Only install non-dev packages on production #285

rocketnova opened this issue Jul 6, 2021 · 0 comments
Labels
Engineering Technology and Development Track Size: L Type: Security Tickets that directly improve security

rocketnova commented Jul 6, 2021

Description

Currently, we are installing all packages on production. We don't need to install dev packages on production. It introduces a small risk by increasing our production vulnerability surface.

Context:

  • yarn install --production breaks everything
  • yarn build expects more dependencies to exist than are currently in dependencies (such as typescript which is in devDependencies)
  • yarn build builds stories, but shouldn't. There's no --exclude option for next build

Possible solutions:

  • put all the core code into a src folder, and do next build <dir>

Acceptance Criteria

  • devDependencies are not installed for production releases
@rocketnova rocketnova self-assigned this Jul 6, 2021
@rocketnova rocketnova added the Engineering Technology and Development Track label Jul 6, 2021
@rocketnova rocketnova removed their assignment Jul 8, 2021
@rocketnova rocketnova assigned rocketnova and unassigned rocketnova Nov 30, 2021
@lomky lomky added Type: Developer Experience Tickets that improve the developer environment or development process Type: Security Tickets that directly improve security and removed Type: Developer Experience Tickets that improve the developer environment or development process labels Dec 21, 2021
@kalvinwang kalvinwang added Type: Robustness Tickets to improve the application, invisibly Type: Security Tickets that directly improve security and removed Type: Security Tickets that directly improve security Type: Robustness Tickets to improve the application, invisibly labels Dec 30, 2021
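
One way to verify the acceptance criterion against an installed tree, as an added example that is not code from this issue or from the project. It allows for a devDependency that a production dependency also pulls in transitively, which may legitimately stay installed. The function names and the sample manifests are assumptions made for illustration, and a hoisted `node_modules` layout is assumed.

```javascript
// Added example; helper names are hypothetical, sample data is constructed.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Names reachable from the root's dependencies/optionalDependencies.
function productionClosure(rootManifest, installed) {
  const seen = new Set();
  const queue = Object.keys({ ...rootManifest.dependencies, ...rootManifest.optionalDependencies });
  while (queue.length > 0) {
    const name = queue.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    if (!has(installed, name)) continue; // absent (e.g. optional): nothing to walk
    const m = installed[name];
    queue.push(...Object.keys({ ...m.dependencies, ...m.optionalDependencies }));
  }
  return seen;
}

// devDependencies present on disk that no production dependency needs.
function devOnlyInstalled(rootManifest, installed) {
  const prod = productionClosure(rootManifest, installed);
  return Object.keys(rootManifest.devDependencies || {})
    .filter((name) => has(installed, name) && !prod.has(name))
    .sort();
}

// Read top-level node_modules manifests (assumes a hoisted layout).
function readInstalled(nodeModulesDir) {
  const fs = require("fs");
  const path = require("path");
  const installed = {};
  for (const entry of fs.readdirSync(nodeModulesDir)) {
    if (entry.startsWith(".")) continue; // .bin, .yarn-integrity, ...
    const names = entry.startsWith("@")
      ? fs.readdirSync(path.join(nodeModulesDir, entry)).map((n) => `${entry}/${n}`)
      : [entry];
    for (const name of names) {
      const file = path.join(nodeModulesDir, name, "package.json");
      if (fs.existsSync(file)) installed[name] = JSON.parse(fs.readFileSync(file, "utf8"));
    }
  }
  return installed;
}

// Constructed sample: a full install in which react pulls in loose-envify.
const sampleRoot = {
  dependencies: { next: "*", react: "*" },
  devDependencies: { typescript: "*", "@storybook/react": "*", "loose-envify": "*" },
};
const sampleInstalled = { next: {}, react: { dependencies: { "loose-envify": "*" } },
  "loose-envify": {}, typescript: {}, "@storybook/react": {} };
```

Run against the real `package.json` and the result of `readInstalled` in the release pipeline, a non-empty list means dev-only packages reached the production artifact.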