diff --git a/Dockerfile b/Dockerfile
index b66efdb..2e14174 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,11 +14,17 @@ WORKDIR /app
 RUN apk add --no-cache libc6-compat
 ENV NODE_ENV=production
+# Run as non-root user to limit impact of any future compromise
+RUN addgroup --system --gid 1001 nodejs && \
+ adduser --system --uid 1001 nextjs
 COPY --from=builder /app/.next ./.next
 COPY --from=builder /app/public ./public
 COPY --from=builder /app/node_modules ./node_modules
 COPY --from=builder /app/package-lock.json ./
 COPY --from=builder /app/package.json ./
+RUN chown -R nextjs:nodejs /app
+USER nextjs
 EXPOSE 3000
-CMD ["npm", "run", "start"]
\ No newline at end of file
+# Run Next directly (no shell) to reduce attack surface
+CMD ["node", "node_modules/next/dist/bin/next", "start"]
\ No newline at end of file
diff --git a/package.json b/package.json
index b8ee94c..d883ada 100644
--- a/package.json
+++ b/package.json
@@ -26,7 +26,7 @@
 "date-fns": "^4.1.0",
 "embla-carousel-react": "^8.6.0",
 "lucide-react": "^0.546.0",
- "next": "15.5.5",
+ "next": "15.5.7",
 "react": "19.1.0",
 "react-day-picker": "^9.11.1",
 "react-dom": "19.1.0",
@@ -42,7 +42,7 @@
 "@types/react": "^19",
 "@types/react-dom": "^19",
 "eslint": "^9",
- "eslint-config-next": "15.5.5",
+ "eslint-config-next": "15.5.7",
 "tailwindcss": "^4",
 "turbo": "^2.6.3",
 "typescript": "5.9.3"
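Review bot: `RUN chown -R nextjs:nodejs /app`, placed after the five COPY lines, rewrites every file under /app (node_modules and .next included) into a fresh layer, roughly doubling the image, and it also gives the runtime user write access to its own code and dependencies, which is more than `USER nextjs` needs to start the server. Setting ownership at copy time avoids both: `COPY --chown=nextjs:nodejs --from=builder /app/.next ./.next`, the same flag on the other four COPY lines, and the chown line dropped; if Next only needs to write under `.next/cache` at runtime (worth confirming against this app's ISR and image-optimisation settings), leave the rest root-owned and chown just that directory. The new `adduser` line does not place nextjs in the nodejs group, so the group half of `nextjs:nodejs` currently grants nothing to the service account; on this apk-based stage (its FROM line is outside the hunk) that would be `adduser --system --uid 1001 --ingroup nodejs nextjs`. The comment on the new CMD is slightly off, since the old exec-form `npm run start` also ran without a shell; the real gain is removing npm from the process tree so node is PID 1 and receives the stop signal directly, so consider `# Run next directly so node is PID 1 and receives SIGTERM without npm in between`.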