Docker

Lesson 02

Base images and tag pinning

Choose a narrow base image and pin versions deliberately so rebuilds do not change underneath you without review.

Good Code

Dockerfile
FROM node:22.11.0-alpine3.20 AS runtime

WORKDIR /app
ENV NODE_ENV=production

COPY package.json package-lock.json ./
RUN npm ci --omit=dev

COPY server.js ./server.js
CMD ["node", "server.js"]

Bad Code

Dockerfile
FROM node:latest

WORKDIR /app
COPY . .
RUN npm install

CMD ["node", "server.js"]

Review Notes

What to review

Good Code

The good version pins the base image to a specific Node version and Alpine release, and installs only production dependencies from the lockfile with npm ci --omit=dev.

Bad Code

The bad version depends on latest, so rebuilding the same commit can silently pull a different Node version and operating system packages.
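
The review above can be automated in CI. The following is an added example, not part of the original lesson: a small Python check that flags FROM lines whose base image is not pinned. The function names, the full major.minor.patch tag policy, and the MIXED sample are assumptions of this example.

```python
import re

# Assumed policy for this example: a tag counts as pinned only if it starts
# with a full major.minor.patch version, like the lesson's good Dockerfile.
FULL_VERSION = re.compile(r"^\d+\.\d+\.\d+")

def check_image(ref):
    """Return a reason string if the image reference is not pinned, else None."""
    if "@sha256:" in ref:
        return None  # a digest reference always resolves to the same image
    if "$" in ref:
        return "set by a build argument, cannot be checked statically"
    last = ref.rsplit("/", 1)[-1]  # ignore the colon in a registry host:port
    if ":" not in last:
        return "no tag, resolves to latest"
    tag = last.split(":", 1)[1]
    if tag == "latest":
        return "floating tag latest"
    if not FULL_VERSION.match(tag):
        return f"partial version tag {tag} can move between rebuilds"
    return None

def audit(dockerfile_text):
    """Return [(line_number, image, reason)] for each unpinned FROM line."""
    findings, stages = [], set()
    for number, line in enumerate(dockerfile_text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].upper() != "FROM":
            continue
        args = [p for p in parts[1:] if not p.startswith("--")]  # e.g. --platform
        if not args:
            continue
        image = args[0]
        # "scratch" and earlier build stages are not pulled from a registry
        if image != "scratch" and image.lower() not in stages:
            reason = check_image(image)
            if reason:
                findings.append((number, image, reason))
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2].lower())
    return findings

GOOD = "FROM node:22.11.0-alpine3.20 AS runtime\nWORKDIR /app\n"  # from the lesson
BAD = "FROM node:latest\nWORKDIR /app\n"                          # from the lesson
# Constructed multi-stage sample covering the remaining cases
MIXED = ("FROM --platform=linux/amd64 node:22-alpine AS build\nFROM build AS test\n"
         "FROM registry.example:5000/team/node\nFROM scratch\n")

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD), ("mixed", MIXED)):
        print(name, audit(text))
```

A CI job can fail the build whenever audit returns a non-empty list, so a change to the base image always shows up as a reviewed edit to the Dockerfile.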

Takeaways

  • A base image is a dependency; review it with the same care as package versions.