build: Update libraries to latest version

ci/java-builder/Dockerfile

@@ -1,24 +1,27 @@
 # KollectAI CI — Java Builder Image
 #
 # Pre-baked build environment for backend + plugin CI jobs.
-# Contains: Java 21, Maven 3.9.9, Node.js + pnpm, buf CLI, OWASP NVD
+# Contains: Java 25, Maven 3.9.x, Node.js 24 + pnpm 11, buf CLI, OWASP NVD
 # database, ORAS CLI, common dependencies.
 #
 # Build:
-#   docker build -t 192.168.1.72/kollect-tools/ci/java-builder:latest ci/java-builder/
+#   docker build -t kcr.kollect.biz/kollect-tools/ci/java-builder:latest ci/java-builder/
 #
 # Usage in CI:
 #   container:
-#     image: 192.168.1.72/kollect-tools/ci/java-builder:latest
+#     image: kcr.kollect.biz/kollect-tools/ci/java-builder:latest
+#
+# RUN order is cache-optimised: most stable / most expensive layers come
+# first, most volatile / cheapest layers come last. Bumping a version
+# only invalidates that layer and everything below it, so volatile pins
+# (pnpm, buf) live near the bottom to avoid forcing OWASP NVD or Maven
+# downloads to re-run.
 
 ARG JAVA_VERSION=25
 FROM eclipse-temurin:${JAVA_VERSION}-jdk-jammy
 
-ARG MAVEN_VERSION=3.9.14
-ARG OWASP_DC_VERSION=12.1.1
-ARG NVD_API_KEY=""
 # ─────────────────────────────────────────────────────────────────────
-# System dependencies
+# System dependencies + Node.js
 # ─────────────────────────────────────────────────────────────────────
 ARG NODE_MAJOR=24
 
@@ -40,6 +43,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 # ─────────────────────────────────────────────────────────────────────
 # Maven
 # ─────────────────────────────────────────────────────────────────────
+ARG MAVEN_VERSION=3.9.15
 ENV MAVEN_HOME=/opt/maven
 ENV PATH="${MAVEN_HOME}/bin:${PATH}"
 
@@ -56,6 +60,8 @@ RUN curl -fsSL "https://dlcdn.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries
 #
 # Rebuild this image weekly to keep the NVD database fresh.
 # ─────────────────────────────────────────────────────────────────────
+ARG OWASP_DC_VERSION=12.2.1
+ARG NVD_API_KEY=""
 ENV OWASP_DATA_DIR=/opt/owasp/dependency-check-data
 
 RUN mkdir -p "${OWASP_DATA_DIR}" \
@@ -65,17 +71,11 @@ RUN mkdir -p "${OWASP_DATA_DIR}" \
         -q || true
 
 # ─────────────────────────────────────────────────────────────────────
-# pnpm — via corepack (ships with Node.js)
+# ORAS CLI — for uploading artifacts to Harbor.
+# Low-volatility static binary; placed before buf/pnpm so a bump here
+# (rare) doesn't invalidate them.
 # ─────────────────────────────────────────────────────────────────────
-ARG PNPM_VERSION=10.15.0
-
-RUN corepack enable \
-    && corepack prepare "pnpm@${PNPM_VERSION}" --activate
-
-# ─────────────────────────────────────────────────────────────────────
-# ORAS CLI — for uploading artifacts to Harbor
-# ─────────────────────────────────────────────────────────────────────
-ARG ORAS_VERSION=1.2.2
+ARG ORAS_VERSION=1.3.2
 
 RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" \
     | tar -xz -C /usr/local/bin oras
@@ -85,12 +85,22 @@ RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_V
 # parity. Backend Java codegen lives in the Maven build (protobuf-maven-
 # plugin), not buf, so no protoc plugins are needed in this image.
 # ─────────────────────────────────────────────────────────────────────
-ARG BUF_VERSION=1.55.0
+ARG BUF_VERSION=1.69.0
 
 RUN curl -fsSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-Linux-x86_64" \
     -o /usr/local/bin/buf \
     && chmod +x /usr/local/bin/buf
 
+# ─────────────────────────────────────────────────────────────────────
+# pnpm — via corepack (ships with Node.js).
+# Last because it's the most volatile pin and corepack prepare is the
+# cheapest layer; bumping pnpm shouldn't force any other layer to rebuild.
+# ─────────────────────────────────────────────────────────────────────
+ARG PNPM_VERSION=11.0.1
+
+RUN corepack enable \
+    && corepack prepare "pnpm@${PNPM_VERSION}" --activate
+
 WORKDIR /workspace
 
 # Verify installation