim-bookworm → python:3.13-slim-trixie
- Add trixie-security, trixie-updates, and trixie-proposed-updates repos
- Apply targeted security upgrades before installing packages
- MSSQL packages repo: debian/12 → debian/13
- POETRY_VERSION: 2.1.4 → 2.4.1
- Upgrade pip/setuptools/wheel before Poetry install

Co-authored-by: Cursor <cursoragent@cursor.com>
wtfiwtz marked this pull request as ready for review June 1, 2026 06:58

wtfiwtz commented Jun 1, 2026

Disclaimer: This comment was AI-generated to summarize the CVE and advisory coverage for this PR. Please verify against your scanner output (e.g. Docker Scout, ECR, Trivy) and release notes before treating it as authoritative.

CVE / advisory coverage for PR #7718 (fix/dockerfile-trixie-build-tools)

This PR is infrastructure-only (Dockerfile + frontend build dependency). It does not change application Python/npm dependency versions in pyproject.toml or security-related frontend overrides — those are handled in the other split PRs.

What this PR fixes

1. Debian OS packages (runtime image)

| Change | Security effect |
| --- | --- |
| Base: python:3.13-slim-bookworm → python:3.13-slim-trixie | Newer Debian stable with current security maintenance |
| Frontend builder: node:24-bookworm → node:24-trixie | Same for Node build stage |
| Add trixie-security, trixie-updates, trixie-proposed-updates apt sources | Pulls security-pocket packages at image build time |
| apt-get -t trixie-security upgrade before package install | Applies Debian Security Advisory (DSA) fixes to installed/base packages |

Typical OS-level findings addressed (exact CVE IDs depend on image scan date and trixie-security contents at build time):

  • OpenSSL / libssl advisories
  • libxml2 advisories (XML parsing; relevant to SAML xmlsec1 stack)
  • nghttp2 / HTTP/2 stack advisories
  • PostgreSQL client (libpq) advisories
  • Other transitive Debian packages in the slim image and build-deps layer

This PR does not enumerate specific DSA/CVE IDs in the Dockerfile — remediation is “build from trixie + run security archive upgrade,” which picks up whatever DSAs are current when the image is built.

2. Build-time Python tooling (pip bootstrap)

| Pin | Known advisory addressed |
| --- | --- |
| setuptools>=78.1.1 | CVE-2025-47273 (path traversal in sdist extraction) |
| pip>=26.1, wheel>=0.46.2 | Current pip/wheel security patch levels at install time |

These are upgraded before Poetry install in the runtime image build.

3. Other Dockerfile changes (not direct CVE fixes)

| Change | Notes |
| --- | --- |
| Poetry 2.1.4 → 2.4.1 | Build tooling update |
| MSSQL repo debian/12 → debian/13 | Required for trixie; keeps ODBC driver install working |
| core-js ^2.6.12 (2nd commit) | Build fix, not a CVE fix — satisfies @babel/preset-env useBuiltIns: "usage" / corejs: 2 so pnpm run build resolves polyfill imports under pnpm |

What is not fixed by this PR

| Area | Handled in |
| --- | --- |
| Werkzeug, authlib, cryptography, Flask, Jinja2, PyJWT, etc. | #7719 / #7722 |
| axios, dompurify, lodash, npm transitive overrides | #7720 |
| urllib3 2.x + champion SSRF | #7721 |
| jwcrypto 1.5.7 (CVE-2026-39373) | Not in any split branch yet |
| bootstrap@3.4.1 (CVE-2019-8331, CVE-2025-1647) | Accepted / frontend migration |
| paramiko (CVE-2026-44405) | Blocked by sshtunnel compatibility |

Scanning note

Re-scan the built image after merge to confirm OS CVE count drops vs bookworm. Because trixie-security is applied at build time, identical Dockerfile rebuilds on different dates may resolve different CVE sets as new DSAs land.
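The following runtime-stage Dockerfile is an added example, not Redash's Dockerfile and not code from this PR; it shows the pattern sections 1 and 2 of the comment above describe (trixie base, trixie-security/-updates/-proposed-updates sources, a targeted security upgrade before package install, a pinned pip bootstrap, then Poetry). The version pins are the ones quoted in the PR; the apt package list, the `/app` layout and the `pyproject.toml`/`poetry.lock` copy are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not Redash's Dockerfile): a minimal runtime stage that follows
# the pattern described in PR #7718. Package names, the /app layout and the
# pyproject/poetry.lock copy are assumptions; the pins are the PR's own values.
FROM python:3.13-slim-trixie

ARG POETRY_VERSION=2.4.1
ENV DEBIAN_FRONTEND=noninteractive \
    PIP_NO_CACHE_DIR=1 \
    POETRY_VIRTUALENVS_CREATE=false

# 1. Apt sources in deb822 form (the layout Debian 13 images use). Writing the
#    whole file, rather than appending a second one, avoids listing a suite twice.
COPY <<EOF /etc/apt/sources.list.d/debian.sources
Types: deb
URIs: http://deb.debian.org/debian
Suites: trixie trixie-updates trixie-proposed-updates
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: http://deb.debian.org/debian-security
Suites: trixie-security
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
EOF

# 2. Pull DSA fixes into the base layer first (-t targets the security suite),
#    then install build/runtime packages from the refreshed index in the same
#    layer so the list cleanup keeps the image small. Package set is an assumption
#    chosen to match the libpq / libxml2 / xmlsec1 stack the comment mentions.
RUN apt-get update \
 && apt-get -y -t trixie-security upgrade \
 && apt-get install -y --no-install-recommends \
      build-essential libpq-dev libxml2-dev libxmlsec1-dev libxmlsec1-openssl \
 && rm -rf /var/lib/apt/lists/*

# 3. Pin the pip bootstrap before Poetry, so Poetry itself is installed with a
#    setuptools that carries the CVE-2025-47273 fix and current pip/wheel.
RUN pip install --upgrade "pip>=26.1" "setuptools>=78.1.1" "wheel>=0.46.2" \
 && pip install "poetry==${POETRY_VERSION}"

WORKDIR /app
COPY pyproject.toml poetry.lock ./
RUN poetry install --only main --no-root --no-interaction
COPY . .
```

Because step 2 resolves against whatever is in trixie-security on the day of the build, two builds of this same file on different dates can produce images with different OS CVE sets; the build log from the `upgrade` line records exactly which packages were bumped, and an image scan after the build is the way to confirm the count actually dropped.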


cubic-dev-ai (bot) left a comment

No issues found across 3 files
