fix: upgrade nginx base image to fix CVE-2026-42945 (CVSS 9.2 critical RCE) #1796

Open
zethis wants to merge 1 commit into CorentinTh:main from zethis:fix/upgrade-nginx-cve-2026-42945

Conversation

@zethis zethis commented May 14, 2026

What

Switches the production stage base image from nginx:stable-alpine to nginx:1.31-alpine.

Why

CVE-2026-42945 — Heap-based Buffer Overflow in ngx_http_rewrite_module

  • CVSS v4: 9.2 (Critical)
  • Impact: Unauthenticated remote attacker can crash nginx worker processes or achieve Remote Code Execution on systems with ASLR disabled
  • Affected: nginx 0.6.27 – 1.30.0 (current nginx:stable-alpine ships 1.26.x)
  • Fixed in: nginx 1.30.1 / 1.31.0
  • PoC: Publicly available since 2026-05-13
  • Advisory: https://nginx.org/en/security_advisories.html (F5 K000161019)

Change

-FROM nginx:stable-alpine AS production-stage
+FROM nginx:1.31-alpine AS production-stage
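Review bot: the `+FROM nginx:1.31-alpine AS production-stage` line swaps one floating tag for another, so the production image can still drift to whatever `1.31-alpine` resolves to later; pin the full patch version the description lists as fixed (`nginx:1.31.0-alpine`, if that tag is published) or better the image digest, and add a Dockerfile comment naming CVE-2026-42945 and the planned revert to `nginx:stable-alpine` so the temporary pin is not silently left in place. The description also lists 1.30.1 as fixed, so if the project would rather not move to the 1.31 series, a 1.30-series tag that resolves to 1.30.1 or later would satisfy the advisory as well.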

nginx:stable-alpine currently resolves to nginx 1.26.x which is vulnerable. Pinning to 1.31-alpine ensures the patched version is used. This can be reverted to nginx:stable-alpine once the stable branch is updated upstream by the nginx team.

Switch from nginx:stable-alpine (1.26.x, vulnerable) to nginx:1.31-alpine
which includes the fix for CVE-2026-42945, a heap buffer overflow in
ngx_http_rewrite_module allowing unauthenticated RCE.

Affected: nginx 0.6.27 – 1.30.0
Fixed in: nginx 1.30.1, 1.31.0
Ref: https://nginx.org/en/security_advisories.html
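As an added example (not code from the PR or the project), a small Python check that reads nginx's version banner and applies the affected window stated in the description above, so a CI job can confirm the resolved image is actually patched rather than trusting the tag name. The `nginx -v` banner format (`nginx version: nginx/X.Y.Z`, printed to stderr) is real; `check_image` assumes Docker is available locally, and the banners in the comments are constructed samples.

```python
import re
import subprocess
from typing import Optional, Tuple

# Affected window as given in the PR description for CVE-2026-42945
# (inclusive on both ends; 1.30.1 and 1.31.0 carry the fix).
AFFECTED_MIN = (0, 6, 27)
AFFECTED_MAX = (1, 30, 0)

_VERSION_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")


def parse_nginx_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an 'nginx -v' banner such as the
    constructed sample 'nginx version: nginx/1.26.3'. Returns None when no
    version string is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version lies inside the advisory's affected window.
    Tuple comparison gives correct ordering, so 1.30.0 is affected while
    1.30.1 and 1.31.0 are not."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def check_image(image: str) -> str:
    """Run the image's nginx binary once and report whether it is patched.
    Requires a local Docker daemon; `image` is the tag the Dockerfile uses."""
    proc = subprocess.run(
        ["docker", "run", "--rm", image, "nginx", "-v"],
        capture_output=True, text=True, check=True,
    )
    # nginx writes the banner to stderr; read both streams to be safe.
    version = parse_nginx_version(proc.stderr + proc.stdout)
    if version is None:
        raise ValueError(f"could not read nginx version from {image}")
    status = "VULNERABLE" if is_affected(version) else "patched"
    return f"{image}: nginx {'.'.join(map(str, version))} -> {status}"
```

Calling `check_image("nginx:1.31-alpine")` before the build, and failing the pipeline on `VULNERABLE`, keeps the check tied to the binary actually shipped rather than to the tag.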
zethis (Author) commented May 14, 2026

The E2E test failure is unrelated to this change. The error is:

E: Package 'libasound2' has no installation candidate
E: Unable to locate package libffi7
E: Unable to locate package libx264-163
Failed to install browsers

These are Playwright browser dependencies that don't exist under their old names on Ubuntu Noble (24.04). The same failure is reproducible on other unrelated PRs (e.g. renovate/netmask-2.x-lockfile, add-russian-localization), confirming it's a pre-existing repo-wide CI issue.

Our change is a single-line Dockerfile bump with no effect on tests.
