Why this matters
Significantly reduces image size and attack surface by excluding compilers and dev dependencies from production.
Use a builder stage for toolchains/dev deps and a minimal runtime stage that contains only runtime artifacts.
Side-by-side examples engineers can pattern-match during review.
Single-stage image with devDependencies included

FROM node:20.11.1-alpine
WORKDIR /app
COPY . .
RUN npm ci && npm run build
# dev deps & toolchain remain
CMD ["node","dist/index.js"]

Two-stage build: build -> minimal runtime

FROM node:20.11.1-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
FROM gcr.io/distroless/nodejs20 AS runtime
WORKDIR /app
# Only the build output and manifests are copied; node_modules is not,
# so this assumes dist/ needs no runtime packages.
COPY --from=build /app/dist ./
COPY --from=build /app/package*.json ./
# The distroless nodejs image uses node as its entrypoint, so CMD is only the script.
CMD ["index.js"]
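A review-time check for the pattern above, as an added example that is not part of the original rule: it splits a Dockerfile into stages and reports when the final (shipped) stage still runs npm install or build steps. The function names, the npm-only heuristic and the sample inputs are assumptions constructed for illustration.

```python
import re

FROM_RE = re.compile(r"^FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)
# Assumed heuristic for this page's Node examples: npm steps that pull dev deps/toolchain.
BUILD_CMD = re.compile(r"\bnpm\s+(?:ci|install|run\s+build)\b")

def parse_stages(dockerfile):
    """Split a Dockerfile into stages, one dict per FROM instruction."""
    stages = []
    text = re.sub(r"\\[ \t]*\n", " ", dockerfile)  # join line continuations
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = FROM_RE.match(line)
        if m:
            stages.append({"image": m.group(1), "name": m.group(2), "instructions": []})
        elif stages:
            stages[-1]["instructions"].append(line)
    return stages

def check_final_stage(dockerfile):
    """Return findings for the stage that ships; an empty list means it passes."""
    stages = parse_stages(dockerfile)
    if not stages:
        return ["no FROM instruction found"]
    final = stages[-1]["instructions"]
    findings = []
    builds = any(re.match(r"RUN\s", i, re.I) and BUILD_CMD.search(i) for i in final)
    if builds:
        findings.append("final stage runs npm install/build; dev deps and toolchain ship")
    if builds and len(stages) == 1:
        findings.append("single stage: move the build into a builder stage and COPY --from it")
    if len(stages) > 1 and not any(re.match(r"COPY\s+--from=", i, re.I) for i in final):
        findings.append("final stage copies nothing from an earlier stage")
    return findings

# Constructed inputs mirroring the two Dockerfiles on this page.
SINGLE_STAGE = """FROM node:20.11.1-alpine
WORKDIR /app
COPY . .
RUN npm ci && npm run build
CMD ["node","dist/index.js"]
"""
TWO_STAGE = """FROM node:20.11.1-alpine AS build
RUN npm ci
RUN npm run build
FROM gcr.io/distroless/nodejs20 AS runtime
COPY --from=build /app/dist ./
CMD ["index.js"]
"""
```

Calling check_final_stage on each Dockerfile in a repository during review gives a quick pass/fail on whether build tooling reaches the shipped stage.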