You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Thanks for your request. At first glance, I agree it makes sense to do not install devDependencies inside the Docker container or, at least, to do multi-stage builds to do not include them in the final image.
We'll take a look at possible improvements in that way and will reach you back with any update, thanks!
I looked again into the Dockerfile and it seems it'd be enough with just adding ENV NODE_ENV=production or --production=true at time of installing the dependencies (yarn install).
Would that make sense for you @alkuzad? Do you think that would be enough? Anything else?
Thanks!
PS: cc/ @ArturWierzbicki because I think you have more experience than me with Node apps, so you could confirm as well. Appreciated!
What would you like to be added:
Do not install devDependencies into Docker container
Why is this needed:
Dev dependencies produce security issues and needs to be upgraded but are more likely to be skipped.
These dependencies are now problematic:
GHSA-wpg7-2c88-r8xv
GHSA-mhxj-85r3-2x55
The text was updated successfully, but these errors were encountered: