allowedPackages bypasses detection of licences not in allowedLicenses #15

akloeber opened this issue Jan 21, 2019 · 0 comments
Any entry in allowedPackages makes the warning for the custom license in package @progress/kendo-schematics@0.2.5 disappear.

Reproduction:
Create the following package.json:

{
  "name": "lic",
  "version": "1.0.0",
  "dependencies": {
    "@progress/kendo-schematics": "0.2.5",
    "colors": "0.5.1",
    "license-to-fail": "3.0.0"
  },
  "license-to-fail": {
    "allowedPackages": [],
    "allowedLicenses": [
      "MIT",
      "Apache-2.0",
      "BSD",
      "ISC",
      "WTFPL",
      "Unlicense",
      "CC0-1.0",
      "CC-BY-3.0",
      "CC-BY-4.0"
    ]
  }
}

Running npm install && ./node_modules/.bin/license-to-fail gives the following output:

INDIRECT DEP - @progress/kendo-schematics@0.2.5 SEE LICENSE in LICENSE.md: https://github.com/telerik/kendo-schematics
INDIRECT DEP - colors@0.5.1 UNKNOWN: https://github.com/Marak/colors.js

This is fine, as colors@0.5.1 does not have any license information attached and kendo-schematics refers to a custom license file in its package.json.

But after adding an exclusion for the package colors, the warning for kendo-schematics also vanishes:

...
    "allowedPackages": [
      {
        "name": "colors",
        "reason": "checked manually: license is MIT, see https://github.com/Marak/colors.js/blob/master/LICENSE"
      }
    ],
...

Furthermore, if name is set to foo, only colors is reported. So any entry in allowedPackages makes the warnings for the kendo-schematics license disappear.
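The behaviour the report expects, written out as an added example (this is not license-to-fail's own code and makes no claim about how the tool is implemented): a dependency is reported when its license is not in allowedLicenses, and an allowedPackages entry exempts only the package it names. The installed dependency list is constructed from the versions and license strings quoted above; the record field names (name, version, license, repository, direct) and the "DIRECT DEP" label are assumptions for the example.

```javascript
// Added example, not license-to-fail's code: the check semantics the issue
// expects. Dependency records are constructed from the issue text; the field
// names and the "DIRECT DEP" label are assumptions.

const ALLOWED_LICENSES = [
  "MIT", "Apache-2.0", "BSD", "ISC", "WTFPL",
  "Unlicense", "CC0-1.0", "CC-BY-3.0", "CC-BY-4.0",
];

// Constructed installed tree: the two indirect dependencies with problematic
// license metadata from the issue, plus a direct dependency that is fine.
const INSTALLED = [
  { name: "@progress/kendo-schematics", version: "0.2.5",
    license: "SEE LICENSE in LICENSE.md",
    repository: "https://github.com/telerik/kendo-schematics", direct: false },
  { name: "colors", version: "0.5.1",
    license: undefined, // no license field at all, reported as UNKNOWN
    repository: "https://github.com/Marak/colors.js", direct: false },
  { name: "license-to-fail", version: "3.0.0", license: "MIT", direct: true },
];

// Normalise the license field: a missing or empty value becomes "UNKNOWN",
// which is how the tool's output above shows colors@0.5.1.
function licenseOf(dep) {
  return typeof dep.license === "string" && dep.license.trim() !== ""
    ? dep.license.trim()
    : "UNKNOWN";
}

// Return the dependencies that violate the policy. An exemption is matched by
// exact package name and covers that one package only; it never changes how
// the remaining packages' licenses are evaluated.
function findViolations(installed, config) {
  const allowedLicenses = new Set(config.allowedLicenses || []);
  const exempt = new Set((config.allowedPackages || []).map((p) => p.name));
  return installed.filter((dep) => {
    if (exempt.has(dep.name)) return false;
    return !allowedLicenses.has(licenseOf(dep));
  });
}

// Render violations in the line format the issue's output uses.
function formatReport(violations) {
  return violations.map((dep) => {
    const kind = dep.direct ? "DIRECT DEP" : "INDIRECT DEP"; // label assumed
    const repo = dep.repository ? `: ${dep.repository}` : "";
    return `${kind} - ${dep.name}@${dep.version} ${licenseOf(dep)}${repo}`;
  });
}

// Run one configuration and return the names of the packages reported.
function reportedNames(allowedPackages) {
  const config = { allowedLicenses: ALLOWED_LICENSES, allowedPackages };
  return findViolations(INSTALLED, config).map((d) => d.name);
}

// The three configurations from the issue, side by side.
for (const allowed of [
  [],
  [{ name: "colors", reason: "checked manually: license is MIT" }],
  [{ name: "foo", reason: "not installed at all" }],
]) {
  console.log(JSON.stringify(allowed.map((p) => p.name)));
  const config = { allowedLicenses: ALLOWED_LICENSES, allowedPackages: allowed };
  for (const line of formatReport(findViolations(INSTALLED, config))) {
    console.log("  " + line);
  }
}
```

With an empty allowedPackages both indirect dependencies are reported; exempting colors leaves kendo-schematics reported; exempting a package that is not installed (foo) changes nothing. That last case is the useful regression check for the bug described here: a stray or misspelled allowedPackages entry must not silently widen the exemption to every package.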
