
Adds dependency review action to verify allowed licensed dependencies #3306

Merged
merged 1 commit into from
May 15, 2024

Conversation

ericwb
Contributor

@ericwb ericwb commented May 14, 2024

This change will add a new action to scan the dependencies' licenses for any that may not be allowed for this project.

The pip-licenses command was run to get a dump of all the licenses associated with this repo and put into the allow-licenses list. Normally, you might only want to use the deny-licenses list, but for packages like Redis there is no defined SPDX identifier.

Note: this list will require future maintenance as dependencies get added that are not already in the allow list.

https://spdx.org/licenses/
https://github.com/raimon49/pip-licenses

Related to issue #2901

All Submissions:

  • Have you followed the guidelines stated in CONTRIBUTING.md file?
  • Have you checked to ensure there aren't any other open Pull Requests for the desired change?

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)

New Feature Submission:

  • Does your submission pass the tests?
  • Have you linted your code locally prior to submission?

Changes To Core Features:

  • Have you added an explanation of what your changes do and why you'd like us to include them?

After these steps, you're ready to open a pull request.

a. Give a descriptive title to your PR.

b. Describe your changes.

c. Put `closes #XXXX` in your comment to auto-close the issue that your PR fixes (if such).

This change will add a new action to scan the dependencies' licenses
for any that may not be allowed for this project.

The pip-licenses command was run to get a dump of all the licenses
associated with this repo and put into the allow-licenses list.
Normally, you might only want to use the deny-licenses list, but for
packages like Redis there is no defined SPDX identifier.

Note: this list will require future maintenance as dependencies get
added that are not already in the allow list.

https://spdx.org/licenses/
https://github.com/raimon49/pip-licenses

Related to issue reflex-dev#2901

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
@ericwb
Contributor Author

ericwb commented May 15, 2024

I should also add that there is a transitive dependency on package docutils which does have a GPL license associated with it. This can potentially affect the Reflex Hosting Service if that code is not also open sourced and the code is linked.

From pip-licenses:
docutils 0.21.2 BSD License; GNU General Public License (GPL); Public Domain; Python Software Foundation License

https://pypi.org/project/docutils/

@ericwb
Contributor Author

ericwb commented May 15, 2024

So docutils is a transitive dependency of twine.

├── twine [required: >=4.0.0,<6.0, installed: 5.0.0]
│   ├── readme_renderer [required: >=35.0, installed: 43.0]
│   │   ├── docutils [required: >=0.13.1, installed: 0.21.2]

Although you probably wouldn't consider this a derivative work, so that might just be fine.

Before merging this PR, I think disallowing GPL should be considered. It could affect any private code of Reflex that "statically links" to code in this repo (copyleft). But it could also affect stakeholders using Reflex that don't wish to open source their UI.
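The allow-list check described in the PR description, and the multi-license docutils case raised in the comments above, as an added example (not code from this PR or from the dependency-review-action). It evaluates a pip-licenses JSON dump against an allow list and flags copyleft entries; the allow list and all report rows except the docutils line are constructed for this example.

```python
import json

# Constructed sample in the shape of `pip-licenses --format=json` output.
# pip-licenses joins multiple classifier licenses with "; ", which is how the
# docutils line quoted in the PR thread was produced; the other rows are made up.
SAMPLE_REPORT = json.dumps([
    {"Name": "docutils", "Version": "0.21.2",
     "License": "BSD License; GNU General Public License (GPL); "
                "Public Domain; Python Software Foundation License"},
    {"Name": "twine", "Version": "5.0.0", "License": "Apache Software License"},
    {"Name": "example-no-metadata", "Version": "1.0", "License": "UNKNOWN"},
])

# Assumed allow list (constructed for this example, not the list in the PR).
ALLOWED = {
    "MIT License", "BSD License", "Apache Software License",
    "Python Software Foundation License", "Public Domain",
}
# Substrings that mark a copyleft license in pip-licenses' classifier names
# ("GPL" also matches LGPL, which is the conservative choice for a review).
COPYLEFT_MARKERS = ("GNU General Public License", "GPL")


def split_licenses(field):
    """Split a pip-licenses 'License' value into its individual license names."""
    return [part.strip() for part in field.split(";") if part.strip()]


def review(report_json, allowed=ALLOWED, copyleft_markers=COPYLEFT_MARKERS):
    """One finding per package with any license outside the allow list or any
    copyleft license. Every license of a multi-licensed package must be allowed:
    metadata alone does not say whether the package is dual-licensed (pick one)
    or mixes licenses per file, so the safe reading is to flag it for review."""
    findings = []
    for pkg in json.loads(report_json):
        licenses = split_licenses(pkg["License"])
        not_allowed = [lic for lic in licenses if lic not in allowed]
        copyleft = [lic for lic in licenses
                    if any(marker in lic for marker in copyleft_markers)]
        if not_allowed or copyleft:
            findings.append({
                "name": pkg["Name"], "version": pkg["Version"],
                "not_allowed": not_allowed, "copyleft": copyleft,
                "multi_licensed": len(licenses) > 1,
            })
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_REPORT):
        print(f"{f['name']} {f['version']}: not allowed={f['not_allowed']} "
              f"copyleft={f['copyleft']} multi-licensed={f['multi_licensed']}")
```

Running it flags docutils (one of its four licenses is GPL) and the package with no license metadata, while twine passes.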

@masenf masenf merged commit 30c8a07 into reflex-dev:main May 15, 2024
47 checks passed
@ericwb ericwb deleted the dependency-review-action branch May 15, 2024 19:59
benedikt-bartscher pushed a commit to benedikt-bartscher/reflex that referenced this pull request May 16, 2024
…reflex-dev#3306)