@gjav92 gjav92 commented Sep 18, 2025

Summary

This PR addresses critical security vulnerabilities (CVEs) in the Docker images by:

  • Fixing CVE-2019-10744 (lodash prototype pollution)
  • Fixing CVE-2022-41853 (hsqldb vulnerability)
  • Fixing CVE-2025-7783 (form-data unsafe random function)
  • Updating base image from Debian Bookworm to Trixie and Java from 17 to 21

Changes

Security Fixes

  1. Package-level resolutions (package.json)
    • Added yarn resolutions for [email protected] and form-data@^2.5.4 to fix vulnerabilities in transitive dependencies
  2. Docker-specific patches
    • CVE-2019-10744: Added targeted patch for jshs2 package's nested lodash dependency
      • jshs2 is unmaintained (last updated 2017) and bundles vulnerable lodash 3.10.1
      • Temporary fix until migration to modern hive-driver package
    • CVE-2022-41853: Patch JDBC hsqldb JAR from 2.3.2 to 2.7.1 (cannot be fixed via npm/yarn)
  3. Base image security updates
    • Updated Node.js base image from Debian Bookworm (12.11) to Trixie (13.1)
    • Upgraded OpenJDK from 17 to 21 for improved security and performance
    • Addresses additional critical CVEs resolved by newer Debian packages

Critical CVEs Fixed:

  • CVE-2019-10744: lodash prototype pollution (jshs2 patch)
  • CVE-2022-41853: hsqldb RCE vulnerability (JAR update)
  • CVE-2025-7783: form-data unsafe random function (resolutions)
  • Multiple OS-level CVEs resolved by Debian Trixie base image

Notes

  • The jshs2 lodash patch is a pragmatic temporary solution. A proper fix would involve migrating from the unmaintained jshs2 to the actively maintained hive-driver package, which would require code refactoring.
  • All security patches are clearly documented in the Dockerfiles for future maintainers
  • Base image update provides additional security hardening beyond application-level fixes

Fixes security vulnerabilities identified in Docker image scans with Trivy.
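As an added verification check, not part of this PR or the Cube.js code base: a small Python audit that walks a node_modules tree and lists every copy of lodash below the fix version, including copies nested under another package such as jshs2, which yarn resolutions cannot replace when the package ships its own bundled copy. The fix version 4.17.12 for CVE-2019-10744 and the constructed sample tree are assumptions of this example.

```python
# Hypothetical audit helper written for this example; not part of the Cube.js PR.
import json
import os
import tempfile
from pathlib import Path

# Assumed fix version for CVE-2019-10744 (lodash prototype pollution);
# the PR description itself does not state it.
LODASH_FIXED = (4, 17, 12)


def parse_version(text):
    """Turn '^4.17.21' or '3.10.1-beta' into an integer tuple for comparison."""
    core = text.lstrip("^~=v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def find_vulnerable_copies(root, name="lodash", fixed=LODASH_FIXED):
    """Return sorted [(path_relative_to_root, version)] for every installed
    copy of `name` whose version is below `fixed`. Copies nested under another
    package's own node_modules are included: a hoisted, resolved top-level
    copy does not make a bundled copy (as in jshs2) go away."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        parent = os.path.basename(os.path.dirname(dirpath))
        if os.path.basename(dirpath) != name or parent != "node_modules":
            continue
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            version = json.load(fh).get("version", "0.0.0")
        if parse_version(version) < fixed:
            hits.append((Path(os.path.relpath(dirpath, root)).as_posix(), version))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: resolutions hoisted a fixed lodash to the top level,
    but jshs2 still ships its own lodash 3.10.1 one level down."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    for rel, version in (("lodash", "4.17.21"), ("jshs2/node_modules/lodash", "3.10.1")):
        pkg = root / rel
        pkg.mkdir(parents=True)
        (pkg / "package.json").write_text(json.dumps({"name": "lodash", "version": version}))
    return root


if __name__ == "__main__":
    for path, version in find_vulnerable_copies(build_sample_tree()):
        print(f"vulnerable lodash {version} at {path}")
```

Run it against a built image's node_modules (for example via `docker run --rm <image> tar -C /path/to/app -cf - node_modules | tar -xf -`) to confirm that the Dockerfile patch actually replaced the nested copy that the Trivy scan flagged.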

@gjav92 gjav92 requested a review from a team as a code owner September 18, 2025 05:38
@github-actions github-actions bot added the pr:community Contribution from Cube.js community members. label Sep 18, 2025
…; upgrade OpenJDK to 21 in Dockerfile

Update debian base image in jdk Dockerfile
@gjav92 gjav92 force-pushed the security/jdk-dockerfile-cve-critical-fix branch from 2f2f023 to f609e02 Compare September 18, 2025 05:43
@gjav92 gjav92 closed this Sep 18, 2025
@gjav92 gjav92 reopened this Sep 18, 2025