diff --git a/.dockerignore b/.dockerignore
index 28082661f..135a5fad0 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -96,6 +96,9 @@ mojo
 spec
 scripts
 .claude
+
+# Allow postinstall patch script for node-deps base image
+!scripts/patch-bundled-deps.sh
 dist
 
 # Allow specific dbal paths through for app builds
diff --git a/deployment/base-images/Dockerfile.node-deps b/deployment/base-images/Dockerfile.node-deps
index d01245046..bd2cb1526 100644
--- a/deployment/base-images/Dockerfile.node-deps
+++ b/deployment/base-images/Dockerfile.node-deps
@@ -51,6 +51,9 @@ COPY translations/package.json ./translations/
 COPY types/package.json ./types/
 COPY workflow/package.json ./workflow/
 
+# Postinstall patch script (patches vulnerable bundled deps in npm)
+COPY scripts/patch-bundled-deps.sh ./scripts/
+
 # Install all workspace deps (generates lock file from package.json manifests)
 RUN npm config set fetch-retries 5 \
 && npm config set fetch-retry-mintimeout 20000 \
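Review bot: The copied `scripts/patch-bundled-deps.sh` acts as a security control, yet nothing in the Dockerfile hunk makes the build fail if it does not run or patches nothing. It is presumably invoked as an npm `postinstall` hook, which is skipped whenever lifecycle scripts are disabled (`--ignore-scripts` or `ignore-scripts=true`), and the base image would then ship the vulnerable bundled deps silently. I would add a verification step after the install that asserts the patched versions and exits non-zero otherwise, and extend the comment to name the caller, e.g. `# Run by the root package.json postinstall hook; the build must fail if the patch does not apply`. If the script fetches replacement packages, they should be version-pinned and integrity-checked inside the script, which is not visible here. The `RUN npm config …` instruction continues past the end of the hunk, so an existing check further down cannot be ruled out from this view.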