Fixes broken Docker image build

The `npm audit fix` in the `Dockerfile` is currently deleting vulnerable packages. Although we do want to have package security, this should be done in a development process, not as part of the Docker build. This commit also reduces the Docker image size and improves security.
nightscout · Dec 6, 2021 · 5e0e592 · 5e0e592
1 parent 1477c79
commit 5e0e592
Showing 1 changed file with 11 additions and 6 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -2,17 +2,22 @@ FROM node:14.15.3-alpine
 
 LABEL maintainer="Nightscout Contributors"
 
-RUN mkdir -p /opt/app
-ADD . /opt/app
 WORKDIR /opt/app
-RUN chown -R node:node /opt/app
-USER node
+ADD . /opt/app
 
-RUN npm install && \
+# TODO: We should be able to do `RUN npm install --only=production`.
+# For this to work, we need to copy only package.json and things needed for `npm`'s to succeed.
+# TODO: Do we need to re-add `npm audit fix`? Or should that be part of a development process/stage?
+RUN npm install --cache /tmp/empty-cache && \
   npm run postinstall && \
   npm run env && \
-  npm audit fix
+  rm -rf /tmp/*
+  # TODO: These should be added in the future to correctly cache express-minify content to disk
+  # Currently, doing this breaks the browser cache.
+  # mkdir /tmp/public && \
+  # chown node:node /tmp/public
 
+USER node
 EXPOSE 1337
 
 CMD ["node", "lib/server/server.js"]