Migrating Away From Bower
Why? In the long-lived project I was working on, the portion of
All Bower versions < 1.8.8 are vulnerable and someone could hack your computer if you won’t update. Please npm install -g bower and also update your docker images if you use them
— Bower (@bower) 15 February 2019
Since the usage was quite custom, referencing files directly from Bower packages, I decided not to use any automated tool, as I had little confidence that it wouldn't break the app. Low test coverage of the affected features didn't help.
Here are a few gotchas that made the transition difficult but, once understood, allowed me to proceed with higher confidence.
I was moving packages from bower.json to package.json one by one. For each package, I checked whether it was used at all and verified whether the versions available on
As we were targeting relative file paths, it seemed like the same version of the same package would have the same folder structure. It turned out that sometimes the library was available in the /build directory in
To sum up: Make sure to check where the dist file is located.
A package might not have the same version
Since bower and
I copied the required files and saved them into the repository, then referenced them in Grunt tasks. This allowed me to keep using the same version of the package. However, this introduces a
- repository is getting bigger,
- package is not reflected in package.json, risking that it is forgotten during a refactor.
I still believe that the tradeoff is worth it.
As a side note, be sure to copy only the files you need and leave out the source, tests, and unnecessary dependencies. I would still recommend keeping package.json so that a future developer who looks at the files knows what it is.
To sum up: Copy only what you need and reference it properly.
You might not need it
It turned out that about 3/4 dependencies
To sum up: If possible, delete unneeded dependencies.
Migrating away from Bower can be easy and fast if you're careful. Keep the gotchas in mind and you should be fine. Verify the bundle after moving or removing each dependency to be sure you're not silently breaking anything.
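A small planner for the procedure above, added here as an example and not code from the original post. It takes in-memory stand-ins (all constructed for the example) for bower.json, the file lists under bower_components/ and node_modules/, and the Gruntfile text that references Bower files, and returns one action per package: drop it when nothing references it, move it when the npm package ships the same relative path, remap it when the dist file lives elsewhere (for example at the package root instead of dist/), or vendor the referenced files when they are missing from npm. The package names, versions and file lists are hypothetical; on a real project the file lists would come from walking the two directories.

```javascript
// Added example (not from the original post): plan a one-package-at-a-time
// move from Bower to npm. Every input below is a constructed stand-in.

// Stand-in for the dependencies section of bower.json (name -> version).
const bowerDeps = {
  jquery: "3.3.1",
  lodash: "4.17.11",
  oldgrid: "0.1.0",
  legacychart: "1.2.0",
};

// Stand-in for the files found under node_modules/<name>/ at the same
// version (relative paths, as `find` would list them). A package that is
// absent here is not available on npm at that version.
const npmFiles = {
  jquery: ["dist/jquery.min.js", "src/core.js"],
  lodash: ["lodash.min.js"], // npm build ships the file at the root, not under dist/
};

// Stand-in for the Gruntfile / source text that concatenates Bower files.
const sourceFiles = {
  "Gruntfile.js":
    "concat: { src: ['bower_components/jquery/dist/jquery.min.js', " +
    "'bower_components/lodash/dist/lodash.min.js', " +
    "'bower_components/legacychart/dist/legacychart.js'] }",
  "index.html": '<script src="app.js"></script>',
};

// Gotcha "you might not need it": collect every bower_components/<pkg>/<path>
// reference so unreferenced packages can be dropped instead of migrated.
function findReferencedPaths(sources) {
  const refs = new Map(); // package name -> Set of referenced relative paths
  const re = /bower_components\/([^\/'"\s]+)\/([^'"\s)]+)/g;
  for (const text of Object.values(sources)) {
    for (const m of text.matchAll(re)) {
      if (!refs.has(m[1])) refs.set(m[1], new Set());
      refs.get(m[1]).add(m[2]);
    }
  }
  return refs;
}

// Gotcha "check where the dist file is located": does the npm package ship
// the same relative path? If not, look for the same file name elsewhere.
function resolveDistPath(relPath, filesInNpmPkg) {
  if (filesInNpmPkg.includes(relPath)) return { status: "same", path: relPath };
  const base = relPath.split("/").pop();
  const alt = filesInNpmPkg.find((f) => f.split("/").pop() === base);
  return alt ? { status: "moved", path: alt } : { status: "missing", path: null };
}

// One action per Bower dependency: drop, move, remap or vendor.
function planMigration(deps, npm, sources) {
  const refs = findReferencedPaths(sources);
  const plan = {};
  for (const name of Object.keys(deps)) {
    const used = refs.get(name);
    if (!used) {
      plan[name] = { action: "drop", reason: "not referenced" };
      continue;
    }
    if (!npm[name]) {
      // Gotcha "a package might not have the same version": copy only the
      // referenced files into the repository and point Grunt at them.
      plan[name] = { action: "vendor", files: [...used] };
      continue;
    }
    const paths = {};
    let worst = "same";
    for (const rel of used) {
      const r = resolveDistPath(rel, npm[name]);
      paths[rel] = r.path;
      if (r.status === "missing") worst = "missing";
      else if (r.status === "moved" && worst !== "missing") worst = "moved";
    }
    if (worst === "missing") plan[name] = { action: "vendor", files: [...used] };
    else if (worst === "moved") plan[name] = { action: "remap", paths };
    else plan[name] = { action: "move", paths };
  }
  return plan;
}

console.log(JSON.stringify(planMigration(bowerDeps, npmFiles, sourceFiles), null, 2));
```

The plan is only the first half of each step: after applying one action, rebuild and diff the produced bundle against the previous one before touching the next package, which is the verification the post recommends. Packages that end up as "drop" are the cheapest win, since every dependency removed is one fewer thing to keep patched.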
Author: Józef Piecyk