Skip to main content

Remove development dependencies



One Paragraph Explainer

Dev dependencies greatly increase the container attack surface (i.e. potential security weakness) and the container size. As an example, some of the most impactful npm security breaches were originated from devDependencies like eslint-scope or affected dev packages like event-stream that was used by nodemon. For those reasons the image that is finally shipped to production should be safe and minimal. Running npm install with a --production is a great start, however it gets even safer to run npm ci that ensures a fresh install and the existence of a lock file. Removing the local cache can shave additional tens of MB. Often there is a need to test or debug within a container using devDependencies - In that case, multi stage builds can help in having different sets of dependencies and finally only those for production.



Code Example – Installing for production

Dockerfile
FROM node:12-slim AS build

WORKDIR /usr/src/app
COPY package.json package-lock.json ./
RUN npm ci --production && npm cache clean --force

# The rest comes here



Code Example – Installing for production with multi-stage build

Dockerfile
FROM node:14.8.0-alpine AS build

COPY --chown=node:node package.json package-lock.json ./
# ✅ Safe install
RUN npm ci
COPY --chown=node:node src ./src
RUN npm run build


# Run-time stage
FROM node:14.8.0-alpine

COPY --chown=node:node --from=build package.json package-lock.json ./
COPY --chown=node:node --from=build node_modules ./node_modules
COPY --chown=node:node --from=build dist ./dist

# ✅ Clean dev packages
RUN npm prune --production

CMD [ "node", "dist/app.js" ]



Code Example Anti-Pattern – Installing all dependencies in a single stage dockerfile

Dockerfile
FROM node:12-slim AS build

WORKDIR /usr/src/app
COPY package.json package-lock.json ./
# Two mistakes below: Installing dev dependencies, not deleting the cache after npm install
RUN npm install

# The rest comes here



Blog Quote: "npm ci is also more strict than a regular install"

From npm documentation

This command is similar to npm-install, except it’s meant to be used in automated environments such as test platforms, continuous integration, and deployment – or any situation where you want to make sure you’re doing a clean install of your dependencies. It can be significantly faster than a regular npm install by skipping certain user-oriented features. It is also more strict than a regular install, which can help catch errors or inconsistencies caused by the incrementally-installed local environments of most npm users.