Greptile Summary

This PR addresses Trivy-reported vulnerabilities by upgrading the bundled Prometheus binary from 2.53.4 to 3.5.3 (LTS) and removing npm/npx from the runtime Docker image.

• Prometheus 3.5.3 upgrade: SHA256 hashes for all four architectures (linux/amd64, darwin/amd64, darwin/arm64) were verified against the official Prometheus download page. All CLI flags currently used (--config.file, --web.enable-admin-api, --storage.tsdb.retention.time, --storage.tsdb.path, --web.listen-address, --log.level) remain valid in Prometheus v3; the scrape configuration format and API endpoints (/api/v1/query, /api/v1/query_range, /api/v1/status/flags) are unchanged.
• npm/npx removal from Docker image: cmd.sh only invokes node directly, so stripping /usr/local/lib/node_modules/npm and the npm/npx symlinks is safe and reduces the image's vulnerability surface.

Confidence Score: 5/5

Safe to merge — the Prometheus v3 flags and scrape config used by the codebase are unchanged, SHA256 hashes are verified, and the npm removal does not affect the runtime entrypoint.

The diff touches only two well-scoped concerns: a version bump with verified checksums and a surface-reduction in the Docker image. All CLI flags passed to Prometheus are confirmed valid in v3, the scrape config format is unchanged, and the runtime entrypoint (cmd.sh) never calls npm or npx.

No files require special attention.

Important Files Changed

_{Reviews (1): Last reviewed commit: "lib upgrades for trivy issues" | Re-trigger Greptile}

Yeah, I split this out because it came up while I was working on #1704 but I agree that there's no pressing need to do these upgrades. Particularly if they require deeper migration planning we can drop this one for now.