LockFile Feature

[kodypeterson]

Based on #1592

---

• bower.lock doesn't exist:
  • bower install creates bower.lock file only after all-successful non-production installation
  • bower install --production complains there's no bower.lock and exits
  • bower update acts as bower install
• bower.lock exists dependenies in bower.json match those on bower.lock
  • bower install installs exact packages from bower.lock
  • bower install --production installs exact packages from bower.lock ignoring devDependencies
  • bower update is no-op
  • if installation would change bower.lock, it fails with error message
• bower.lock exists and there are only extra dependencies in bower.json relative to bower.lock
  • bower install tries to install bower.lock with only new packages from bower.json added. Installation fails if old bower.lock is not a subset of new bower.lock.
  • bower install --production fails
  • bower update --all re-creates bower.lock
• bower.lock` exists and dependencies in bower.json changed relative to bower.lock
  • bower install fails, and says you need to bower update first
  • bower install --production fails
  • bower update complains there's no package specified to update
  • bower update --all re-creates bower.lock
  • bower update tries to install bower.lock with version replaced with version from bower.json. Installation fails if old bower.lock is not a subset of new bower.lock (except updated package).

[kodypeterson]

@sheerun - So, when running bower update and nothing has yet to be installed, should a lock file be required as at that point it really acts like bower install?

[kodypeterson]

@sheerun bump for the question above... 😄

[sheerun]

@kodypeterson Sorry for the delay. Yes, indeed it should do the same as bower install :)

[kodypeterson]

@sheerun any thoughts on the lock file being .bower.lock instead of bower.lock?

Just wondering if we really want to make it a non-dot file...

[kodypeterson]

Also, I noticed that most of the update tests are invalid as they call tempDir.prepare({JSON}) after the install. Which .prepare will remove all of the contents in the directory.

So, when update runs, it is running against an empty directory with no dependencies installed, so it just acts like bower install 😦

[kodypeterson]

How should bower link be handled, it in turn calls bower update? Should it follow the same rules as bower update?

[sheerun]

bower link is totally separate thing. It just creates a symlink to some other directory.

I think we don't need to worry about it.

[kodypeterson]

@sheerun Are you sure? 😄

https://github.com/bower/bower/blob/master/lib/commands/link.js#L62

[Utsav2]

@kodypeterson Great work on this.

As @sheerun mentioned before, is it possible to squash this into meaningful commits and rebase against master? It's hard to review in its current state.

[sheerun]

@Utsav2 Could you do it instead and send another PR?

[Utsav2]

#2100

[iBasit]

If you need any help with testing, please feel free to message me.

[shyiko]

For what it's worth shrinkwrap functionality is available using bower-shrinkwrap-resolver. You might find it useful until this PR gets merged in.

[kodypeterson]

Alright @sheerun what are we going to do with this one? We missed the birthday celebration of this PR... Soon, it will be 2 years old.

It now has a bunch of conflicts, which I can work to resolve. Are the requirements above still accurate? If so, I can work to get a new PR started. If not, can we get a new issue opened with the correct requirements laid out so I can get to work on it. We need to get this functionality into bower.

It is very obvious the demand for it, and I am here to make it happen! Just let me know what I can do to get this going again!

PS: Sorry for dropping the ball on this PR, it sort of fell of my radar.

[sheerun]

@kodypeterson To release it as quickly as possible we'd need to put it in current 1.x version of bower, and make it backward compatible (opt-in). What sounds reasonable is:

• Squash all commits into one (it makes rebase easier)
• Rebase this PR onto master
• Add --lock flag to bower install to enable this feature when bower.json already exists
• Add a warning if there isn't a lockfile available, prompting to use --lock flag
• After bower.lock has been created, keep implemented behavior
• Do not modify any existing tests and only create new ones (when bower.lock is present)
• Make sure all current tests pass

If we ever release 2.0, we set --lock to be a default.

As for lock itself, I see it contains few extra keys we don't want, especially they contain absolute paths:

• endpoint, canonicalDir

  "endpoint": {
    "name": "bower",
    "source": "/Users/sheerun/Source/Bower/bower",
    "target": "1.7.9"
  },
  "canonicalDir": "/Users/sheerun/Source/Bower/bower",

Also, we need to put version of bower it was packaged with to version key, plus additional behavior:

• If bower minor version in bower.lock is greather than current bower version, refuse to install package, indicating that newer bower version is necessary.

I've also encountered an error when installing local package without bower.json:

Stack trace:
TypeError: Cannot read property 'pkgMeta' of undefined
    at /Users/sheerun/Source/Bower/bower/lib/util/lockFile.js:22:84
    at /Users/sheerun/Source/Bower/bower/node_modules/mout/object/forOwn.js:12:27

I can do more testing if we you manage to fix those. Thank you for being interested in continuing your work.

[sheerun]

@kodypeterson Also, then I did "bower install angular-route", only "angular-route" got saved to bower.lock, while it should also contain "angular".

[kodypeterson]

@sheerun I am on it, I will see what I can get through this weekend along with cleanup and such!

[Utsav2]

@kodypeterson I fixed it up into one commit and tried rebasing it some time
back in #2100, it might be useful to get started there.

On Aug 23, 2016 7:00 AM, "Kody J. Peterson" [email protected]
wrote:

@sheerun
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_sheerun&d=CwMCaQ&c=8hUWFZcy2Z-Za5rBPlktOQ&r=jDVzeY6gHbUDoSom0QsiEI2ek-5FZO0iCFMJ3mE_qQs&m=VRx6CCxKMzIjyVpB-xwTuW70QIAAwG-6jGr4ccj0mXM&s=UNVDcmca6T38FOuTZU8EMei1B73YoZW0DNmpaJqj9vo&e=
I am on it, I will see what I can get through this weekend along with
cleanup and such!

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_bower_bower_pull_1748-23issuecomment-2D241740079&d=CwMCaQ&c=8hUWFZcy2Z-Za5rBPlktOQ&r=jDVzeY6gHbUDoSom0QsiEI2ek-5FZO0iCFMJ3mE_qQs&m=VRx6CCxKMzIjyVpB-xwTuW70QIAAwG-6jGr4ccj0mXM&s=6UuuRZ_ihh5W6Jq2HDlkb7cNmCiJtkYwfxGoSk3m9EI&e=,
or mute the thread
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AFM7qwe84HVnbjsjSMJx2SKjs0A83W-2Dnks5qivzsgaJpZM4DydXS&d=CwMCaQ&c=8hUWFZcy2Z-Za5rBPlktOQ&r=jDVzeY6gHbUDoSom0QsiEI2ek-5FZO0iCFMJ3mE_qQs&m=VRx6CCxKMzIjyVpB-xwTuW70QIAAwG-6jGr4ccj0mXM&s=V0KRIIhEPIjjEGdsqefhlI2jHn4iiyVIDysg8Rnfuy4&e=
.

[kodypeterson]

@Utsav2 awesome! i will see what I can get from that. I have a feeling that both being so long ago the merge process is going to be a rough one. I might just need to cherry pick manually the changes in and maybe reorganize a bit.

Thanks for the reference though!

[mcfilib]

@kodypeterson need any help?

[sheerun]

Maybe a better route is to fix bower support in https://yarnpkg.com/ that already has file locking

[mcfilib]

@sheerun I'm not entirely sure how practical that is; we're using PureScript which leverages Bower for dependency management and it looks like support for Bower in Yarn is really just in its infancy e.g. yarnpkg/yarn#896.

Does this mean that you would no longer be willing to consider this patch?

[sheerun]

Maybe we could at least adopt lockfile format of yarn?

[joelhandwell]

For those who want to use lock feature before this PR merged, bower-locker is a workaround to generate lockfile and commit only bower.json which is newly generated lock file and bower-locker.bower.json which is renamed original bower.json in your repo.

Run following commands to achieve it:

npm install bower-locker -g

or

yarn global add bower-locker

then generate lock file based on existing bower.json file by runing:

bower-locker lock

I want to express big thanks to @shawnlonas for writing this. Guys, let's give it stars if you find it useful https://github.com/infusionsoft/bower-locker

[kael-shipman]

Any news on this? Is it stalled out?

[twogee]

Why is this PR open when there is #2100?

[sheerun]

Bower is depreacted now and we recommend switching to Yarn that supports version locking and more. Here's guide how to migrate: https://bower.io/blog/2017/how-to-migrate-away-from-bower/