Build Cache & .dockerignore
Ordering for the Cache
Docker reuses cached layers until it hits the first instruction whose input changed - then everything after rebuilds. So order instructions from least to most frequently changing:
# ✅ deps cached until package.json changes - code edits rebuild in seconds
COPY package*.json ./
RUN npm ci
COPY . .
# ❌ any code edit invalidates the cache → full npm ci every build
COPY . .
RUN npm ci
.dockerignore - Small Images, Safe Images
COPY . . copies everything in the build context - including things that should never enter an image:
# .dockerignore
.git
node_modules
*.log
.env ← live secrets baked into a distributable image = breach
backup.tar
Danger: An image is not private storage. Anyone who can pull it can read every file in every layer - even files deleted in a later layer are still in the earlier one. A .env with production keys inside an image is a security incident, not a code smell.
Goal: The Slim the Image, Save the Secrets lab hands you exactly this incident: a 40MB-heavier image with live secrets inside. Fix it with .dockerignore.