diff --git a/.gitignore b/.gitignore
index 444dee5..4ae6947 100644
--- a/.gitignore
+++ b/.gitignore
@@ -248,3 +248,4 @@ tmp/
 # Integration test snapshot — personal to each developer's local input/ PDFs.
 # Never commit updates; the copy on main is kept only as a reference baseline.
 packages/parser-core/tests/integration/snapshots/output_snapshot.json
+.worktrees/
diff --git a/Dockerfile b/Dockerfile
index b7cec82..c72667a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -37,10 +37,11 @@ RUN python -c "import sysconfig; print(sysconfig.get_path('purelib'))" | xargs -
 FROM base AS production
 # hadolint ignore=DL3008
-RUN apt-get update && apt-get install -y --no-install-recommends \
+RUN apt-get update && apt-get upgrade -y --no-install-recommends && apt-get install -y --no-install-recommends \
 poppler-utils \
 && rm -rf /var/lib/apt/lists/*
 # poppler-utils is runtime-critical; pinning not practical. Mitigated by Trivy CI gate.
+# apt-get upgrade ensures OS packages (e.g. openssl) are patched at build time (CVE-2026-31789).
 RUN groupadd -r appuser && useradd -r -g appuser -u 1000 appuser
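Review bot: The new comment in the Dockerfile hunk overstates what the added `apt-get upgrade` guarantees: the text of the RUN instruction no longer changes between builds, so Docker's layer cache will replay the old layer and the upgrade is never re-run unless the build is made with --no-cache or an earlier layer is invalidated, which means a rebuild can still ship the unpatched openssl the comment says is fixed. A second, smaller caveat is that `apt-get upgrade` holds back any package whose update needs new dependencies or removals, so a patched package is not always installed by it; `apt-get full-upgrade` (or `dist-upgrade`) is what applies those. I would reword the comment to state the limitation rather than the guarantee, e.g. `# apt-get upgrade patches OS packages (e.g. openssl) only when this layer is actually rebuilt — cached layers keep old packages; bust the cache (--no-cache) when rebuilding for CVE-2026-31789 and let the Trivy gate confirm.` As a style point, the RUN line is now well over 100 columns; putting `apt-get upgrade -y --no-install-recommends && \` on its own continuation line would keep each apt step readable.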