How to deal with drupal's additional security recommendation related to composer install --no-dev on production

Thanks, for asking

Baisc rule, No run for composer on production. ( Better logic and better secured workflow )
You man do that at your local, the deve, or the staging/testing host.
But not directily on the production site.
- The composer build may faile at anypoint, and you will end up with the production site as down
- It may take 1 to 10 minues on the build, update, and changing.

For sure:

• Do not run composer install or composer update on production hosting ( do that at your local development only ) and deploy your code.
• If you need drush at production, you can move it from require-dev to require ( do that at your local development ) and deploy to production.
• No need for drupal/core-dev on production

Have a look at the following logic ( Good to learn the workflow from that )
Recommended to use Lando at your local and Platform.sh for development and staging
Installing Varbase with Lando
Deploy Varbase on Platform.sh
Varbase in Platformsh - Select The Varbase Template as The Project Type

Design your development workflow to manage environments

• dev
• test
• staging
• prod

Each one has its logic

hi
thanks for replying
i am alrady using the configuration you describe.

- on local i did everything with Lando (composer install, export config etc)
- and when everything is ok i pushed to Gitlab with a configured CI/CD that deploy per branch after some test tasks and merges requests on each of them (BchDev=>to Dev, Bchstg=>to Stg and BchMain=>to Prod)

However i haven't see any clear simple and easy way to deploy to PROD than the composer method with gitlab by first taking the site to maintenance mode.

Did have any suggestion ? is it what could be in Deploy Varbase on Platform.sh ? if yes please check the link because it's not clickable .

i have already noticed

The composer build may faile at anypoint, and you will end up with the production site as down

which is why i requested for a support

Thanks

Deploy Varbase on Platform.sh

At production you can use FTP or Git, or other methods.
Using git pull for a tagged version on the produciton is the better logic
remove any bash or composer update on production.
Before creating the MYSITE-1.0.3 tag for exmaple do the build you need for the production site.

I suggest that we propose to change the Drupal documentation in
What's more? # Additional security →

from

On the production site always use composer install --no-dev, so that unnecessary

to

Before deploying to the production site always use composer install --no-dev, so that unnecessary

hi
thanks for replying
i agreed with your suggestion.
By the way i that will be if people follow a workflow that exclude using composer on prod environment which (for most blog's i had read) is not usually the case as you can also see in that documentation.

So in addition to your suggestion does it make sense to suggest :

Before deploying to the production site always use <strong>in your test or preprod environment</strong> composer install --no-dev, so that unnecessary

Thanks