In the space of four years, an ingenious software solution named Bower enabled the swift deployment of countless web applications. What is Bower? Bower is a pioneering package manager, and anyone aiming to deploy secure and reliable web applications can benefit from knowing its story.
Bower’s Ancestry
When your goal is deploying a JavaScript web application in keeping with DevSecOps practice, it helps to use building blocks of proven code. Because these building blocks, known as packages, depend upon one another to function, managing these dependencies is a mission-critical task for developers. As they build applications, developers often need to use different versions of a package from the same vendor. As the first decade of the 21st century played out, managing these packages and their versions became an ever-increasing nightmare.
Enter the Node Packaging Manager: npm. Honoring JavaScript’s lowercase naming convention, npm is not the cleverest product name in the history of computing, but the software’s utility more than compensated for its lack of marketing pizazz. Isaac Schlueter, npm’s creator, set out to banish what he called “dependency hell,” the undesired overwriting of older package versions with newer ones. Schlueter’s solution was to park each package version in a dedicated folder incorporated into a nested tree structure. npm could track and load thousands of package dependencies, greatly aiding stability for server-side applications. For back-end web application engineers toiling in this era, npm was like transforming a muddy country road into the Autobahn.
While npm proved just as reliable on the client side, loading time was a problem. Automatically loading hefty libraries poses no difficulties on the server side, but the practice can severely impair client-side user experiences. With web browsers, snappy performance is imperative. By 2012, client-side software engineers longed for the type of breakthrough that npm provided for their server-side counterparts. A little birdie would deliver it.
Bower’s Creation
Two engineers in Twitter’s open source project, Alex MacCaw and Jacob Thornton, came up with a solution to npm’s client-side bloat. They named their open-source creation Bower, drawing inspiration from the industrious bowerbird. Bowerbirds build a structure, known as a bower, by gathering bits and pieces from the surrounding forest. In sync with Twitter’s corporate symbol, Bower adopted the bowerbird for its logo.
While npm inhaled every dependent package available, Bower merely installed developer-chosen packages and resolved dependencies. Along with packages, Bower could also handle dependencies for webpage elements such as HTML, cascading style sheets, fonts, and image files.
Bower’s Ascendence
Bower’s stripped-down nature put the burden on developers to manage all client-side dependencies. While this necessitated significant hours of painstaking work, the engineers of this era welcomed the happy tradeoff. With total control over package loading, developers could finally build a flat dependency tree, a structure with no unnecessary packages to load. The slimmed-down dependency tree in turn enabled highly responsive interfaces for end-users. Bower’s snappy front-end performance ably complemented npm’s bulletproof server-side performance.
Bower quickly won the adoption of web developers ranging from hobbyists to Microsoft. Indeed, the Redmond software giant praised Bower as “the only front-end-only package manager solution” of the era. Over the next three years, Bower’s registry grew exponentially with new packages and skyrocketing requests. Nonetheless, by 2015 the shortcomings that would eventually sideline the package manager were becoming apparent.
Bower’s Phaseout
Unlike npm, Bower could never load more than one version of a package, and coding around this shortcoming proved increasingly aggravating to front-end developers. With its third version, the npm team released a clean-sheet overhaul with a game-changing feature: the ability to automatically generate flat dependency trees with multiple versions of the same package. Granted, npm3’s dependency trees were not as flat and efficient as the trees from the sharpest Bower coders, but they were good enough for many app developers.
With its efficiency edge largely eroded, the case for developing with Bower substantially weakened. Likewise, developers who posted packages for both npm and Bower began to question the logic of supporting two incompatible registries. Three years after the package manager’s introduction, the hacker community had learned to exploit Bower’s vulnerabilities. More and more examples of malicious code were sneaking onto the Bower registry. Purging corrupted packages consumed more time and energy for Bower’s development team.
Competition surged as well. Derivatives of npm from other developers began to sport feature sets exceeding both npm and Bower. The triple whammy of hackers, npm3, and npm-based derivative package managers sparked rumors that the Bower team was eyeballing deprecation for their four-year-old creation. In the fall of 2016, the Bower team announced on their homepage that development would cease. With bug fixes continuing indefinitely, Bower moved to deprecation status.
Bower’s Successors
Years after the deprecation announcement, Bower remains a player in client-side package management. As recently as March 2020, the Bower team reported over 20,000 active users and 40 million registry requests per month. Why is Bower still around? Migrating existing and reliable web apps is not cost-effective for many developers. Nonetheless, the future belongs to a new generation of package managers.
Yarn and webpack
The Yarn and webpack combo is the alternative endorsed by Bower’s creators. A derivative of npm, Yarn emerged from Facebook’s open-source operation. In addition to the considerable muscle of its parent company, Yarn also enjoys the full support of Google. The Yarn client-side package manager brings impressive features to the table:
- Package Caching: In Yarn, a package retrieved from the internet is preserved in memory, cached, for the life of a session. This feature yields a tangible speed improvement. Equally important, by reducing interactions with the web, Yarn shrinks the attack surface available to hackers.
- Checksums: To catch corrupted files, Yarn generates hashed checksums from the contents of each package. When first deployed in 2016, this feature gave Yarn a significant security edge over competitors.
- Parallel Installation: Effectively creating a multilane highway for data, Yarn’s parallel installation speeds package loading.
- Lock File: Because packages may undergo minor revisions in a session, Yarn creates a lock file with the first installation of every package. With subsequent loads, Yarn retrieves the package version saved in the lock file.
The webpack module bundler tool also earned the Bower team’s endorsement by taking over the mission of static file management. webpack is highly user-friendly and can help build apps with install times comparable to expert Bower coding. Yarn and webpack in tandem now supersede all of Bower’s capabilities.
npm and Browserify
Pressured by Yarn, npm’s development team responded with a rapid-fire series of updates to the venerable package manager. npm6 now boasts a version of lock files and package caching. An audit command bolsters security. In the opinion of many engineers, the rejuvenated npm6 has pulled ahead of Yarn with speedier cache performance and shorter install times for node modules pinned in a lock file. With the package manager’s server-side reputation as strong as ever, npm6 can build a persuasive case as a comprehensive front-end to back-end solution.
As a module bundler, Browserify is more narrowly focused than webpack, and taking full advantage of its features requires more coding time. Some developers believe the extra coding overhead is worth it. In the opinion of these engineers, the npm6 and Browserify combo bests Yarn and webpack in load times for mobile devices.
pnpm
Bower, Yarn, and the later versions of npm achieved speed by flattening the dependency tree. Introduced in 2017, the pnpm package manager takes a different approach. Designed to maximize loading speed and minimize storage space, pnpm debuted with extraordinarily strict hierarchy rules for developers. In response to the developer community, the latest version introduced user-friendly refinements while preserving impressive execution speed. Coders willing to tackle this package manager’s complex module structure can build applications with install times two-thirds shorter than those of its better-known competitors.
Microsoft LibMan
Microsoft’s .NET environment remains friendly to Bower, but the deprecation announcement prompted the Redmond team to create an in-house library manager. LibMan is a lightweight solution for developers working entirely inside the .NET environment. Optimized for Microsoft’s ecosystem, LibMan helps build very compact applications.
Bower’s Lessons for Software Composition Analysis
Bower and its successor package managers freed developers to focus on their prime mission: creating great apps for customers. At SOOS, we bring that same attitude to our SCA tools. Forget about migration hassles: the SOOS SCA scanner seamlessly integrates with the tools you are already using:
- Supported Languages: Python, Ruby, Node.js, .NET, and Java
- Supported Frameworks: Atlassian Bamboo and Jira, Microsoft Rocket, CloudBees Codeship, Amazon Web Services CodeBuild, GitLab, Jenkins Automation Server, CircleCI, Travis CI, TeamCity CI/CD, and GitHub Actions.
Because security is not an option, we track well over 100,000 vulnerabilities. Our streamlined dashboards provide you with actionable details and severity readings for each vulnerability in your project.
Additional capabilities include:
- Wizard for governance policies
- Legal analyst for license exposure
- Unlimited projects, scans, and users
- SPDX standard bill of materials generation
The world is waiting for your next app. Take charge of your SCA with SOOS.