Skip to content
This repository has been archived by the owner on May 3, 2024. It is now read-only.

fix(server): remove npm and yarn from the production image #1382

Closed
wants to merge 1 commit into from
Closed

fix(server): remove npm and yarn from the production image #1382

wants to merge 1 commit into from

Conversation

PixnBits
Copy link
Contributor

@PixnBits PixnBits commented Apr 11, 2024
edited

Description

Remove npm, npx, yarn, corepack, and their node_modules directories from the production image artifact.

Upsides

  • shipping less to production

Why we should not do this

  • npm serve-module <module-path> will not work; not an issue in production but will be an issue for anyone using the production image with @americanexpress/one-app-runner
  • removing files adds to the image size: similar to a git diff, the difference is stored. this must have changed, measuring this on my machine with dive and docker history I see the layer size being 0 B

Motivation and Context

Ship as little as possible to production to minimize attack surface area (unlikely to contribute to an exploit, but computers are complex enough to make that risk not zero).

How Has This Been Tested?

PR checks

Types of Changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation (adding or updating documentation)
  • Dependency update
  • Security update

Checklist:

  • My change requires a change to the documentation and I have updated the documentation accordingly.
  • These changes should be applied to a maintenance branch.
  • This change requires cross browser checks.
  • Performance tests should be ran against the server prior to merging.
  • This change impacts caching for client browsers.
  • This change impacts HTTP headers.
  • This change adds additional environment variable requirements for One App users.
  • I have added the Apache 2.0 license header to any new files created.

What is the Impact to Developers Using One App?

serving modules with npm (as @americanexpress/one-app-runner does) would not work anymore (explained above)

@github-actions GitHub Actions
Copy link
Contributor

Size Change: 0 B

Total Size: 735 kB

ℹ️ View Unchanged
Filename Size
./build/app/app.js 187 kB
./build/app/app~vendors.js 411 kB
./build/app/runtime.js 7.07 kB
./build/app/service-worker-client.js 7.25 kB
./build/app/vendors.js 124 kB

compressed-size-action

@10xLaCroixDrinker
Copy link
Member

Is this a common practice?

@10xLaCroixDrinker 10xLaCroixDrinker deleted the fix/remove-npm-from-production-image branch May 3, 2024 20:02
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
fix one-app-team-review-requested
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@PixnBits @10xLaCroixDrinker