Build Cache & .dockerignore

Ordering for the Cache

Docker reuses cached layers until it hits the first instruction whose input changed - then everything after rebuilds. So order instructions from least to most frequently changing:

# ✅ deps cached until package.json changes - code edits rebuild in seconds
COPY package*.json ./
RUN npm ci
COPY . .

# ❌ any code edit invalidates the cache → full npm ci every build
COPY . .
RUN npm ci

.dockerignore - Small Images, Safe Images

COPY . . copies everything in the build context - including things that should never enter an image:

# .dockerignore
.git
node_modules
*.log
.env          ← live secrets baked into a distributable image = breach
backup.tar
Danger: An image is not private storage. Anyone who can pull it can read every file in every layer - even files deleted in a later layer are still in the earlier one. A .env with production keys inside an image is a security incident, not a code smell.
Goal: The Slim the Image, Save the Secrets lab hands you exactly this incident: a 40MB-heavier image with live secrets inside. Fix it with .dockerignore.