Should bower_components be gitignored?
Would it be good practice to keep only the bower.json file and gitignore the whole bower_components directory?
The official Bower page stated:
N.B. If you aren't authoring a package that is intended to be consumed by others (e.g., you're building a web app), you should always check installed packages into source control.
Make sure to check out the link in the quote, it discusses some pro and cons. The main pro it mentions is that checking them in ensures that your dependencies are always available, as long as your repository is available. No matter what happens to Bower, GitHub or whatever else would be needed otherwise.
The .gitignore file in a newly generated Yeoman AngularJS project has bower_components (and node_modules) listed to be ignored (if you don't know Yeoman it is a very reputable web scaffolding tool for modern webapps, so that's good enough for me!):
node_modules dist .tmp .sass-cache bower_components
There's a time & a place for both approaches. For Yeoman it's appropriate to rely on bower.json because it's a tool in a toolchain and needs to stay living and breathing with the bower ecosystem. For a deployable web app, it's generally good practice to commit dependencies and maintain more control.
Here's an good article I like that discusses this.
If you're using Grunt and Node with Bower it makes sense to put bower_components in your .gitignore because when you run grunt serve or grunt build it takes care of the dependencies for you, I'm sure that's why in Yeoman they add it to the .gitignore
The Yeoman generator pre-filled the .gitignore file with bower_components, but it also pre-filled with other directories I would think would be needed for a final app (like www) so I did some research.
I discovered that www/index.html is a minified version of the app/index.html. The app directory and its contents (including bower_components) contains the source files needed for the output directory (www). You commit source directories into source-control (i.e. git) but not generated files (i.e. www). Package managers like bower and npm are meant to be used during the build/generation phase and their artifacts are not meant to be checked into source-control.
Ultimately, the source that you check into git is the bare minimum configuration needed to build the rest of project for development or deployment purposes.
Before bower-locker created, there was disadvantage caused by an issue of bower not having shrinkwrap capability but it can be mitigated by the above library.
Run following commands to achieve it:
npm install bower-locker -g
yarn global add bower-locker
then generate lock file based on existing bower.json file by runing:
The original bower.json file will be re-named to bower-locker.bower.json