The formgrader extension relies on bower for the frontend dependencies that is serves.

Bower is deprecated and should not be used anymore, we can't update the dependencies.
This leads to security issues like https://github.com/jupyter/nbgrader/security/dependabot/60.

The 2 ways I can see to not use bower anymore are:

1. Using CDN for the frontend packages
   This would easily solve the problem as all the packages seems to be available over CDN.
   The drawback is that we need network access to run the application, and also to properly display the feedbacks
   

   nbgrader/nbgrader/server_extensions/formgrader/templates/feedback/index.html.j2

   Line 11 in 99e145b

   {{ resources.include_css('bootstrap.min.css')}}

   Reference to Reduce the size of feedback files #718 (comment)

2. Using NPM to download the dependencies in the static directory.
   Then the `node_modules directory would replace the current components directory, and could be included with the formgrader extension.
   That way it would be the same behavior as currently.

I would go for the 2nd way to reduce changes.

References:

• Consider migrating from bower to NPM #1348
• Migrate from bower to npm #1350