Remove bower_components from data app #82

Open
paterczm opened this issue Apr 1, 2015 · 7 comments

Comments

@paterczm
Contributor

paterczm commented Apr 1, 2015

We already discussed what to do with third-party JavaScript code, though I don't remember if we reached a conclusion. I propose to remove it from git and configure exec-maven-plugin to run `bower install` in the generate-sources phase. Example: https://github.com/paterczm/lightblue-applications/blob/angularjs/metadata-mgmt/pom.xml

@paterczm
Contributor Author

paterczm commented Apr 1, 2015

@alechenninger ^

@jewzaam
Member

jewzaam commented Apr 1, 2015

How does this work, is there a specific version of bower that would be installed? Or is it a "latest state"? If latest, what are the security implications?


@alechenninger
Contributor

The issue is that there is no concept of a lockfile or shrinkwrapped dependencies with bower. There is an open issue for this with tons of subscribers, but no one is really working on it, unfortunately.

Without that, you can't guarantee every build will use the same versions of dependencies, which may have unintended side effects.

Consider that even if you don't use semver version ranges, those dependencies still might declare their dependencies using semver ranges, and then each build will potentially pull in different transitive dependencies.

Not sure if it's likely enough to cause an issue, but this is why I checked things into source control to keep dependencies rock solid.

npm has a "shrinkwrap" feature to deal with this. Dart uses a pubspec.lock file, etc. It just doesn't seem like there is a frontend JS version of this yet, that I am aware of at least (last time I really looked was a month or two ago, other than following the bower issue).
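The point above about transitive semver ranges, as an added example that is not part of this thread or the project's code: a Node.js check that walks bower.json-style manifests and lists every dependency edge that is not pinned to an exact version. The sample manifests, the package name `widget-kit`, and the helpers `isPinned` and `findFloatingDeps` are constructed for illustration.

```javascript
// Constructed sample manifests (not from the lightblue-applications repo).
// Keys are package names; values mimic the "dependencies" field of bower.json.
const SAMPLE_MANIFESTS = {
  "data-app": { dependencies: { "angular": "1.3.15", "widget-kit": "2.0.1" } },
  "angular": { dependencies: {} },
  "widget-kit": { dependencies: { "jquery": ">=1.9.0", "moment": "~2.9.0" } },
  "jquery": { dependencies: {} },
  "moment": { dependencies: {} },
};

// Assumption: only a full x.y.z version (optionally after "#" in a URL or
// owner/repo spec) counts as pinned. Ranges, "*", "latest" and branch names float.
function isPinned(spec) {
  const target = spec.includes("#") ? spec.split("#").pop() : spec;
  return /^v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(target.trim());
}

// Walk the dependency graph from `root` and return every edge whose
// version spec can resolve differently from one build to the next.
function findFloatingDeps(manifests, root) {
  const findings = [];
  const seen = new Set();
  const visit = (name, path) => {
    if (seen.has(name)) return; // guard against cycles and repeated packages
    seen.add(name);
    const deps = (manifests[name] || {}).dependencies || {};
    for (const [dep, spec] of Object.entries(deps)) {
      if (!isPinned(spec)) {
        // direct === true means the root manifest itself declared the range
        findings.push({ path: [...path, dep].join(" > "), spec, direct: path.length === 1 });
      }
      visit(dep, [...path, dep]);
    }
  };
  visit(root, [root]);
  return findings;
}

// The root pins both of its dependencies, yet two transitive edges still float.
for (const f of findFloatingDeps(SAMPLE_MANIFESTS, "data-app")) {
  console.log(`${f.direct ? "direct" : "transitive"}: ${f.path} (${f.spec})`);
}
```

In a real checkout the manifests map would be filled from the project's `bower.json` and the `.bower.json` files under `bower_components/`; a non-empty result in CI is a signal that builds are not reproducible.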

@paterczm
Contributor Author

paterczm commented Apr 1, 2015

I see what you mean. You can't control the version of implicit dependencies with bower. If we used npm with shrinkwrap instead, would that solve the problem?

@alechenninger
Contributor

Yes that would -- not sure if that is possible to do with frontend dependencies? If so, I'd be all for it! npm is much more mature anyway than bower, and we already have to use npm for running the unit tests anyway.

@paterczm
Contributor Author

paterczm commented Apr 1, 2015

Ok, I'll try it out once I get back to metadata app.

@alechenninger
Contributor

Looks like this is finally coming to bower: bower/bower#1748
