lightblue-platform / lightblue-applications

GNU General Public License v3.0

Remove bower_components from data app #82

Open paterczm opened 9 years ago

paterczm commented 9 years ago

We already discussed what to do with 3rd party javascript code, though I don't remember if we reached a conclusion. I propose to remove it from git and configure exec-maven-plugin to run bower install in generate-sources phase. Example: https://github.com/paterczm/lightblue-applications/blob/angularjs/metadata-mgmt/pom.xml

paterczm commented 9 years ago

@alechenninger ^

jewzaam commented 9 years ago

How does this work, is there a specific version of bower that would be installed? Or is it a "latest state"? If latest, what are the security implications?

alechenninger commented 9 years ago

The issue is that there is no concept of a lockfile or shrink-wrapped dependencies with bower. There is an open issue for this with tons of subscribers but no one is really working on it, unfortunately.

Without that, you can't guarantee every build will use the same versions of dependencies, which may have unintended side effects.

Consider: even if you don't use semver version ranges, those dependencies still might declare their dependencies using semver ranges, and then each build will potentially pull in different transitive dependencies.

Not sure if it's likely enough to cause an issue, but this is why I checked things into source control to keep dependencies rock solid.

Npm has a "shrinkwrap" feature to deal with this. Dart uses a pubspec.lock file... Etc. Just doesn't seem like there is a frontend js version of this yet that I am aware of at least (last time I really looked was a month or two ago, other than following the bower issue).
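The drift described in the comment above comes from dependency specs that are allowed to resolve differently on each fresh install. As an added example (not code from the lightblue-applications project or from either commenter), the script below audits a bower.json / package.json-style manifest and reports every direct dependency spec that is not fixed to one exact version or commit. The manifest, package names and versions are constructed for illustration; `unpinnedReason`, `auditManifest` and `isReproducible` are hypothetical helper names.

```javascript
// Added example (not code from the lightblue-applications project): audit a
// bower.json / package.json-style manifest for dependency specs that are not
// pinned to one exact artifact, i.e. the specs that let each fresh
// "bower install" in a build resolve to something different.

// Constructed sample manifest modelled on a typical AngularJS app. The package
// names and versions are illustrative, not the project's real ones.
const SAMPLE_BOWER_JSON = {
  name: "metadata-mgmt",
  dependencies: {
    "angular": "1.3.15",                // exact: reproducible
    "angular-ui-router": "~0.2.13",     // patch-level range
    "bootstrap": "^3.3.4",              // minor-level range
    "jquery": ">=1.9.1 <3.0.0",         // comparator range
    "lodash": "*",                      // anything
    "ace-builds": "https://github.com/ajaxorg/ace-builds.git#a1b2c3d4e5f6a7b8c9d0a1b2c3d4e5f6a7b8c9d0",
    "some-lib": "owner/some-lib#1.0.0"  // git tag, not a commit hash
  },
  devDependencies: {
    "angular-mocks": "latest"
  }
};

const EXACT_VERSION = /^v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const COMMIT_SHA = /^[0-9a-f]{7,40}$/i;

// Classify one dependency spec. Returns null when the spec can only ever
// resolve to one artifact, otherwise a short reason why it can drift.
function unpinnedReason(spec) {
  const s = String(spec).trim();
  if (s === "" || s === "*" || s === "latest") return "resolves to the latest release";

  // git URL, git@ address or bower "owner/repo" shorthand: only the fragment
  // after '#' decides whether the target is reproducible.
  const isRemote = s.includes("://") || /^git@/.test(s) || /^[\w.-]+\/[\w.-]+(#|$)/.test(s);
  if (isRemote) {
    const frag = s.includes("#") ? s.slice(s.indexOf("#") + 1) : "";
    if (COMMIT_SHA.test(frag)) return null;
    if (EXACT_VERSION.test(frag)) return "git tag rather than commit hash (tags can be moved)";
    return "git/URL target without a commit hash (follows the branch head)";
  }

  if (EXACT_VERSION.test(s)) return null;
  if (/^[~^]/.test(s)) return `semver range (${s[0]} prefix)`;
  if (/[<>=]|\|\||\s-\s/.test(s)) return "semver comparator range";
  if (/(^|\.)[xX*](\.|$)/.test(s)) return "wildcard (x-range)";
  if (/^v?\d+(\.\d+)?$/.test(s)) return "partial version (implicit range)";
  return "unrecognised spec, cannot prove it is pinned";
}

// Walk both dependency maps and collect every spec that can drift.
function auditManifest(manifest) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const reason = unpinnedReason(spec);
      if (reason !== null) findings.push({ field, name, spec, reason });
    }
  }
  return findings;
}

// Build-gate helper: true only when no direct dependency can drift.
function isReproducible(manifest) {
  return auditManifest(manifest).length === 0;
}

const findings = auditManifest(SAMPLE_BOWER_JSON);
for (const f of findings) {
  console.log(`${f.field}/${f.name}: "${f.spec}" -> ${f.reason}`);
}
console.log(isReproducible(SAMPLE_BOWER_JSON)
  ? "manifest is fully pinned"
  : `${findings.length} spec(s) can drift between builds`);
```

Wiring a check like this into the build (for instance, from the same exec-maven-plugin step that runs the install) catches the direct-dependency ranges before they reach a release. It cannot see the transitive case described above: a pinned direct dependency may itself declare ranges, and that can only be fixed by recording the resolved tree, which is what a lockfile or npm shrinkwrap does and what bower lacked at the time of this thread.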

paterczm commented 9 years ago

I see what you mean. You can't control the version of implicit dependencies with bower. If we used npm with shrinkwrap instead, would that solve the problem?

alechenninger commented 9 years ago

Yes that would -- not sure if that is possible to do with frontend dependencies? If so, I'd be all for it! npm is much more mature anyway than bower, and we already have to use npm for running the unit tests anyway.

paterczm commented 9 years ago

Ok, I'll try it out once I get back to metadata app.

alechenninger commented 9 years ago

Looks like this is finally coming to bower: https://github.com/bower/bower/pull/1748