Move bower and bower-installer to devDependencies
I've just noticed that in my project (which uses karma-jasmine-jquery) I get a warning during npm install. This warning is about bower-installer not being installed globally, and it comes in as a dependency of karma-jasmine-jquery.
Dev dependencies like bower shouldn't go into the dependencies section of package.json, so as not to pollute other projects which are using karma-jasmine-jquery. They should go into the devDependencies section.
+1
+1
Yeah... this actually makes karma-jasmine-jquery an 80MB dependency!!!
Yes, and having the git:// protocol used in a dependency blocks installation in our corporate network. The firewall only allows ports 443 and 80 outbound to Github!
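The two complaints above (build tools listed under dependencies instead of devDependencies, and a git:// spec that a port-80/443-only firewall rejects) can both be checked mechanically. The following is an added example, not code from karma-jasmine-jquery or from anyone in this thread: it audits a package.json object for dev-only tools that ended up in "dependencies" and for git:// or git+ssh:// specs, and produces a corrected manifest. The manifest it runs on is constructed for illustration; every version number in it, the git:// spec for bower-installer, and the DEV_ONLY_TOOLS list are assumptions.

```javascript
// Added example (not from the karma-jasmine-jquery project): audit a package.json
// for build-time tools under "dependencies" and for firewall-hostile git specs,
// then produce a corrected manifest.

// Tools only needed to build or test the package itself; a project that
// installs the package never needs them, so they belong in devDependencies.
// This list is an assumption for the example, not a standard.
const DEV_ONLY_TOOLS = new Set(['bower', 'bower-installer', 'karma', 'jasmine', 'grunt', 'gulp']);

// Constructed manifest. All versions and the git:// spec are hypothetical.
const ORIGINAL_MANIFEST = {
  name: 'karma-jasmine-jquery',
  version: '0.0.0',
  dependencies: {
    'jasmine-jquery': '^2.0.0',
    'bower': '^1.3.0',
    'bower-installer': 'git://github.com/bessdsv/bower-installer.git',
  },
  devDependencies: {
    'karma': '^0.12.0',
  },
};

// Names in "dependencies" that are really dev-only tools.
function findMisplacedDevTools(manifest, devOnly = DEV_ONLY_TOOLS) {
  return Object.keys(manifest.dependencies || {}).filter((name) => devOnly.has(name));
}

// [section, name, spec] triples whose spec uses git:// or git+ssh://, which a
// firewall that only allows outbound 80/443 will block. https:// and
// git+https:// specs go over 443 and are left alone.
function findBlockedGitSpecs(manifest) {
  const blocked = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (/^(git|git\+ssh):\/\//.test(spec)) blocked.push([section, name, spec]);
    }
  }
  return blocked;
}

// New manifest with the named packages moved from dependencies to
// devDependencies, keeping their version specs. The input is not mutated.
function moveToDevDependencies(manifest, names) {
  const deps = { ...(manifest.dependencies || {}) };
  const devDeps = { ...(manifest.devDependencies || {}) };
  for (const name of names) {
    if (name in deps) {
      devDeps[name] = deps[name];
      delete deps[name];
    }
  }
  // Sort keys the way `npm install --save` writes them.
  const sortKeys = (o) =>
    Object.fromEntries(Object.entries(o).sort(([a], [b]) => a.localeCompare(b)));
  return { ...manifest, dependencies: sortKeys(deps), devDependencies: sortKeys(devDeps) };
}

// Run both checks and return the findings together with the fixed manifest.
function auditAndFix(manifest) {
  const misplaced = findMisplacedDevTools(manifest);
  return {
    misplaced,
    blockedGitSpecs: findBlockedGitSpecs(manifest),
    fixed: moveToDevDependencies(manifest, misplaced),
  };
}

const result = auditAndFix(ORIGINAL_MANIFEST);
console.log('dev-only tools found under dependencies:', result.misplaced);
console.log('specs a port-80/443 firewall would block:', result.blockedGitSpecs);
console.log(JSON.stringify(result.fixed, null, 2));
```

Moving bower-installer to devDependencies fixes the first complaint for downstream projects but not the second for anyone who builds karma-jasmine-jquery itself; the git:// spec still has to be changed to a git+https:// URL (or a published version) before it installs behind that firewall.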
A security tool that audits our package.json complains about vulnerabilities in dependencies.
It's complaining about the old dependencies in karma-jasmine-jquery that are being brought in from bower. For example, handlebars 2.0.0 has this vulnerability, CVE-2015-8861.
$ npm ls handlebars
[email protected]
└─┬ [email protected] (git+https://github.com/bessdsv/bower-installer.git#7f9cece1e6fada50f44dc0851e1d85815cd1b4a7)
  └─┬ [email protected]
    └── handlebars@2.0.0
Could you merge #16 and make a release if possible?
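The npm ls output above answers one question: which direct dependency is responsible for a vulnerable transitive package. The following is an added example, not from the thread or from the karma-jasmine-jquery project, that does the same walk over the JSON shape that `npm ls --json` emits and reports every path ending in a package whose version falls below an advisory's patched version. The tree it walks is constructed by hand: only handlebars 2.0.0 and CVE-2015-8861 come from the thread, every other package version is hypothetical, and the patched version 4.0.0 used for the advisory is an assumption for the example.

```javascript
// Added example: find every dependency path that ends in a package affected
// by an advisory, over an `npm ls --json`-shaped tree
// ({ name, version, dependencies: { <name>: { version, dependencies } } }).

// Constructed tree. Versions other than handlebars@2.0.0 are hypothetical,
// and 'view-helper' is a made-up package used to show a non-vulnerable path.
const SAMPLE_TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    'karma-jasmine-jquery': {
      version: '0.1.0',
      dependencies: {
        'bower-installer': {
          version: '1.0.0',
          resolved: 'git+https://github.com/bessdsv/bower-installer.git#7f9cece1e6fada50f44dc0851e1d85815cd1b4a7',
          dependencies: {
            bower: { version: '1.3.0', dependencies: { handlebars: { version: '2.0.0' } } },
          },
        },
      },
    },
    'view-helper': { version: '2.0.0', dependencies: { handlebars: { version: '4.1.0' } } },
  },
};

// Patched version is an assumption for the example, not a citation.
const ADVISORY = { id: 'CVE-2015-8861', name: 'handlebars', patchedIn: '4.0.0' };

// Numeric major.minor.patch comparison; prerelease tags are ignored.
function parseVersion(v) {
  return v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
}
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version, advisory) {
  return compareVersions(version, advisory.patchedIn) < 0;
}

// Depth-first walk. Each hit records the full path, the vulnerable version and
// the direct dependency (path[1]) that pulled it in, which is the thing a
// project owner can actually change.
function findVulnerablePaths(tree, advisory) {
  const hits = [];
  const seen = new Set(); // guards against shared/cyclic node objects
  const walk = (node, name, trail) => {
    if (seen.has(node)) return;
    seen.add(node);
    const path = [...trail, name];
    if (name === advisory.name && isVulnerable(node.version, advisory)) {
      hits.push({ path, version: node.version, directDependency: path[1], advisory: advisory.id });
    }
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      walk(child, childName, path);
    }
  };
  walk(tree, tree.name, []);
  return hits;
}

function formatHit(hit) {
  return `${hit.path.join(' > ')}@${hit.version} (${hit.advisory})`;
}

for (const hit of findVulnerablePaths(SAMPLE_TREE, ADVISORY)) {
  console.log(formatHit(hit));
  console.log(`  direct dependency to fix or replace: ${hit.directDependency}`);
}
```

To run it against a real project, replace SAMPLE_TREE with the parsed output of `npm ls --json` (or `npm ls --json --all` on npm 7 and later, which otherwise only prints the top level). The point the walk makes explicit is that handlebars 2.0.0 is reachable only through karma-jasmine-jquery, so dropping or swapping that one direct dependency clears the finding without touching the view-helper path that already carries a patched version.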
Yes, same issue as @ashawley. Do some update stuff, man.
Any movement on this, @bessdsv ? That version of bower has been a critical security issue for a long time now, and there's no need to have it as a dependency.
I solved the bower dependency by uninstalling the karma-jasmine-jquery package (which uninstalled bower and all its dependencies) and installing @metahub/karma-jasmine-jquery.