Multi-Stage Docker Builds

Multi-stage Docker builds use multiple FROM instructions in a single Dockerfile, each starting a new build stage that can selectively copy artifacts from previous stages. This pattern separates the build environment (which needs compilers, dev dependencies, and build tools) from the production runtime (which needs only the compiled application and production dependencies), resulting in dramatically smaller and more secure images.

A typical Node.js multi-stage build has three stages: a dependencies stage that installs all packages, a builder stage that compiles TypeScript, runs code generation, and prunes dev dependencies, and a production stage based on a minimal image (Alpine, distroless, or scratch) that copies only the built artifacts and production node_modules. This can reduce image sizes from 1GB+ to under 100MB, significantly improving pull times and reducing the attack surface.

BuildKit (Docker's modern build engine) enhances multi-stage builds with parallel stage execution (independent stages build concurrently), cache mounts (--mount=type=cache for package manager caches that persist between builds), secret mounts (--mount=type=secret for build-time secrets that don't persist in layers), and build arguments for conditional stage selection. Named stages (FROM node:20-alpine AS builder) improve readability and allow targeting specific stages with --target for development or testing purposes.