Is using cache for npm install in docker safe?

I was wondering about the point `8.1 Use multi-stage builds for leaner and more secure Docker images` and the example stated there:
```Dockerfile
FROM node:14.4.0 AS build

COPY . .
RUN npm ci && npm run build


FROM node:slim-14.4.0

USER node
EXPOSE 8080

COPY --from=build /home/node/app/dist /home/node/app/package.json /home/node/app/package-lock.json ./
RUN npm ci --production

CMD [ "node", "dist/app.js" ]
```
My idea here for speed up this build by using the cache:
```Dockerfile
FROM node:14.4.0 AS build

COPY . .
RUN npm ci --cache .npm --prefer-offline && npm run build


FROM node:slim-14.4.0

USER node
EXPOSE 8080

COPY --from=build /home/node/app/.npm ./.npm
COPY --from=build /home/node/app/dist /home/node/app/package.json /home/node/app/package-lock.json ./
RUN npm ci --production --cache .npm --prefer-offline

CMD [ "node", "dist/app.js" ]
```
But the only consideration that I have is `Is it safe`?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Is using cache for npm install in docker safe? #1297

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Is using cache for npm install in docker safe? #1297

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions