Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Missing licenses for npm packages #993

Open
stdedos opened this issue Jul 17, 2023 · 6 comments
Open

Missing licenses for npm packages #993

stdedos opened this issue Jul 17, 2023 · 6 comments

Comments

@stdedos
Copy link

stdedos commented Jul 17, 2023

Dependencies that need approval:
acorn-import-assertions, 1.9.0, unknown
cookie-signature, 1.0.6, unknown
import-in-the-middle, 1.4.1, unknown
tr46, 0.0.3, unknown
There are unapproved licenses. Run the license finder locally in your repository:

e.g https://github.com/xtuc/acorn-import-attributes/blob/main/package.json#L23 has proper linkage for licenses, I don't understand what would be the issue.

@cf-gitbot
Copy link
Collaborator

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

@stdedos
Copy link
Author

stdedos commented Jul 17, 2023

This is also a regression from 6.15.0, where only

Dependencies that need approval:
acorn-import-assertions, 1.9.0, unknown
There are unapproved licenses. Run the license finder locally in your repository:

is an issue (and also the Dependencies that need approval: is not colored in v7, which is nice to tell the interesting text apart from the wall of CI text)

@xtreme-shane-lattanzio
Copy link
Contributor

Hey @stdedos Thanks for raising this. At the beginning of the year, we did have an update to support later versions of NPM. I wonder if something was missed. FYI the PR is here: #963. Which npm version was this in? The parsing may just need a tweak.

@stdedos
Copy link
Author

stdedos commented Jul 22, 2023

$ npm -v
9.6.7

In npm list --json --long --all I've found no "relevant output" for acorn-import-assertions (even though it exists in https://github.com/xtuc/acorn-import-attributes/blob/main/package.json) - but the others (I tried only cookie-signature) appear normally.

Instead of "playing around", would you consider testing it? Just add

@opentelemetry/instrumentation@0.41.0 (or @opentelemetry/instrumentation-http@0.41.0?)
express@4.18.2
@azure/opentelemetry-instrumentation-azure-sdk@1.0.0-beta.4
@azure/storage-blob@12.14.0

as dependencies, and see what the test leads you with.

I'd do it myself, but I have no ruby/testbed to DIY

@stdedos
Copy link
Author

stdedos commented Aug 15, 2023

@xtreme-shane-lattanzio (as you don't have Discussions active):

When is https://github.com/pivotal/LicenseFinder planning to make a release?
v7.1.0...master is already growing a lot.

"Maybe" there is something on master that would help (or make things worse).

Your latest release https://github.com/pivotal/LicenseFinder/releases/tag/v7.1.0 is coming up on 9mo old 😕

@henriksjostrom
Copy link

I have the same issue for these libraries. Is license finder not checking the package json license and only going for the LICENSE file?

As acorn-import-assertions doesnt have a LICENSE file, just a MIT license in package.json

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants