diff --git a/apps/web/Dockerfile b/apps/web/Dockerfile
index 5b04e06f7b..8a815efc08 100644
--- a/apps/web/Dockerfile
+++ b/apps/web/Dockerfile
@@ -74,12 +74,10 @@ RUN --mount=type=secret,id=database_url \
 #
 FROM base AS runner
 
-# Upgrade Alpine system packages to pick up security patches.
-RUN apk update && apk upgrade --no-cache
-
-# Update npm to latest, then create user
+# Upgrade Alpine system packages to pick up security patches, update npm to latest, then create user
 # Note: npm's bundled tar has a known vulnerability but npm is only used during build, not at runtime
-RUN npm install --ignore-scripts -g npm@latest \
+RUN apk update && apk upgrade --no-cache \
+    && npm install --ignore-scripts -g npm@latest \
     && addgroup -S nextjs \
     && adduser -S -u 1001 -G nextjs nextjs