Fix CVEs: install gosu 1.19 and fzf 0.71.0 from GitHub releases instead of Debian packages

Dockerfile

@@ -26,7 +26,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     jq \
     ripgrep \
     fd-find \
-    fzf \
     tree \
     less \
     vim-tiny \
@@ -37,13 +36,19 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && ln -s /usr/bin/fdfind /usr/local/bin/fd \
     && rm -rf /var/lib/apt/lists/*
 
-# ── gosu (install from GitHub for current Go version, avoids CVEs in Debian package)
-ARG GOSU_VERSION=1.17
+# ── gosu (install from GitHub to avoid CVEs in Debian's old Go-compiled package)
+ARG GOSU_VERSION=1.19
 RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "amd64" ;; arm64) echo "arm64" ;; *) echo "amd64" ;; esac) && \
     curl -fsSL "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${ARCH}" -o /usr/local/bin/gosu && \
     chmod +x /usr/local/bin/gosu && \
     gosu --version
 
+# ── fzf (install from GitHub to avoid CVEs in Debian's old Go-compiled package)
+ARG FZF_VERSION=0.71.0
+RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "amd64" ;; arm64) echo "arm64" ;; *) echo "amd64" ;; esac) && \
+    curl -fsSL "https://github.com/junegunn/fzf/releases/download/v${FZF_VERSION}/fzf-${FZF_VERSION}-linux_${ARCH}.tar.gz" | tar -xz -C /usr/local/bin fzf && \
+    fzf --version
+
 # Set locale
 RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
 ENV LANG=en_US.UTF-8