-
-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement 'shrinkwrap' feature #505
Comments
I want us to do this right, meaning checksum checking for everything to ensure validity. Npm doesn't currently implement this, but are planning to. |
👍 This would be a really great feature. |
Must say 👍 in comparison to the npm and composer install I run bower is super slow. And is a real pain. |
👍 for sure it will be an excellent feature! I'm not completely sure how npm works on this, but the way Composer does totally fits my needs. [OFF-TOPIC] |
+1. However, I think there's a simple workaround for now. Since Bower's dependency tree is flat, you can just specify exact versions of projects in your bower.json. E.g., specify Bootstrap "2.3.2" instead of "~2.3.2" or "2.3.x" or whatever you do. Then (Of course, the flat dependency tree leeds to version conflict problems, not sure what the long-term solution to that is.) |
It's not quite a solution, because your immediate dependencies will have non-fixed version numbers for their dependencies. So even if you lock the versions down, every time |
Ah, good point. I guess you would have to take all the dependencies (recursively all the way down the tree) and explicitly include them at the top level. |
👍 |
I'm joining a little late this discussion, but I'd like to suggest a way to implement this. I think this could be done the way Bundle does with Gemfile and Gemfile.lock. We could specifiy dependencies in bower.json, install them with bower.json example: {
"name": "my-component",
"version": "0.1.0",
"ignore": [
"**/.*",
"node_modules",
"components",
"bower_components",
"test",
"tests"
],
"dependencies": {
"jquery": "~1.9.0",
"bootstrap": "~2.3.0",
"underscore": "~1.4.0"
}
} bower.lock example: {
"dependencies": {
"jquery": "#28d946384799abcd7608c3beda898a0a11ac88d7",
"bootstrap": "#d9b502dfb876c40b0735008bac18049c7ee7b6d2",
"underscore": "#484bdb43ec4a9dd6a40e60a2d25317bec7aeb43f"
}
} Doing so we could deploy exactly the same version of the components we have installed in our development environment without the need of including them in the VC. This could not be a problem for some people, but many components, like jquery-mobile (16 MB), jquery-ui (4.9 MB) or bootstrap (5.1 MB) are including the whole repo as the component (ignoring the ignore option to exclude documentation, tests, binary files, etc.) and making your repo needlessly big. I think this could be an easy to implement option and that it should be taken into account. I also expect to take some time to implement this and submit a pull request. Meanwhile I'll be watching this thread waiting for your suggestions. Thanks. |
Would it be better that a final version instead of the commit in the lock file? Meaning that |
@mikaelkaron as long as we implement checksums, I think it's better to use the version instead of the commit. It's also faster for github endpoints to download versions, instead of checking out commits. |
This would be great to make sure development and production versions are identical! The activity in this discussion suggest that such a feature is not being worked on at the moment. What can be done to make sure steps are made in the right direction? |
👍 |
Kick off an implementation design and some code for the feature :) |
one issue i see with npm's shrinkwrap over bundlers lockfile, is that the shrinkwrap is not maintained and used to re-validated in all scenarios. This makes it annoying to maintain, and error-prone. I would strongly suggest modeling this around how Gemfile.lock workflow. |
Or |
+1 for the Bundler-like approach with Is it currently possible to programmatically check (e.g. when running |
👍 |
+1 for some type of |
+1, please implement it, currently we are forced to put all the bower components into version control to ensure nothing will change on deployment. |
+1 this is crucial for deployment |
👍 it's a death or life question |
👍 |
1 similar comment
👍 |
This would be like cherries after a lovely sunset. |
If we want to have it in the bower we need to decide how it should behave because here is a problem: bower allows to specify package as direct url and there is no way to lock version of package installed this way. Possible solutions:
Personally I'm prefer 2) but we can start with 3). What do you think guys? I'm really interested in this feature. |
Note that 5) is not incompatible with 3) |
@greg0ire this is bad because it can happen on production server and updated file can contain errors or changed API. |
+1 for lockfile |
+1 for resolution key in bower.json |
since it seems like this feature is taking a long time in the making, maybe an intermediate step would be a script living entirely outside of bower? just take a |
@lsmith77 its possible to add custom resolver #1649 and http://bower.io/docs/pluggable-resolvers/ |
see #1748 |
👍 for lockfile |
👍 for lock file |
is #1748 ready for merge? |
Switched to an npm / webpack setup and haven't looked back. Still working on migrating off bower, because bower is lacking good support for code modularity and dependency locking. I will say that I still like the bower logo though! |
+1 for this, come on guys I can't take bower seriously until it has a way of locking down dependency versions, how can you develop with peace of mind without this??? |
+1 for lockfile |
+1 for lockfile ) |
Why have a separate lock file when the dependencies can be pinned in bower.json? |
@avdd: Like mentioned a couple of times before, you can only pin direct dependencies in bower.json. Indirect/transitive dependencies will always be pulled at their latest compatible version. So pinning in composer.json doesn't cut it. |
@derrabus I'm not sure what you mean. Because bower installations are flat and not nested like node, indirect deps become direct deps. If my app uses Foo which requires Bar, I pin versions of both Foo and Bar in my bower.json, which I believe is the point of the feature under discussion? |
@avdd Of course, you can pin the complete dependency graph in your bower.json. But the whole point of a dependency management tool is that you only define your direct dependencies and that it resolves all indirect dependencies for you. What you're describing is a valid workaround, but it's not the solution to the problem. |
@greg0ire bower packages are all installed into one bower_components directory at one level, i.e. flat. @derrabus it's not a workaround at all. Indirect dependencies are still very much dependencies that should be pinned for repeatable deployments. The dependency graph as such is only a temporary structure used for installing or updating packages. Why bother keeping it? (I assume we can only be talking about top-level projects and not redistributable packages, which clearly have no use for a shrinkwrap feature.) |
That's the point of the lock file. On the other hand, when you want to upgrade your top-level dependencies, you don't want to have to find yourself the right version of the indirect deps. That's bower's job, and that's why they should not be kept. Plus if the dependencies have many dependencies that also have dependencies, things could get cumbersome really quickly. |
+1 for lockfile |
Curious to know if anyone is working on this or what the status is? |
+1 |
+1 for lockfile |
+1 |
1 similar comment
+1 |
Please don't +1 this. We need someone skilled to declare to work at least 1-2 weeks on this feature and then maintain it for some time, so I can be sure it is solid and stable enough to release. We need to:
If someone feels competent enough and is interested in this "gig" (JFrog is eager to pay for time spent on this feature), please post a motivational letter and your availability on my e-mail: sheerun@sher.pl (e-mail me as well if you just want to volunteer without any liabilities) |
As Bower is not developed anymore, I'm going to close this issue. There are different solutions available right now, specifically npm has package-lock.json and yarn has yarn.lock. On top of this you can convert your current Bower project to yarn with https://github.com/sheerun/bower-away It's shame this feature never had production-ready implementation, but oh well, time to move on. |
Bower could do with something like npm's shrinkwrap feature to lock down specific versions for deploys.
https://npmjs.org/doc/shrinkwrap.html
This would probably be simpler than what npm has to do, as we'd just need to create a config file to represent the currently installed versions.
Related #416
The text was updated successfully, but these errors were encountered: