diff --git a/.github/workflows/security-pr.yml b/.github/workflows/security-pr.yml
index e1ed8120..6430063c 100644
--- a/.github/workflows/security-pr.yml
+++ b/.github/workflows/security-pr.yml
@@ -286,7 +286,7 @@ jobs:
       - name: Upload Trivy SARIF to GitHub Security
         if: always() && steps.trivy-sarif-check.outputs.exists == 'true'
         # github/codeql-action v4
-        uses: github/codeql-action/upload-sarif@28737ec792fa19d1d04dc0dc299f1de0559a9635
+        uses: github/codeql-action/upload-sarif@16adc4e6724ac45e5514b2814142af61054bcd2a
         with:
           sarif_file: 'trivy-binary-results.sarif'
           category: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.ref_name) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}
diff --git a/Dockerfile b/Dockerfile
index d5088a2a..82e70fe8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -68,7 +68,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 # ---- Frontend Builder ----
 # Build the frontend using the BUILDPLATFORM to avoid arm64 musl Rollup native issues
 # renovate: datasource=docker depName=node
-FROM --platform=$BUILDPLATFORM node:24.13.1-alpine AS frontend-builder
+FROM --platform=$BUILDPLATFORM node:24.14.0-alpine AS frontend-builder
 WORKDIR /app/frontend
 
 # Copy frontend package files