Feedback before writing: Install npm packages for production (Docker build) #699

@goldbergyoni

Description

Context: This is used to share my TOC of a new best practice so I can solicit feedback and ideas before I start writing. From my experience, this makes the writing experience much easier and shorter. And fun.

Title: Install npm packages for production

  • TL;DR: When finalizing the Docker image for production, a safe package installation should be executed (`npm ci`) and with only production dependencies
  • Otherwise: Weaknesses in dev packages can be used for attacks. Image size is increased for no reason.
  • Simple explanation - On the need to ship a safe image to production, what can go wrong with dev dependencies (some of the latest attacks were on dev packages), what can go wrong when not using `npm ci`, why image size is increased. What if we do need the dev dependencies in Docker, how to remove them at the end
  • Advanced tip - As a bonus, we can also clean the npm cache and reduce the image size even more
  • Code example: `RUN npm ci --production && npm cache clean --force`

Thoughts? Improvements? Help me make it better
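The "we do need the dev dependencies to build, but they must not ship" case from the TOC, written out as a multi-stage Dockerfile. This is an added example, not code from the issue or the repository; the base image `node:20-alpine`, the `npm run build` script that emits `dist/`, and the `dist/index.js` entry point are assumptions.

```dockerfile
# syntax=docker/dockerfile:1

# Stage 1: build stage. devDependencies (compiler, bundler, test tooling) are
# installed here only; nothing from this stage ships except its build output.
FROM node:20-alpine AS build
WORKDIR /app
# Copy manifests first so the install layer is cached until the lockfile changes.
COPY package.json package-lock.json ./
# npm ci installs exactly what package-lock.json pins and fails instead of
# "fixing" a lockfile that disagrees with package.json (requires the lockfile).
RUN npm ci
COPY . .
# Assumption: the project's build script writes its output to /app/dist.
RUN npm run build

# Stage 2: production image. Only runtime dependencies are installed.
FROM node:20-alpine AS production
ENV NODE_ENV=production
WORKDIR /app
COPY package.json package-lock.json ./
# --omit=dev skips devDependencies (the newer spelling of the --production flag
# used in the issue); cache clean removes the npm download cache from the layer,
# so it never adds to the final image size.
RUN npm ci --omit=dev && npm cache clean --force
# Bring in the compiled output only; dev tooling and sources stay in stage 1.
COPY --from=build /app/dist ./dist
# Drop root; the official node images ship an unprivileged "node" user.
USER node
# Assumption: the compiled entry point is dist/index.js.
CMD ["node", "dist/index.js"]
```

After building, `docker run --rm <image> npm ls --depth=0` should list no devDependencies, which is a quick check that the production stage really omitted them.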
