diff --git a/Dockerfile b/Dockerfile
index 63912b9..bf132df 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,10 @@
-FROM oven/bun:latest AS base
+FROM node:22-alpine AS base
 
 # Install dependencies only when needed
 FROM base AS deps
 WORKDIR /app
-COPY package.json ./
-RUN bun install
+COPY package.json package-lock.json* ./
+RUN npm install
 
 # Rebuild the source code only when needed
 FROM base AS builder
@@ -14,32 +14,44 @@ COPY . .
 
 # Build Next.js
 ENV NEXT_TELEMETRY_DISABLED=1
-RUN bun run build
+RUN npm run build
 
-# # Production image, copy all the files and run next
+# Production image, copy all the files and run next
 FROM base AS runner
 WORKDIR /app
 
 ENV NODE_ENV=production
 ENV NEXT_TELEMETRY_DISABLED=1
 
+RUN addgroup --system --gid 1001 nodejs
+RUN adduser --system --uid 1001 nextjs
+
 # Copy public folder
 COPY --from=builder /app/public ./public
 
 # Set permission for prerender cache
 RUN mkdir .next
+RUN chown nextjs:nodejs .next
 
 # Automatically leverage output traces to reduce image size
-COPY --from=builder /app/.next/standalone ./
-COPY --from=builder /app/.next/static ./.next/static
+COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
+COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
 
-# Copy migrations and migration script
-COPY --from=builder /app/drizzle ./drizzle
-COPY --from=builder /app/src/db/migrate.ts ./src/db/migrate.ts
-COPY --from=builder /app/src ./src
+# Copy migrations (from context/builder, since they are in the repo now)
+# NOTE: The build process (npm run build) might adhere to .next exclusions or changes
+# Since we did COPY . . in builder, /app/drizzle should exist there.
+# Let's be explicit and verify what's happening.
+COPY --from=builder --chown=nextjs:nodejs /app/drizzle ./drizzle
+COPY --from=builder --chown=nextjs:nodejs /app/src/db/migrate.ts ./src/db/migrate.ts
 
-RUN bun install drizzle-orm pg dotenv
+# Runtime dependencies
+RUN npm install -g tsx
+RUN npm install drizzle-orm pg dotenv
 
+# Copy the source so tsx can run migrate.ts
+COPY --from=builder --chown=nextjs:nodejs /app/src ./src
+
+USER nextjs
 
 EXPOSE 3000
 
@@ -47,4 +59,4 @@ ENV PORT=3000
 ENV HOSTNAME="0.0.0.0"
 
 # Custom entrypoint to run migrations then start app
-CMD ["sh", "-c", "bun --bun run src/db/migrate.ts && bun --bun run server.js"]
\ No newline at end of file
+CMD ["sh", "-c", "npx tsx src/db/migrate.ts && node server.js"]
\ No newline at end of file