Git Best Practice with Coldbox

Does anybody have any views about using Git with coldbox…

Running git using the standard .gitignore seems to mean that if you upgrade/change modules or versions you can’t get back to a working system.

However, zipping the whole directory means you can revert if necessary - this implies that the whole directory should be under git ie not using gitignore at all…

Any thoughts?



Why not? There’s no reasonable cause for your ColdBox installation to be unrecoverable simply because you don’t have packages tracked in source control. Do you track npm packages (the node_modules directory) in source control? It’s HUGE. There are enormous downsides to tracking 100 MB (or, shoot, 1 GB) of dependencies in version control, and there’s simply no reason to in the first place.

You talk about tracking the modules/ directory in version control, but never mention your box.json which is the source of truth for your dependencies.

Here’s how your development process should be:

  1. Write code.
  2. Add dependencies as needed - for example, box install cbsecurity. These requirements are noted in box.json which must be tracked in source control.
  3. “Pin” your dependencies to a specific version. i.e. install cbsecurity@3.0.0 instead of install cbsecurity.
  4. On development machine set up or CI build, etc. run git clone && box install and you are all set.

Your box.json 's dependencies should look something like this:


When running box install, you will get the exact versions of the exact dependencies you asked for.

This is far preferable to git tracking a huge amount of source code over which you have zero control. Your editor will be slower (file search auto-excludes directories ignored via .gitignore), your builds will be slower, and your git push commands will certainly be much slower.


With that said… If you have specific reasons why you can’t auto-install dependencies from Forgebox, then we can have that discussion. (For example, if you are a government entity who needs the ability to deploy offline with no Forgebox connection.)

So far, I haven’t seen any good reason to bundle the modules/ directory, but it may depend on your specific use case.

1 Like

Hi Michael

Yes - I overlooked that. Just running box install with the old box.json should bring back everything.

That was the step I missed - damm newbies!




No worries! Being a “newbie” is the first step on the road to being a pro. :slight_smile: