This repository has been archived by the owner on Nov 4, 2024. It is now read-only.
Fall Back On Licenses Field if License Field is Missing #4
Comments
4 tasks
noahnu
pushed a commit
that referenced
this issue
Apr 30, 2021
* fix: correct plugin import command in README (#4) * fix: parse all licenses in manifest.licenses (#4) If the license property is absent from the manifest, and the deprecated licenses property contains an array of licenses, then fetch all of them rather than only the first. Conservatively coerce them to a conjunctive (ANDs) SPDX license expression since it is ambiguous whether the licenses are meant to be interpreted conjunctively (ANDs) or disjunctively (ORs).
noahnu
pushed a commit
that referenced
this issue
Apr 30, 2021
* fix: fall back on manifest.licenses (#4) (#5) * fix: correct plugin import command in README (#4) * fix: parse all licenses in manifest.licenses (#4) If the license property is absent from the manifest, and the deprecated licenses property contains an array of licenses, then fetch all of them rather than only the first. Conservatively coerce them to a conjunctive (ANDs) SPDX license expression since it is ambiguous whether the licenses are meant to be interpreted conjunctively (ANDs) or disjunctively (ORs). * style: linting Co-authored-by: Kurt von Laven <[email protected]>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Is your feature request related to a problem? Please describe.
Some old packages like [email protected] and [email protected] use the deprecated
licensesproperty in their package.json without using the recommendedlicenseproperty.Describe the solution you'd like
It would be ideal if the license were extracted from these packages when the
licenseproperty is missing (perhaps only in--loosemode or behind a separate flag), and thetypeof all licenses in the array were combined into a single conjunctive (ANDs, not ORs) SPDX expression. It seems ambiguous whether these arrays are intended to represent conjunctive or disjunctive SPDX expressions, and I imagine anyone who cares enough about licenses to use your most excellent plugin would prefer to err on the side of caution.Describe alternatives you've considered
As a workaround, one can manually validate license compatibility for these packages and then configure CI to ignore specific test failures. A more convenient workaround might be to offer the package name and version number as parameters to
isValidLicenseso that the configuration can contain an allow list of manually validated licenses.A more ambitious alternative is for all users of this plugin to open pull requests against all packages that still use the
licensesproperty in their package.json and subsequently nudge all downstream packages to upgrade to the newer version of this package. That is a great civic action to take regardless, but this significantly increases the amount of friction involved in the typically thankless task of license auditing that is rarely prioritized to begin with.Additional context
[email protected] and [email protected] are indirect dependencies of [email protected]. exit is no longer maintained; a pull request moving from
licensestolicensein its package.json has been ignored for 6 years.The text was updated successfully, but these errors were encountered: