bower-locker is a node command line tool for providing "pseudo"-locking capability for a project leveraging
bower.
Bower doesn't inherently provide a locking mechanism (see https://github.com/bower/bower/issues/505).
Bower does allow you to specify a specific version or commit for a given dependency, and a way to specify how you would like to resolve any conflicts (i.e., within the resolutions block). This can be effective but it is tedious to do manually to both "lock" the versions, and the "unlock" the versions to get newer updates.
bower-locker simply automates that process to make it easier to "unlock" and "lock" that bower file. It also provides a way to validate that the files installed after a
bower install match the desired "locked" versions.
bower-locker reads through all of the subfolders of the
bower_components directory to examine each components
.bower.json where it extracts information pertinent to the release that is currently being used.
It then generates a new
bower.json (saving a copy of the original as
bower-locker.bower.json) where it defines each direct and indirect dependency (i.e., all components currently in the
bower_components directory) with an exact commit id, under the dependencies block and adds an entry for each in the resolutions block in the event that any of them tries to load a conflicting dependency version.
Both the new
bower.json and the original (saved as
bower-locker.bower.json) can then be uploaded to your source code repo.
Anybody pulling down the project, will be able to run
bower install normally and they should get the exact versions of the components previously used. The locked
bower.json also has the nice property of making it easy to see when dependent script versions have changed over the course of commits as the version number and commit id will show being updated. An unlocked
bower.json only shows changes when the version ranges are updated.
To validate that intended versions were installed, run
bower-locker validate. It will again compare the downloaded components with the
bower.json file.
To update the versions used, simply run
bower-locker unlock to return to the original
bower.json. Update the bower config as desired including running
bower install. When done, just run
bower-locker lock again to lock in that new version.
Install the
bower-locker module globally:
npm install bower-locker -g
This will install a global command of
bower-locker.
bower-locker lock
Expects to run from within a folder that contains a
bower.json and a
./bower_components/ folder.
If there is no
bower_components folder yet, just run
bower install first to generate it.
It should save a copy of
bower.json as
bower-locker.bower.json and then change
bower.json to be a "locked" version with an additional "bowerLocker" section.
The "bowerLocker" property object that contains the "lastUpdated" timestamp for when the locked version was generated. It also contains a "versions" property object within "bowerLocker" which records the versions that were locked in as a version number to more easily know what version we are using for each dependency.
Using the
-v flag will output the bower dependency versions that are being locked.
bower-locker unlock
Expects to run from within a folder that contains a
bower.json and a
bower-locker.bower.json.file.
It will check that
bower.json is a locked bower file. If so, it will simply replace
bower.json with
bower-locker.bower.json.
Use this command to unlock the bower file for manual updates and edits. When done updating and editing the
bower.json or the
bower_components folder, run
bower-locker lock to relock it.
bower-locker validate
Expects to run from within a folder that contains a
bower.json and a
./bower_components/ folder.
It will check that
bower.json is a locked bower file. If so, it will check through all
bower_components metadata and compare the components found there with the locked versions within
bower.json.
It will report and new or missing components, and any version differences.
Run validate to make sure that all
bower_components were installed as expected.
bower-locker status
Expects to run from within a folder that contains a
bower.json.
It will report whether or not the
bower.json is a locked bower file, and the time it was locked.
Using the
-v flag will also output the locked bower dependency versions.