A three-stage Dockerfile — build-env to compile TypeScript, deps-env to install only production dependencies with npm ci --omit=dev, and a final gcr.io/distroless/nodejs20-debian11 stage that copies in just the compiled build/ and production node_modules — gets you a Node image with no shell, no package manager, and an attack surface that's basically your code plus the runtime.
The full post walks through the Dockerfile line by line, including the gotcha that distroless CMD can only invoke node (so you point it at your build folder and let index.js boot), and shows the resulting image size pushed to ECR.
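The three stages described above, written out as an added example (this is not the Dockerfile from the original post). The node:20-bullseye-slim base for the first two stages, the src/ and tsconfig.json layout, and an npm "build" script that emits to build/ are assumptions.

```dockerfile
# Stage 1 (build-env): compile TypeScript. Needs devDependencies (tsc).
# Assumption: bullseye-based builder, chosen to match the Debian 11 runtime
# so any native addons are built against the same libc generation.
FROM node:20-bullseye-slim AS build-env
WORKDIR /app
COPY package.json package-lock.json tsconfig.json ./
RUN npm ci
COPY src ./src
# Assumption: the "build" script runs tsc with outDir set to build/.
RUN npm run build

# Stage 2 (deps-env): production dependencies only, from the lockfile.
FROM node:20-bullseye-slim AS deps-env
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --omit=dev

# Stage 3: distroless runtime. No shell and no package manager, so RUN
# instructions cannot execute here; everything arrives through COPY --from.
FROM gcr.io/distroless/nodejs20-debian11
WORKDIR /app
COPY --from=deps-env /app/package.json ./package.json
COPY --from=deps-env /app/node_modules ./node_modules
COPY --from=build-env /app/build ./build
# The image's entrypoint is already node, so CMD supplies only its argument.
# Given a directory, node resolves and runs build/index.js.
CMD ["build"]
```

Because the final stage has no shell, CMD has to stay in exec (JSON array) form, and debugging with docker exec into a shell is not available on this image.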
Originally published at andreasbergstrom.dev — read the full post there.