Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Automatically audit dependency licenses #70

Merged
merged 2 commits into from
Nov 26, 2018
Merged

Conversation

kemitchell
Copy link
Contributor

This PR adds an npm script and Travis CI script line to check dependencies' licenses against a configured acceptable-license rule. I've also added dependencies that lack proper license metadata to a whitelist, after checking their terms by hand.

Please note that I've only whitelisted the current versions of dependencies without valid license metadata. If we bump those deps, and the new versions don't have valid metadata, either, the license check will fail until the new versions are added to the whitelist. There are only four of those deps at present.

cc @iarna

@kemitchell kemitchell requested a review from a team as a code owner September 14, 2018 17:17
@kemitchell
Copy link
Contributor Author

Here's the Travis CI log where the output starts:

https://travis-ci.com/npm/cli/jobs/145843764#L1245

@kemitchell
Copy link
Contributor Author

I believe this is ready to go.

@annunah
Copy link

annunah commented Oct 26, 2018

Lets try:)

Copy link
Contributor

@zkat zkat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean if our lawyer thinks this is a good idea, then I think this is a good idea. Let's roll with it and see.

@zkat zkat changed the base branch from latest to release-next November 13, 2018 14:58
@zkat zkat added the semver:patch semver patch level for changes label Nov 13, 2018
@kemitchell
Copy link
Contributor Author

This is basically like having bumpers at a bowling alley. I trust y'all are checking licenses of deps as you bring them in, but this will help catch anything that slips past.

@zkat zkat merged commit 27217da into npm:release-next Nov 26, 2018
@kemitchell kemitchell deleted the licensee branch November 26, 2018 16:17
zkat pushed a commit that referenced this pull request Dec 10, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
semver:patch semver patch level for changes
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants