Conversation

bjee19
Contributor

@bjee19 bjee19 commented Sep 26, 2025

Update Dockerfile Alpine packages libexpat and tiff to fix CVEs.

Verified NGINX Plus image does not contain libexpat or tiff alpine packages, and after these changes, the packages in the built docker image have the updated versions.

@bjee19 bjee19 requested a review from a team as a code owner September 26, 2025 23:52
@github-actions github-actions bot added the chore Pull requests for routine tasks label Sep 26, 2025
@bjee19
Contributor Author

bjee19 commented Sep 26, 2025

When running:

docker run --rm \
  --entrypoint /bin/sh \
  nginx-gateway-fabric/nginx:b.jee \
  -c 'apk list --installed'

this is the output:

...
libexpat-2.7.2-r0 aarch64 {expat} (MIT) [installed]
...
tiff-4.7.1-r0 aarch64 {tiff} (libtiff) [installed]

showing that the correctly updated packages are in the nginx image.

When running:

docker run --rm \
  --entrypoint /bin/sh \
  nginx-gateway-fabric/nginx-plus:b.jee \
  -c 'apk list --installed'

Neither libexpat nor tiff is installed, meaning these packages are not in the nginx plus image and that image is not affected by these CVEs.


codecov bot commented Sep 26, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.80%. Comparing base (f0b6a3d) to head (a8b114e).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3973      +/-   ##
==========================================
- Coverage   86.80%   86.80%   -0.01%     
==========================================
  Files         128      128              
  Lines       16607    16607              
  Branches       62       62              
==========================================
- Hits        14416    14415       -1     
- Misses       2007     2009       +2     
+ Partials      184      183       -1     

☔ View full report in Codecov by Sentry.

@bjee19 bjee19 enabled auto-merge (squash) September 29, 2025 19:28
@bjee19 bjee19 disabled auto-merge September 29, 2025 20:22
@bjee19
Contributor Author

bjee19 commented Sep 29, 2025

Apparently Alpine will only keep the latest image for these dependencies (https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/), meaning we cannot pin the version to 4.7.2-r0 since the dependency won't exist (you can see it doesn't exist; 4.7.3-r0 already came out). Doing a >= will guarantee it will be above the version we need.
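One check that complements the manual `apk list --installed` inspection in the earlier comment and the `>=` pinning discussed here, as an added example (not code from this PR or the NGINX Gateway Fabric repository): parse the `apk list --installed` output of a built image and verify that each patched package is at or above the fixed version, treating an absent package (the NGINX Plus case) as "unaffected" rather than as a failure. The version comparator is a simplified reimplementation of apk's ordering, and the sample lines are constructed from the ones quoted in the PR.

```python
import re

# Constructed sample of `apk list --installed` output, from the lines quoted in the PR.
SAMPLE_APK_LIST = """\
libexpat-2.7.2-r0 aarch64 {expat} (MIT) [installed]
tiff-4.7.1-r0 aarch64 {tiff} (libtiff) [installed]
"""
# Minimum versions the PR moves to; the Dockerfile pins them with >= rather than ==.
MIN_VERSIONS = {"libexpat": "2.7.2-r0", "tiff": "4.7.1-r0"}

# Line shape: "<name>-<version>-r<N> <arch> {origin} (license) [installed]". Names may
# contain hyphens, so match the name lazily up to the first "-<digit>...-rN".
LINE_RE = re.compile(r"^(?P<name>\S+?)-(?P<ver>\d[^\s-]*-r\d+)\s")
PRE_RELEASE = ("alpha", "beta", "pre", "rc")

def version_key(v: str) -> tuple:
    """Sortable key for a (simplified) Alpine version: N.N.N[a][_suffixN][-rN]."""
    base, sep, rel = v.rpartition("-r")
    if not (sep and rel.isdigit()):          # no package-release part
        base, rel = v, "0"
    main, _, suffix = base.partition("_")
    m = re.fullmatch(r"([0-9.]+)([a-z]?)", main)
    s = re.fullmatch(r"([a-z]+)(\d*)", suffix)
    if not m or (suffix and not s):
        raise ValueError(f"unsupported version string: {v}")
    nums = [int(p) for p in m.group(1).split(".")]
    sname, snum = (s.group(1), int(s.group(2) or 0)) if s else ("", 0)
    rank = -1 if sname in PRE_RELEASE else (1 if sname else 0)   # _rc < plain < _p
    return (nums, m.group(2), rank, snum, int(rel))

def installed_versions(apk_list_output: str) -> dict:
    """Map package name -> version for every [installed] line in the output."""
    found = {}
    for line in apk_list_output.splitlines():
        m = LINE_RE.match(line)
        if m and "[installed]" in line:
            found[m.group("name")] = m.group("ver")
    return found

def check_minimums(apk_list_output: str, minimums: dict) -> dict:
    """Return {pkg: (status, installed_version)} with status ok / outdated / absent.
    'absent' is not a failure: the NGINX Plus image ships neither package and is unaffected."""
    have = installed_versions(apk_list_output)
    out = {}
    for pkg, minimum in minimums.items():
        cur = have.get(pkg)
        if cur is None:
            out[pkg] = ("absent", None)
        else:
            out[pkg] = ("ok" if version_key(cur) >= version_key(minimum) else "outdated", cur)
    return out
```

Feed the output of the `docker run ... -c 'apk list --installed'` command into `check_minimums` with `MIN_VERSIONS`; any "outdated" entry means the image still carries a pre-fix package.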

@bjee19 bjee19 requested a review from ciarams87 September 29, 2025 20:32
@bjee19 bjee19 enabled auto-merge (squash) September 30, 2025 16:00
@bjee19 bjee19 merged commit 5add16d into main Sep 30, 2025
67 of 68 checks passed
@bjee19 bjee19 deleted the chore/fix-cves branch September 30, 2025 18:21
@github-project-automation github-project-automation bot moved this from 🆕 New to ✅ Done in NGINX Gateway Fabric Sep 30, 2025
bjee19 added a commit that referenced this pull request Oct 1, 2025
Update Dockerfile Alpine packages libexpat and tiff to fix CVEs.
bjee19 added a commit that referenced this pull request Oct 1, 2025
Cherry-pick #3973. Update Dockerfile Alpine packages libexpat and tiff to fix CVEs.