diff --git a/server-ce/Dockerfile-base b/server-ce/Dockerfile-base
index dad4b58682..f05927ee5d 100644
--- a/server-ce/Dockerfile-base
+++ b/server-ce/Dockerfile-base
@@ -25,7 +25,6 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
       unattended-upgrades \
       build-essential wget net-tools unzip time poppler-utils optipng strace nginx git python3 python-is-python3 zlib1g-dev libpcre3-dev gettext-base libwww-perl ca-certificates curl gnupg \
       qpdf \
-      inkscape \
 # upgrade base-image, batch all the upgrades together, rather than installing them on-by-one (which is slow!)
 &&  unattended-upgrade --verbose --no-minimal-upgrade-steps \
 # install Node.js https://github.com/nodesource/distributions#nodejs
@@ -100,11 +99,20 @@ RUN apt-get update \
 # opencv-python-headless is the GUI-less OpenCV build (provides cv2) suited to
 # a server. To add more later, append to this list (the cheapest way to cover
 # a library many projects need).
-&&  pip3 install --no-cache-dir --break-system-packages --ignore-installed \
+&&  pip3 install --no-cache-dir --break-system-packages \
       numpy pandas scipy matplotlib seaborn scikit-learn sympy plotly tabulate \
       opencv-python-headless tqdm \
 &&  rm -rf /var/lib/apt/lists/* /root/.cache
 
+# Install Inkscape (for the LaTeX svg package via shell-escape)
+# Must come AFTER the pip installs above: inkscape pulls in python3-numpy via
+# apt, which would block pip from upgrading numpy. With pip's numpy already in
+# /usr/local/lib, apt installs its own copy into /usr/lib alongside it — no
+# conflict — and Python resolves /usr/local/lib first at import time.
+RUN apt-get update \
+&&  apt-get install -y inkscape \
+&&  rm -rf /var/lib/apt/lists/*
+
 # Install decktape + headless Chromium (for exporting RevealJS decks to PDF)
 # -----------------------------------------------------------------------
 # decktape drives a headless Chromium (via Puppeteer) to print the rendered