To get closer to prod sec and legal requirements, we should move from get-sources.sh -> asset*.gz file for the node dependencies, and instead use cachito w/ container.yaml configuration to fetch sources, then build the sources inside a Docker context, letting cachito find the dependencies in yarn.lock / package.json.

• https://github.com/redhat-developer/devspaces-images/blob/devspaces-3-rhel-8/devspaces-dashboard/get-sources.sh
• https://github.com/redhat-developer/devspaces-images/blob/devspaces-3-rhel-8/devspaces-dashboard/sources
• https://github.com/redhat-developer/devspaces-images/blob/devspaces-3-rhel-8/devspaces-dashboard/container.yaml

Once the remote_source map described above is set in container.yaml, you can now copy the upstream sources (with bundled dependencies) provided by cachito in your build image by adding:

COPY $REMOTE_SOURCE $REMOTE_SOURCE_DIR
to your Dockerfile. From this point on, you will find the root of the upstream project at $REMOTE_SOURCE_DIR/app, and the project dependencies at $REMOTE_SOURCE_DIR/deps.