FS-4978: dont use nodemon in production

sfount · sfount · commit 72eece37090c · 2025-01-24T15:37:59.000Z
nodemon is designed to be run locally to watch for file changes and
restart the running process. This behaviour could lead to unpredictable
behaviour when running and has security implications for exucting
modified code.

The `NODE_ENV` is often used by servers and dependencies to gate
behaviour that would only be acceptable in a development environment.
I've not audited what would depend on that in this instance but we don't
want to leave room for vulnerabilities through defauling to open
(development).

Note that this continues the practice of including the NODE_ENV in the
package json. This is to aim for this fix to be as least disruptive as
possible but I don't encourage this.

Ideally the script will just take care of starting the server and the
context it is running in should be responsible for appropriately
configuring the environment.
diff --git a/designer/package.json b/designer/package.json
@@ -5,9 +5,10 @@
   "scripts": {
     "watch": "NODE_ENV=development webpack",
     "dev": "NODE_OPTIONS=--openssl-legacy-provider && concurrently 'yarn watch' 'yarn start:local'",
-    "production": "yarn start:prod",
+    "production": "NODE_ENV=production yarn start:server",
+    "start:test": "NODE_ENV=test yarn start:server",
     "build": "NODE_ENV=production && NODE_OPTIONS=--openssl-legacy-provider && webpack",
-    "start:prod": "NODE_ENV=production nodemon dist/server.js",
+    "start:server": "node dist/server.js",
     "start:local": "NODE_ENV=development PERSISTENT_BACKEND=preview ts-node-dev --inspect --respawn --transpile-only server/index.ts"
   },
   "author": "Communities UK",
diff --git a/docker-compose.e2e.yml b/docker-compose.e2e.yml
@@ -13,7 +13,7 @@ services:
       - LAST_COMMIT
       - LAST_TAG
       - AUTH_ENABLED=false
-    command: yarn designer production
+    command: yarn designer start:test
     depends_on:
       - runner
       - localstack
@@ -44,7 +44,7 @@ services:
       - SINGLE_REDIS=true
       - FORM_RUNNER_ADAPTER_REDIS_INSTANCE_URI=redis://redis-data:6379
       - PREVIEW_MODE=true
-    command: yarn runner production
+    command: yarn runner start:test
     logging:
       driver: "json-file"
     depends_on:
diff --git a/runner/package.json b/runner/package.json
@@ -12,7 +12,9 @@
     "copy-forms": "node copy-form-json.js",
     "clean:build": "rm -rf dist",
     "dev": "NODE_ENV=development nodemon --watch src --ext js,json,ts,html,scss --exec 'yarn build && node dist/digital-form-builder-adapter/runner/index.js'",
-    "production": "NODE_ENV=development nodemon dist/digital-form-builder-adapter/runner/index.js",
+    "start:server": "nodemon dist/digital-form-builder-adapter/runner/index.js",
+    "production": "NODE_ENV=production npm run start:server",
+    "start:test": "NODE_ENV=development npm run start:server",
     "test-cov": "yarn run unit-test-cov",
     "test:dev": "lab -T test/.transform.js -P (test|src)/**/*.test.* -v test --coverage-exclude",
     "unit-test": "lab -T test/.transform.js -P (test|src)/**/*.test.* -v test -S -v -r console -o stdout -r html -o unit-test.html -I version -l",
