Thanks for the tutorial. One thing I do not understand is the following: What's the point of having the package.json (and package-lock.json) in /opt/ instead of just having it in /opt/app/ like the rest?
So, in very simple terms, it's because it minimizes the attack surface of a container.
Think of it in this scenario.
If node_modules is where your web browser / server is running, it can be exploited, meaning I can get access to the container and I can go up the chain.
If it's OUTSIDE, I get fewer exploits and have to go up further again.