Skip to main content
Production Composer install commands should include --no-dev.

Description

Flags composer install in production-like stages when dev dependencies are still included. Shipping require-dev packages in a production image increases the dependency graph, image size, and attack surface. The rule accepts either:
  • composer install --no-dev
  • ENV COMPOSER_NO_DEV=1 earlier in the same stage
Stages explicitly named dev, development, test, testing, ci, or debug are skipped.

Examples

Before

After

Stage-level env equivalent

Why this rule is a suggestion fix

The edit is narrow, but it changes which dependencies are installed. That is the right default for production images, but it is still a behavior change, so the fix is classified as FixSuggestion.

References