Replace npm prune with npm ci --omit=dev for consistency

[yamadashy]

Summary

This change replaces npm prune --omit=dev with npm ci --omit=dev in both the Dockerfile and CI workflow. This provides a more consistent and reliable approach to installing only production dependencies.

Changes

• Dockerfile: Replaced npm prune --omit=dev with npm ci --omit=dev in the build layer, and reordered it to run before npm link for better layer efficiency
• CI Workflow: Updated the production dependency installation step to use npm ci --omit=dev instead of npm prune --omit=dev
• Comment: Updated Dockerfile comment to reflect that all steps (not just npm ci and npm link) are executed in the same RUN command

Rationale

npm ci --omit=dev is more explicit and reliable than npm prune --omit=dev for ensuring only production dependencies are present. It performs a clean install based on the lockfile, which is more predictable than pruning after installation.

Checklist

• Run npm run test
• Run npm run lint

https://claude.ai/code/session_01WorTDgSv8c9jvVpa1YsSeo

---

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 418d4e57-0e7e-418c-892e-bdcfb779db56

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The PR updates the dependency installation strategy in the CI/CD workflow and Docker build process, replacing npm prune --omit=dev with npm ci --omit=dev to directly install production dependencies instead of pruning them after full installation.

Changes

Cohort / File(s)	Summary
CI/CD and Build Configuration .github/workflows/ci.yml, Dockerfile	Replaced npm prune --omit=dev with npm ci --omit=dev for production dependency installation. In Dockerfile, the command is also repositioned after build step to install dependencies fresh prior to linking.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

• Add production dependencies check to prevent dev dependencies leaks #187: Implements the same npm ci --omit=dev pattern to ensure only production dependencies are installed during builds.
• Add support for Docker #222: Modifies the same Docker build steps and dependency installation sequence that this PR targets.
• refactor(config): Replace prepare with prepack lifecycle script #1215: Addresses npm install/CI Docker failures related to lifecycle scripts running without devDependencies available.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: replacing npm prune with npm ci --omit=dev across files for consistency.
Description check	✅ Passed	The description provides comprehensive context including summary, detailed changes, rationale, and follows the required checklist template structure.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch claude/remove-omit-dev-flag-wALuV

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Code Review

Overall: Approve - This is a clean, well-motivated change.

Summary

Replacing npm prune --omit=dev with npm ci --omit=dev is a sound improvement. npm ci --omit=dev performs a clean install from the lockfile with only production dependencies, which is more deterministic than npm prune which mutates an existing node_modules in-place.

The commit message correctly notes that this is now safe because prepare was previously replaced with prepack (which only triggers on npm pack/npm publish, not npm ci), so the second npm ci --omit=dev won't inadvertently trigger a build that requires devDependencies.

Dockerfile

The reordering of npm ci --omit=dev before npm link is correct and cleaner:

npm ci              # install all deps (including dev)
npm run build       # build with devDeps available
npm ci --omit=dev   # clean reinstall with only prod deps
npm link            # symlink to global after final node_modules state
npm cache clean     # cleanup

Previously, npm link ran before npm prune, which meant npm prune was mutating node_modules after the link was established. The new ordering ensures npm link operates on the final, clean production node_modules.

The updated comment ("all steps" instead of "npm ci and npm link") is accurate.

CI Workflow

The CI change is straightforward - same substitution. Since npm ci --omit=dev wipes and reinstalls cleanly, it's a stricter validation that the package works with production dependencies only.

Considerations

Details

Performance: npm ci --omit=dev is slightly slower than npm prune --omit=dev since it does a full reinstall rather than just removing packages. In the Dockerfile this is negligible (single layer, one-time build). In CI it adds a small overhead per matrix run, but the reliability tradeoff is worthwhile.

Docker layer size: Both npm ci calls happen within the same RUN command, so only the final filesystem state is committed to the layer. No size regression.

Potential failure scenario: If prepack were ever changed back to prepare, npm ci --omit=dev would trigger the build script, which would fail because TypeScript and other build tools are devDependencies and wouldn't be installed. This is a hypothetical concern only - the current prepack setup is correct and the commit message documents this dependency clearly.

Verdict

No issues found. The change is correct, well-scoped, and the rationale is clearly documented in both the PR description and commit message.

---

Reviewed by Claude

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.14%. Comparing base (8ed0095) to head (007a886).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1218   +/-   ##
=======================================
  Coverage   87.14%   87.14%           
=======================================
  Files         115      115           
  Lines        4310     4310           
  Branches      998      998           
=======================================
  Hits         3756     3756           
  Misses        554      554           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

[cloudflare-workers-and-pages]

Deploying repomix with    Cloudflare Pages

Latest commit:	007a886
Status:	✅  Deploy successful!
Preview URL:	https://d60ea11a.repomix.pages.dev
Branch Preview URL:	https://claude-remove-omit-dev-flag.repomix.pages.dev

View logs

[claude]

Code Review (Follow-up)

Overall: Approve - Clean, well-scoped change. Agreeing with the previous review's conclusion.

Correction to Previous Review

The previous Claude review described the Dockerfile step order as npm ci → build → npm ci --omit=dev → npm link → cache clean, but the actual order (after the second commit restored it) is:

npm ci              # install all deps (including dev)
npm run build       # build with devDeps available
npm link            # symlink to global
npm ci --omit=dev   # clean reinstall with only prod deps
npm cache clean     # cleanup

This order is correct. npm link (without arguments) creates a global symlink pointing to the /repomix directory (e.g., /usr/local/lib/node_modules/repomix → /repomix), not into node_modules. So the subsequent npm ci --omit=dev wiping and recreating node_modules does not break the symlink or the global bin entry.

Key Behavioral Difference from npm prune

Worth noting explicitly: npm ci --omit=dev is a destructive reinstall while npm prune --omit=dev was an in-place removal. This is actually better for Docker builds because:

• It produces a cleaner, more deterministic node_modules (no leftover artifacts)
• It validates that the lockfile is consistent with package.json (since npm ci enforces lockfile integrity)

Premortem: Failure Scenarios

Scenario	Risk	Mitigation
prepack changed back to prepare	npm ci --omit=dev would trigger a build without devDeps, causing failure	Commit message documents this dependency; CI would catch it immediately
Lockfile drift	npm ci fails if package-lock.json doesn't match package.json	This is a feature, not a bug — surfaces issues earlier than npm prune
npm link after npm ci --omit=dev (order accidentally swapped)	Would still work, but npm link might warn about missing devDeps in node_modules	Current order (link first) avoids this; second commit specifically preserved this

Verdict

No issues found. The change is correct and well-documented across both commits.

---

Reviewed by Claude

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the Docker build process by standardizing the method for installing production dependencies. By switching from npm prune to npm ci --omit=dev, the change aims to improve the reliability and predictability of dependency installations, ensuring that only necessary packages are included in the final image. This adjustment contributes to a more robust and efficient build pipeline.

Highlights

• Dependency Management: Replaced npm prune --omit=dev with npm ci --omit=dev in the Dockerfile to ensure more consistent and reliable installation of only production dependencies.
• Dockerfile Comment Update: Updated a comment in the Dockerfile to accurately reflect that all steps within the RUN command contribute to reducing the layer size, not just npm ci and npm link.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• Dockerfile
  • Replaced npm prune --omit=dev with npm ci --omit=dev for production dependency installation.
  • Updated a comment to accurately describe the Docker layer optimization strategy.

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/ci.yml

Activity

• No specific review comments or activity recorded yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request replaces npm prune with npm ci for removing development dependencies in the Docker build, aiming for improved reliability. While the change is functionally correct, it introduces a significant inefficiency by running npm ci twice. My review includes a suggestion to refactor the Dockerfile to use a multi-stage build, which is a more efficient and standard practice for this scenario, resulting in faster builds and a smaller final image.

[gemini-code-assist]

While using npm ci --omit=dev is a valid way to remove development dependencies, running npm ci twice in the same RUN command is inefficient. The first npm ci installs all dependencies (including dev), and the second one removes the node_modules directory entirely before reinstalling only the production dependencies. This means you're downloading and installing dev dependencies only to throw them away immediately after the build step.

A more efficient and idiomatic approach in Docker is to use a multi-stage build. This would allow you to build the application with dev dependencies in a 'builder' stage, and then copy only the necessary production artifacts to a clean final stage, where you would run npm ci --omit=dev only once.

This would result in a faster build process and a smaller final image. Here's an example of how it could look:

# --- Builder Stage ---
FROM node:22-slim AS builder
WORKDIR /repomix

# Install all dependencies
COPY package.json package-lock.json ./
RUN npm ci

# Copy the rest of the source and build
COPY . .
RUN npm run build

# --- Final Stage ---
FROM node:22-slim

RUN apt-get update && apt-get install -y --no-install-recommends \
    git \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /repomix

# Copy only necessary artifacts from builder stage
COPY --from=builder /repomix/package.json /repomix/package-lock.json ./
COPY --from=builder /repomix/lib ./lib
COPY --from=builder /repomix/bin ./bin
COPY --from=builder /repomix/README.md ./
COPY --from=builder /repomix/LICENSE ./

# Install only production dependencies and link
RUN npm ci --omit=dev \
    && npm link \
    && npm cache clean --force

WORKDIR /app

# ... rest of your Dockerfile
RUN repomix --version
RUN repomix --help

ENTRYPOINT ["repomix"]

While this is a larger change, it's a significant improvement for the Dockerfile's efficiency and maintainability, aligning with Docker best practices.