158

Would it be good practice to keep only the bower.json file and gitignore the whole bower_components directory?

Tim
  • 41,901
  • 18
  • 127
  • 145
Pierre de LESPINAY
  • 44,700
  • 57
  • 210
  • 307
  • I just noticed a [Symfony's official cookbook](http://symfony.com/doc/current/cookbook/frontend/bower.html#should-i-git-ignore-or-commit-bower-assets) that actually answers to this exact question, quoting "Currently, you should probably commit the assets downloaded by Bower instead of adding the directory to your `.gitignore` file" – Pierre de LESPINAY Jun 12 '16 at 15:23

6 Answers6

150

The official Bower page stated:

N.B. If you aren't authoring a package that is intended to be consumed by others (e.g., you're building a web app), you should always check installed packages into source control.

Make sure to check out the link in the quote, it discusses some pro and cons. The main pro it mentions is that checking them in ensures that your dependencies are always available, as long as your repository is available. No matter what happens to Bower, GitHub or whatever else would be needed otherwise.

TimWolla
  • 31,849
  • 8
  • 63
  • 96
  • 1
    Thank you for this interesting article. So for now we still have no "lock file" equivalent to freeze the versions. – Pierre de LESPINAY Mar 11 '14 at 14:37
  • 1
    @PierredeLESPINAY Only for the top level. What's missing is an equivalent of the npm shrinkwrap feature. – passy Mar 12 '14 at 15:19
  • 3
    They also say this in their blog post "Ultimately, the choice of whether or not to check-in all of your /bower_components directory is up to you...". – Krishnaraj Mar 08 '16 at 17:26
  • 3
    The reasoning behind checking them in is that some day the library might disappear from internet or their could be some down time which in turn could cause build failures. As a Maven/Gradle user I never think about checking in dependencies. – Krishnaraj Mar 08 '16 at 17:35
  • 7
    The advice on the official Bower page to check installed packages in to source control was removed in 2014: https://github.com/bower/bower.github.io/commit/07d98161cd459be38a5fa7ff73fdc6ff1028d5ad – user Aug 29 '16 at 23:32
  • I'm a bit torn with this, as I like the cleaner repo of not committing the whole directory, but also don't want to get caught out. In the python world, it's much more of a clear option that you would not commit dependencies, due to different build processes for different operating systems. If the python world is happy to work like that, why would the bower/npm world be different? – Chris Barry Jan 09 '17 at 22:15
  • When Addy Osmani wrote the blog post on July 29, 2013, shrinkwrap capability was the disadvantage for ignore /bower_components and only check in bower.json. However, Jun 10, 2016 Shawn Lonas developed https://www.npmjs.com/package/bower-locker and it's not disadvantage anymore although the issue (https://github.com/bower/bower/issues/505) in bower repo still not solved as of March 21, 2017 – Joel Handwell Mar 21 '17 at 21:22
  • The quoted link points to non-credible source. My personal advice - don't check in publicly available 3rd party libraries. – Miro J. Aug 16 '17 at 23:06
52

The .gitignore file in a newly generated Yeoman AngularJS project has bower_components (and node_modules) listed to be ignored (if you don't know Yeoman it is a very reputable web scaffolding tool for modern webapps, so that's good enough for me!):

.gitignore

node_modules
dist
.tmp
.sass-cache
bower_components
user12121234
  • 2,519
  • 2
  • 25
  • 27
10

There's a time & a place for both approaches. For Yeoman it's appropriate to rely on bower.json because it's a tool in a toolchain and needs to stay living and breathing with the bower ecosystem. For a deployable web app, it's generally good practice to commit dependencies and maintain more control.

Here's an good article I like that discusses this.

JoshuaDavid
  • 8,861
  • 8
  • 47
  • 55
6

If you're using Grunt and Node with Bower it makes sense to put bower_components in your .gitignore because when you run grunt serve or grunt build it takes care of the dependencies for you, I'm sure that's why in Yeoman they add it to the .gitignore

Yves
  • 129
  • 1
  • 7
5

The Yeoman generator pre-filled the .gitignore file with bower_components, but it also pre-filled with other directories I would think would be needed for a final app (like www) so I did some research.

I discovered that www/index.html is a minified version of the app/index.html. The app directory and its contents (including bower_components) contains the source files needed for the output directory (www). You commit source directories into source-control (i.e. git) but not generated files (i.e. www). Package managers like bower and npm are meant to be used during the build/generation phase and their artifacts are not meant to be checked into source-control.

Ultimately, the source that you check into git is the bare minimum configuration needed to build the rest of project for development or deployment purposes.

Erich Cervantez
  • 51
  • 1
  • 2
0

It is good to ignore /bower_components dir and check in only bower.json and bower-locker.bower.json file if you create lock file using bower-locker written by Shawn Lonas.

Before bower-locker created, there was disadvantage caused by an issue of bower not having shrinkwrap capability but it can be mitigated by the above library.

Run following commands to achieve it:

npm install bower-locker -g

or 

yarn global add bower-locker

then generate lock file based on existing bower.json file by runing: 

bower-locker lock

The original bower.json file will be re-named to bower-locker.bower.json

Joel Handwell
  • 742
  • 1
  • 10
  • 18