--no-dev.
Description
Flagscomposer install in production-like stages when dev dependencies are still included.
Shipping require-dev packages in a production image increases the dependency graph, image size, and attack surface. The rule accepts either:
composer install --no-devENV COMPOSER_NO_DEV=1earlier in the same stage
dev, development, test, testing, ci, or debug are skipped.
Examples
Before
After
Stage-level env equivalent
Why this rule is a suggestion fix
The edit is narrow, but it changes which dependencies are installed. That is the right default for production images, but it is still a behavior change, so the fix is classified asFixSuggestion.