
Add support for resolving npm dependencies' licenses #48

Merged (2 commits) on Jul 25, 2021

Conversation

zooltd
Contributor

@zooltd zooltd commented Jul 23, 2021

  1. Parse the project's package.json file to gather the required packages
  2. Run the command 'npm install' to install or update the required Node packages (can be skipped)
  3. Walk through each package's root directory to resolve its license
    • STEP 1: Try to find and parse the package.json file to capture the license field
    • STEP 2: Try to find the license file to identify the license
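
The two-step resolution described in the PR summary, written out as an added example in Go; this is not the PR's own code or the project's implementation. It assumes a project checkout exposed as an `fs.FS` (a constructed `fstest.MapFS` fixture stands in for `os.DirFS(projectDir)`), invented package names (`pkg-a`, `@scope/pkg-b`, `pkg-c`, `pkg-d`), and a deliberately tiny phrase-to-SPDX table for STEP 2; a real resolver would compare full license texts.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"path"
	"strings"
	"testing/fstest"
)

// npmPackage is the subset of package.json this example reads. Only the modern
// string form of "license" is decoded; a legacy object or "licenses" array makes
// the decode fail for that package, so it falls through to STEP 2 below.
type npmPackage struct {
	Dependencies map[string]string `json:"dependencies"`
	License      string            `json:"license"`
}

func readPackageJSON(fsys fs.FS, dir string) (*npmPackage, error) {
	data, err := fs.ReadFile(fsys, path.Join(dir, "package.json"))
	if err != nil {
		return nil, err
	}
	var p npmPackage
	err = json.Unmarshal(data, &p)
	return &p, err
}

// licenseMarkers is an assumed phrase-to-SPDX table; real resolvers compare full texts.
var licenseMarkers = []struct{ phrase, spdx string }{
	{"Permission is hereby granted, free of charge", "MIT"},
	{"Apache License", "Apache-2.0"},
	{"Redistribution and use in source and binary forms", "BSD-3-Clause"},
	{"GNU AFFERO GENERAL PUBLIC LICENSE", "AGPL-3.0"},
	{"GNU GENERAL PUBLIC LICENSE", "GPL-3.0"},
}

// licenseFromFile is STEP 2: find a conventional license file in the package root
// and identify it by content. "Unknown" = file present but unrecognized; false = no file.
func licenseFromFile(fsys fs.FS, dir string) (string, bool) {
	for _, name := range []string{"LICENSE", "LICENSE.md", "LICENSE.txt", "LICENCE", "COPYING"} {
		data, err := fs.ReadFile(fsys, path.Join(dir, name))
		if err != nil {
			continue
		}
		for _, m := range licenseMarkers {
			if strings.Contains(string(data), m.phrase) {
				return m.spdx, true
			}
		}
		return "Unknown", true
	}
	return "", false
}

// resolveLicenses keeps to the PR's scope (direct dependencies only), reading each
// from its installed copy under node_modules. Scoped names ("@scope/pkg") map to
// nested directories; an uninstalled or unidentifiable package reports "Unknown".
func resolveLicenses(fsys fs.FS) (map[string]string, error) {
	project, err := readPackageJSON(fsys, ".")
	if err != nil {
		return nil, err
	}
	result := make(map[string]string, len(project.Dependencies))
	for name := range project.Dependencies {
		pkgDir := path.Join("node_modules", name)
		result[name] = "Unknown"
		// STEP 1: the self-declared field. It is publisher-reported and unverified here.
		if pkg, err := readPackageJSON(fsys, pkgDir); err == nil && pkg.License != "" {
			result[name] = pkg.License
			continue
		}
		if lic, ok := licenseFromFile(fsys, pkgDir); ok {
			result[name] = lic
		}
	}
	return result, nil
}

// sampleProject is a constructed fixture standing in for os.DirFS(projectDir);
// the package names and file contents are invented for this example.
var sampleProject = fstest.MapFS{
	"package.json":                           {Data: []byte(`{"dependencies":{"pkg-a":"^1.0.0","@scope/pkg-b":"^2.0.0","pkg-c":"^3.0.0","pkg-d":"^4.0.0"}}`)},
	"node_modules/pkg-a/package.json":        {Data: []byte(`{"name":"pkg-a","license":"MIT"}`)},
	"node_modules/@scope/pkg-b/package.json": {Data: []byte(`{"name":"@scope/pkg-b","license":{"type":"MIT"}}`)},
	"node_modules/@scope/pkg-b/LICENSE":      {Data: []byte("Permission is hereby granted, free of charge, to any person...\n")},
	"node_modules/pkg-c/package.json":        {Data: []byte(`{"name":"pkg-c"}`)},
	"node_modules/pkg-c/LICENSE":             {Data: []byte("Apache License\nVersion 2.0, January 2004\n")},
	"node_modules/pkg-d/package.json":        {Data: []byte(`{"name":"pkg-d"}`)},
	"node_modules/pkg-d/LICENSE":             {Data: []byte("All rights reserved. Contact sales for terms.\n")},
}

func main() {
	licenses, err := resolveLicenses(sampleProject) // for a real checkout: os.DirFS(projectDir)
	if err != nil {
		panic(err)
	}
	fmt.Println(licenses)
}
```

Two caveats for anyone wiring this into a pipeline. The `license` field is whatever the publisher wrote, so STEP 1 and STEP 2 can disagree (the fixture's `@scope/pkg-b` shows the legacy object form being skipped and the file text deciding instead); treating "Unknown" as a hard failure rather than a warning is the safer default. And the `npm install` step in the summary executes every fetched package's lifecycle scripts; when the only goal is to populate `node_modules` for license reading, `npm install --ignore-scripts` avoids running untrusted code on the build host.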

@wu-sheng
Member

You should update the doc to show how to use this.

@wu-sheng wu-sheng requested a review from kezhenxu94 July 24, 2021 00:36
@wu-sheng wu-sheng added this to the 0.2.0 milestone Jul 24, 2021
Member

@kezhenxu94 kezhenxu94 left a comment


This is a very good starting point to resolve dependencies’ licenses in NPM projects.

This PR only resolves the direct dependencies’ licenses, will you continue to resolve their transitive dependencies in next PR?

@zooltd
Contributor Author

zooltd commented Jul 25, 2021

This is a very good starting point to resolve dependencies’ licenses in NPM projects.

This PR only resolves the direct dependencies’ licenses, will you continue to resolve their transitive dependencies in next PR?

Glad to take it. Also, I'm planning to resolve dev-dependencies' licenses.

@wu-sheng
Member

Notice, a dev-dependency is not a binary-level or source-code-level dependency.
They are mostly considered convenient tools to enhance the dev stage.
I would recommend processing transitive dependencies, a.k.a. dependencies of dependencies. Those are true runtime dependencies too.

@wu-sheng
Member

Dev tools should not include commercial or unknown licenses. But even GPL and AGPL are fine to use; that is the difference I mean.

@zooltd
Contributor Author

zooltd commented Jul 25, 2021

Notice, a dev-dependency is not a binary-level or source-code-level dependency.
They are mostly considered convenient tools to enhance the dev stage.
I would recommend processing transitive dependencies, a.k.a. dependencies of dependencies. Those are true runtime dependencies too.

Got it. I will work on this feature in next PR.

3 participants