goldbergyoni / nodebestpractices

:white_check_mark: The Node.js best practices list (July 2024)
https://twitter.com/nodepractices/
Creative Commons Attribution Share Alike 4.0 International

Is using cache for npm install in docker safe? #1297

Open Motii1 opened 3 months ago

Motii1 commented 3 months ago

I was wondering about point 8.1, Use multi-stage builds for leaner and more secure Docker images, and the example stated there:

```dockerfile
FROM node:14.4.0 AS build

COPY . .
RUN npm ci && npm run build

# Official node image tags put the variant after the version: 14.4.0-slim
FROM node:14.4.0-slim

USER node
EXPOSE 8080

COPY --from=build /home/node/app/dist /home/node/app/package.json /home/node/app/package-lock.json ./
RUN npm ci --production

CMD [ "node", "dist/app.js" ]
```

My idea here is to speed up this build by using the cache:

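```dockerfile
FROM node:14.4.0 AS build

COPY . .
# Populate a project-local npm cache during the build stage
RUN npm ci --cache .npm --prefer-offline && npm run build

# Official node image tags put the variant after the version: 14.4.0-slim
FROM node:14.4.0-slim

USER node
EXPOSE 8080

# The build-stage cache is copied into the final image and stays in its layers
COPY --from=build /home/node/app/.npm ./.npm
COPY --from=build /home/node/app/dist /home/node/app/package.json /home/node/app/package-lock.json ./
RUN npm ci --production --cache .npm --prefer-offline

CMD [ "node", "dist/app.js" ]
```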

But the only consideration that I have is: is it safe?
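
An added example, not part of the original post or the guide's own code: the same two-stage build with the npm cache held in a BuildKit cache mount, so repeat builds reuse downloaded tarballs while no `.npm` directory is copied into, or left behind in, any image layer. It assumes BuildKit is enabled, a `WORKDIR` of `/home/node/app`, a `.dockerignore` that excludes `node_modules` and `.npm`, and that the install runs as root before `USER node` (hence the cache path `/root/.npm`).

```dockerfile
# syntax=docker/dockerfile:1
# Added example (assumptions: BuildKit, WORKDIR /home/node/app, root during install)

FROM node:14.4.0 AS build
WORKDIR /home/node/app

# Copy only the manifests first so the dependency layer is rebuilt
# only when package.json or package-lock.json change.
COPY package.json package-lock.json ./

# The cache directory is a BuildKit-managed mount: it persists between
# builds on the build host but is never committed to an image layer.
RUN --mount=type=cache,target=/root/.npm \
    npm ci --cache /root/.npm --prefer-offline

COPY . .
RUN npm run build

FROM node:14.4.0-slim
WORKDIR /home/node/app
EXPOSE 8080

# Only the manifests and build output cross the stage boundary;
# no cache directory is copied from the build stage.
COPY --from=build /home/node/app/package.json /home/node/app/package-lock.json ./

# Same cache mount, reused for the production-only install.
# npm ci still installs exactly the versions pinned in package-lock.json.
RUN --mount=type=cache,target=/root/.npm \
    npm ci --production --cache /root/.npm --prefer-offline

# Copying the directory to ./dist keeps the dist/app.js path used by CMD.
COPY --from=build /home/node/app/dist ./dist

# Drop privileges only after the install, so the runtime user cannot
# modify the application files or node_modules.
USER node
CMD [ "node", "dist/app.js" ]
```

`docker history` on the resulting image shows whether any layer still carries a `.npm` directory; with the cache mount there should be none.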