chore: fix 5 open security alerts and bump Node to v24

Bump all Docker base images from node:16-slim/node:lts-alpine to
node:24-slim/node:24-alpine. Node 24 ships a newer bundled npm that
resolves the brace-expansion (GHSA-jxxr-4gwj-5jf2) and ip-address
(GHSA-v2v4-37r5-5v8g) image-scan alerts; the rebuild also picks up
pm2@7 with a patched ws (GHSA-58qx-3vcg-4xpx).

Override js-yaml to ^4.2.0 in server and client to close the
CVE-2026-53550 DoS alert in both package-lock files. Both projects
use .eslintrc.js so the removed safeLoad API is never invoked.

Author: rubenhensen

Dockerfile.prod

@@ -1,5 +1,5 @@
 # Build client frontend
-FROM node:lts-alpine AS fe-builder
+FROM node:24-alpine AS fe-builder
 LABEL maintainer="support@yivi.app"
 
 ENV PATH=/app/node_modules/.bin:$PATH
@@ -13,7 +13,7 @@ RUN npm run build
 ##################################
 
 # Build server backend
-FROM node:lts-alpine AS be-builder
+FROM node:24-alpine AS be-builder
 LABEL maintainer="support@yivi.app"
 
 ENV PATH=/app/node_modules/.bin:$PATH
@@ -39,7 +39,7 @@ COPY ./server/static ./dist/static
 ##################################
 
 # Build server and include frontend (docroot is set to ../client in config.json)
-FROM node:lts-alpine
+FROM node:24-alpine
 
 COPY --from=be-builder /app/dist/. /server
 COPY --from=fe-builder /app/dist/. /client

client/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:16-slim
+FROM node:24-slim
 
 RUN mkdir -p /usr/src/app