
Do not install dev dependencies inside Docker container #361

Open
alkuzad opened this issue Jul 27, 2022 · 3 comments
Assignees
Labels
help wanted Extra attention is needed type/enhancement New feature or request

Comments

@alkuzad

alkuzad commented Jul 27, 2022

What would you like to be added:

Do not install devDependencies into Docker container

Why is this needed:

Dev dependencies produce security issues and need to be upgraded but are more likely to be skipped.

These dependencies are now problematic:
GHSA-wpg7-2c88-r8xv
GHSA-mhxj-85r3-2x55

@joanlopez joanlopez self-assigned this Sep 12, 2022
@joanlopez
Collaborator

Hi @alkuzad,

Thanks for your request. At first glance, I agree it makes sense not to install devDependencies inside the Docker container or, at least, to use multi-stage builds so as not to include them in the final image.

We'll take a look at possible improvements in that way and will reach you back with any update, thanks!

@joanlopez joanlopez removed their assignment Nov 23, 2022
@joanlopez joanlopez added help wanted Extra attention is needed type/enhancement New feature or request labels Nov 23, 2022
@joanlopez
Collaborator

joanlopez commented Nov 23, 2022

Hey,

I looked again into the Dockerfile and it seems it'd be enough with just adding `ENV NODE_ENV=production` or `--production=true` at the time of installing the dependencies (`yarn install`).

Would that make sense for you @alkuzad? Do you think that would be enough? Anything else?

Thanks!

PS: cc/ @ArturWierzbicki because I think you have more experience than me with Node apps, so you could confirm as well. Appreciated!
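The multi-stage layout suggested in this thread, written out as an added example (this is not the project's own Dockerfile, and the base image, the `build` script emitting `./dist`, and `dist/index.js` are assumptions). It installs devDependencies only in the build stage, uses `--production=true` (with `NODE_ENV=production` set) for the runtime dependencies, and adds a build-time guard that fails the image build if any package listed under `devDependencies` still ends up in `node_modules`:

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the project's Dockerfile. Assumes a yarn (classic v1)
# project whose "build" script writes ./dist and whose entrypoint is dist/index.js.

# ---- Stage 1: build with devDependencies present (bundlers, compilers, test tools) ----
FROM node:18-alpine AS build
WORKDIR /app
COPY package.json yarn.lock ./
# Full install: the build step needs devDependencies.
RUN yarn install --frozen-lockfile
COPY . .
RUN yarn build

# ---- Stage 2: production dependencies only ----
FROM node:18-alpine AS deps
WORKDIR /app
ENV NODE_ENV=production
COPY package.json yarn.lock ./
# --production=true (also implied by NODE_ENV=production in yarn v1) skips devDependencies.
RUN yarn install --frozen-lockfile --production=true
# Build-time guard: fail the build if a devDependency leaked into node_modules.
RUN node -e '\
  const fs = require("fs"); \
  const dev = Object.keys(require("./package.json").devDependencies || {}); \
  const leaked = dev.filter(d => fs.existsSync("node_modules/" + d)); \
  if (leaked.length) { console.error("devDependencies present in image:", leaked); process.exit(1); }'

# ---- Stage 3: final runtime image, no build tooling ----
FROM node:18-alpine
WORKDIR /app
ENV NODE_ENV=production
COPY --chown=node:node --from=deps /app/node_modules ./node_modules
COPY --chown=node:node --from=build /app/dist ./dist
COPY --chown=node:node package.json ./
USER node
CMD ["node", "dist/index.js"]
```

Two caveats when adopting this: the guard reports a false positive for a package that is listed under `devDependencies` but is also pulled in as a transitive runtime dependency (it is legitimately present then), and the `--production=true` flag is yarn classic syntax; yarn berry (v2+) uses a different mechanism (`yarn workspaces focus --production`). A `.dockerignore` excluding the host `node_modules` keeps `COPY . .` from reintroducing locally installed dev packages into the build stage.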

@joanlopez joanlopez self-assigned this Nov 23, 2022
@alkuzad
Author

alkuzad commented Nov 23, 2022

@joanlopez yep, docs say that is the flag that disables devDependencies.
