grafana-image-renderer
Do not install dev dependencies inside Docker container
What would you like to be added:
Do not install devDependencies into Docker container
Why is this needed:
Dev dependencies produce security issues and need to be upgraded, but they are more likely to be skipped.
These dependencies are now problematic: https://github.com/advisories/GHSA-wpg7-2c88-r8xv https://github.com/advisories/GHSA-mhxj-85r3-2x55
Hi @alkuzad,
Thanks for your request. At first glance, I agree it makes sense not to install devDependencies inside the Docker container or, at least, to use multi-stage builds so that they are not included in the final image.
We'll take a look at possible improvements in that direction and will get back to you with any update, thanks!
Hey,
I looked again into the Dockerfile and it seems it'd be enough to just add ENV NODE_ENV=production or --production=true at the time of installing the dependencies (yarn install).
Would that make sense for you @alkuzad? Do you think that would be enough? Anything else?
Thanks!
PS: cc/ @ArturWierzbicki because I think you have more experience than me with Node apps, so you could confirm as well. Appreciated!
@joanlopez yep, the docs say that is the flag that disables devDependencies.
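To illustrate the two options discussed in this thread, here is an added example (not the grafana-image-renderer Dockerfile): a single-stage build that ships devDependencies, next to a multi-stage build where the runtime stage installs with --production=true. The base image, the build command (yarn build), the build output directory and the entrypoint are assumptions.

```dockerfile
# Added example, not the project's own Dockerfile.
# Base image, build command, output directory and entrypoint are assumptions.

# --- Before: devDependencies end up in the shipped image --------------------
# FROM node:18-alpine
# WORKDIR /app
# COPY package.json yarn.lock ./
# RUN yarn install --frozen-lockfile   # NODE_ENV unset -> devDependencies installed
# COPY . .
# RUN yarn build
# CMD ["node", "build/app.js"]

# --- After: build stage has the dev tooling, runtime stage does not ---------
FROM node:18-alpine AS build
WORKDIR /app
COPY package.json yarn.lock ./
# The build stage legitimately needs devDependencies (compilers, bundlers).
RUN yarn install --frozen-lockfile
COPY . .
RUN yarn build

FROM node:18-alpine AS runtime
WORKDIR /app
ENV NODE_ENV=production
COPY package.json yarn.lock ./
# --production=true (same effect as NODE_ENV=production) skips devDependencies,
# so vulnerable dev-only packages never land in the runtime layer.
RUN yarn install --frozen-lockfile --production=true && yarn cache clean
# Only the build output is copied over; the build stage's node_modules stays behind.
COPY --from=build /app/build ./build
USER node
CMD ["node", "build/app.js"]
```

To confirm the result, list node_modules in the built image (for example with docker run --rm <image> ls node_modules) and compare it against the devDependencies section of package.json; none of those packages should be present.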