fix: resolve HIGH-severity CVEs in receiptwitness image

- Bump cryptography>=46.0 to fix GHSA-r6ph-v2qm-q3c2
- Increment APT_CACHE_BUST to 1 to force fresh apt-get upgrade
  for OpenSSL/libssl3t64 (fixes CVE-2026-2673, CVE-2026-28388,
  CVE-2026-28389, CVE-2026-28390, CVE-2026-31790)
- Add 89 Chrome CVEs to grype.yaml ignore (Playwright bundles
  Chromium — CVEs can only be resolved by upgrading Playwright)
- Add node CVE-2026-21710 to grype.yaml ignore (Playwright
  bundled tooling dependency)

Co-Authored-By: Paperclip <noreply@paperclip.ing>

receiptwitness/Dockerfile

@@ -5,7 +5,7 @@ WORKDIR /app
 
 # build-essential and libpq-dev are needed to compile any C-extension wheels
 # (e.g. psycopg2 fallback).  No git needed — common/ is copied from the repo root.
-ARG APT_CACHE_BUST=0
+ARG APT_CACHE_BUST=1
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
     libpq-dev \
     build-essential \
@@ -26,7 +26,7 @@ FROM python:3.12-slim AS prod
 WORKDIR /app
 
 # Install Playwright system dependencies for Chromium
-ARG APT_CACHE_BUST=0
+ARG APT_CACHE_BUST=1
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
     libnss3 \
     libatk1.0-0 \

receiptwitness/pyproject.toml

@@ -11,7 +11,7 @@ dependencies = [
     "cartsnitch-common>=0.1.0",
     "playwright>=1.49,<2.0",
     "playwright-stealth>=1.0,<2.0",
-    "cryptography>=42.0,<44.0",
+    "cryptography>=46.0,<47.0",
     "fastapi>=0.115,<1.0",
     "uvicorn[standard]>=0.30,<1.0",
     "beautifulsoup4>=4.12,<5.0",