Remove the four npm dependencies of which use software licenses that violate the tenets of open source and are incompatible with parent MIT licensed modules. #2621

Closed
ghost opened this issue Sep 27, 2018 · 18 comments
Labels: contribution welcome, help wanted, intend to implement (The team has the intention to implement this feature at some point. Contribution is also welcome.)

Comments

@ghost

ghost commented Sep 27, 2018

What problem does this feature solve?

The following four deeply nested dependencies use DBAD licenses, which are incompatible with MIT Licenses, due to the fact that they state that a pint is owed to the maintainer of these modules if a significant amount of wealth is made off of software that uses these modules.

Whether or not this is what the maintainer intended, the license implies that not sharing a pint with the maintainer is a direct violation of the license.

https://github.com/RIAEvangelist/node-ipc

https://github.com/RIAEvangelist/js-queue

https://github.com/RIAEvangelist/js-message

https://github.com/RIAEvangelist/easy-stack

I would like to recommend to the entire Vue.js community, that we take a stance similar to the one that Apache takes on nonsensical licenses:

Nonsensical licenses
These licenses while amusing to their creators are legally problematic. They often include subjective Field of use restrictions e.g. “Don’t be evil” with no arbiter for that subjective restriction defined. In some cases they may not even grant sufficient rights to conform to the OSI open source definition. Since we do not wish to surprise our downstream consumers we forbid the use of such licenses.

I am aware that there are a large number of libraries used by the node.js community that have these modules as dependencies - however, I think this is due to unawareness, not by choice. I am not suggesting we convince the entire node.js community to discontinue usage of these libraries; however, I would like to encourage at least the Vue community to look into finding out what options we have.

Everything I am saying is out of pure individual interest. I am not an informed lawyer. I do not represent the views of a company.

Licenses such as DBAD will cause useful libraries to be avoided by entire companies so as to steer clear of what is implied by the DBAD license terms.

If we can come up with a solution, we can benefit the community in two main ways:

  1. Increase the amount of adoption of the Vue.js framework and all of its associated tools (For the companies that would only consider seriously adopting the framework if they also adopted usage of the vue-cli)
  2. Remove the risk of legal implications and public embarrassment of lawsuits that could possibly occur over the terms that are implied in the DBAD license text.

Again, I do not represent the views of a company nor of a lawyer.

My main goal is to increase the adoption and usage of Vue.js and the Vue-cli.

If there is a better forum to bring this issue to the attention of the community, can someone help me do so? I have never had to do something like this before.

What does the proposed API look like?

There is no API for this feature request. I was not sure if this should be opened as a Bug Report or Feature Request since those are the only two options on this form.

Regarding the approaches we could take to mitigate this problem:

  1. Ask the maintainer to change the license of these four modules himself
    I know of one individual who asked already, and the maintainer didn't seem to want to drop the DBAD license completely. I'm not sure if the maintainer will listen if the entire community chimes in.

  2. Ask the maintainer to dual license. If the maintainer wants to be able to make a statement with the DBAD license, he will still be able to do so - however adding a second license like the MIT license will remove the risk that is currently imposed on the rest of the community

  3. Get the Vue-cli community to investigate and develop different solutions to our problems. If it comes to it, the only way to get away from using the software in these modules may be to remove the current usage of those four modules with the DBAD license. Other solutions will have to be considered.

The downside of this last approach is that finding alternative solutions may in fact be difficult.

https://dbad-license.org/

@ghost ghost changed the title Four npm dependencies use software licenses that violate the tenets of open source and are incompatible with parent MIT licensed modules. Remove the four npm dependencies use software licenses that violate the tenets of open source and are incompatible with parent MIT licensed modules. Sep 27, 2018
@ghost ghost changed the title Remove the four npm dependencies use software licenses that violate the tenets of open source and are incompatible with parent MIT licensed modules. Remove the four npm dependencies of which use software licenses that violate the tenets of open source and are incompatible with parent MIT licensed modules. Sep 27, 2018
@haoqunjiang haoqunjiang added the intend to implement The team has the intention to implement this feature at some point. Contribution is also welcome. label Sep 27, 2018
@haoqunjiang haoqunjiang added this to the Next Minor milestone Sep 28, 2018
@ghost
Author

ghost commented Oct 2, 2018

@sodatea Thanks a ton for putting this on your radar

@ghost
Author

ghost commented Nov 11, 2018

@sodatea Unfortunately it appears that the original maintainer really doesn't want to change their license away from DBAD to MIT or some other approved license. ( https://github.com/RIAEvangelist/node-ipc/issues/133 )

Is it even feasible to have a future version of vue/cli drop those four modules as dependencies?

@caleuanhopkins

So I've just run into this exact same problem in the same circumstances. It looks like the 4 repos are a dependency of node-ipc, which in itself is a dependency of @vue/cli-shared-utils. I wonder if there is an ability to turn off certain utility libraries if one wasn't building the vue app to connect to say a node.js server?

@Akryum
Member

Akryum commented May 18, 2019

I guess we can refactor to websockets and drop node-ipc.

@caleuanhopkins

Would be ideal, although would it be needed for people using node.js? Not 100% sure on how to contribute to the @vue/cli-shared-utils repo but happy to contribute where I can! 😄

@Akryum
Member

Akryum commented May 20, 2019

Hum, people using vue cli already need node.js. node-ipc is mainly used for plugins to communicate with the vue cli UI server.

@caleuanhopkins

Ah apologies, that didn't click before, makes sense now

@ZRogerson

Forgive my ignorance on the subject but would there be a way to remove the UI part of vue-cli? If that's the only part of the project that's using it and we don't have to use the UI couldn't we get by without it?

@haoqunjiang haoqunjiang removed this from the Next Minor milestone Nov 7, 2019
@RIAEvangelist

Hey guys, maintainer of all of those packages here.

Apologies for the delay in everything. I'm going to be updating all of the licenses to Apache 2.0 from DBAD.

@joschi127

Hello @RIAEvangelist ... We are running into the same issue for one of our projects. With the DBAD license we are not able to pass the license check.
So we would be really happy if you could update the license of your packages from DBAD to Apache 2.0 as suggested.
(PS: Will also be happy to buy you a pint. Will send you a mail about this.)

@bkhatkov

Guys, @RIAEvangelist, any progress on this one? This becomes an issue that can impact our decision on whether to use Vue or stick to Angular, despite how painful it is going to be...

@RIAEvangelist

RIAEvangelist commented Nov 11, 2020 via email

@RIAEvangelist

Updated each to MIT, then published the updated version.

@bkhatkov

@RIAEvangelist, hey. That is highly appreciated. Thank you.

@haoqunjiang
Member

@RIAEvangelist Thank you so much!

One small problem, though, is that the js-message dependency is pinned to the old version, as said in https://github.com/RIAEvangelist/node-ipc/issues/184

@RIAEvangelist

OK, fixed in patch 9.1.3, thanks.

@RIAEvangelist

I believe this ticket can be closed.

@haoqunjiang
Member

👍 Thanks! Really appreciate all the help
