-1 on this I'm afraid. I agree with everything Carlos said - I think the maintance and security burden of rolling packages into the base layers outweights the ease of use concern for new users.
On Sat, 16 Feb 2019 at 14:13, Carlos Santana <[email protected]> wrote: > > With my vendor hat: > > This means anyone extending the base image in their Dockerfile need to > delete the node_modules directory first before they do npm install to > install the exact set of packages and their dependencies that they want. > They would this for various reasons for example they went over all the > dependency graph not just the top level and made sure there are no > legal/license problems, security CVEs, and maybe some packages for their > own purpose. > > This will increase the image size with a layer that never get use. > > The alternative is that the provider can have a Docker file that doesn’t > extend the openwhisk base image and instead extend the nodejs base image > and use the new from feature from Dockerfile to copy the 2 or 3 files out > of the base openwhisk image. > > Now with my Apache Hat: > You will need to blessed and do legal clearance of the npm packages and > all their dependencies to make sure their are compatible with Apache and > then maintain currency with the versions that for currency and also > security patches. > > I know that nodejs6 includes a bunch of npm packages but I was hoping to > delete nodejs:6 from the repo for this reason before graduation to avoid > any problems when going into graduation. > > PS: Anyone is welcome to use the image ibmfunctions/action-nodejs-v10 for > nodejs:10 in their runtimes.json is fully compatible with any openwhisk > deployment. This is the one I use locally in my Mac with docker-compose > deploy. > > - Carlos Santana > @csantanapr > > > On Feb 16, 2019, at 8:57 AM, Dominic Kim <[email protected]> wrote: > > > > +1 on this. > > > > > > Best regards > > Dominic > > > > > > 2019년 2월 16일 (토) 오전 10:53, Rodric Rabbah <[email protected]>님이 작성: > > > >> Hello, > >> > >> A few times in recent weeks and twice this past week there was > discussion > >> on slack about our nodejs8 and nodejs10 images and the lack of packages > in > >> these images. As we move to deprecate nodejs6 with its coming end of > life, > >> this is worth re-considering: should we include some popular images in > the > >> base image? > >> > >> We had previously eschewed packages because the thought was providers > roll > >> their own. But I'm finding that our nodejs6 runtime more convenient for > >> some development because of its built-in packages. > >> > >> So I opened a draft PR (new on GitHub!) to add some packages to our > images > >> here: > >> https://github.com/apache/incubator-openwhisk-runtime-nodejs/pull/111 > >> > >> Feedback welcome and especially appreciated if you aren't a provider > that > >> runs their own images. > >> > >> -r > >> > -- Regards, James Thomas
