fix(proxy): pin nginx and certbot images

[hassaansaleem28]

Proposed change

Resolves #3824

Pinned proxy images in docker-compose/proxy/compose.yaml to explicit versions for deterministic deployments. Dependabot already tracks docker-compose/proxy, so future updates will come via PRs.

Checklist

• Required: I followed the contributing workflow
• Required: I verified that my code works as intended and resolves the issue as described
• Required: I ran make check-test locally: all warnings addressed, tests passed
• I used AI for code, documentation, tests, or communication related to this PR

[coderabbitai]

Walkthrough

Pinned proxy images in docker-compose/proxy/compose.yaml: nest-certbot updated to certbot/certbot:v5.3.0 and nest-nginx updated to nginx:1.28.2-alpine.

Changes

Cohort / File(s)	Summary
Docker Compose — proxy docker-compose/proxy/compose.yaml	Updated image tags for proxy services: nest-certbot.image changed to certbot/certbot:v5.3.0; nest-nginx.image changed to nginx:1.28.2-alpine. No other service configuration changes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: pinning nginx and certbot images to explicit versions for deterministic deployments.
Linked Issues check	✅ Passed	The PR successfully addresses issue #3824 by pinning both nginx (1.28.2-alpine) and certbot (v5.3.0) images to explicit versions, enabling deterministic deployments and Dependabot tracking.
Out of Scope Changes check	✅ Passed	The changes are entirely in-scope: only image version tags were updated in docker-compose/proxy/compose.yaml, directly addressing the pinning requirement from issue #3824.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The pull request description clearly relates to the changeset, referencing the resolved issue #3824 and describing the pinning of proxy images to explicit versions.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 1 file

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@docker-compose/proxy/compose.yaml`:
- Line 20: The nginx image is pinned to an outdated tag "image:
nginx:1.26.2-alpine" in the compose service; update the image to the current
stable release by replacing that tag with "nginx:1.28.2-alpine" (or use a
maintained alias like "nginx:stable-alpine") so the proxy uses the latest
security-fixed nginx version; ensure any CI/build docs referencing the old tag
are updated accordingly.
- Line 5: The certbot image is pinned to an outdated tag
"certbot/certbot:v2.11.0"; update the image reference in the docker-compose
service to a current stable Certbot release (e.g., change
"certbot/certbot:v2.11.0" to "certbot/certbot:v5.3.0" or another current pinned
5.x tag) so the compose.yaml uses an up-to-date, security-patched Certbot image.

[arkid15r]

This one is still in draft, just FYI

[hassaansaleem28]

@cubic-dev-ai

Review this PR.

[cubic-dev-ai]

@cubic-dev-ai

Review this PR.

@hassaansaleem28 I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

No issues found across 1 file

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.13%. Comparing base (aaad3cb) to head (b03b201).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #3848   +/-   ##
=======================================
  Coverage   93.13%   93.13%           
=======================================
  Files         463      463           
  Lines       14531    14531           
  Branches     2061     2061           
=======================================
  Hits        13533    13533           
  Misses        538      538           
  Partials      460      460           

Flag	Coverage Δ
backend	95.65% <ø> (ø)
frontend	86.28% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update aaad3cb...b03b201. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.