Add a license check for npm modules #6552
Conversation
package.json
Outdated
@@ -129,6 +129,7 @@ | |||
"test": "npm run lint && npm run test-unit", | |||
"test-php": "npm run lint-php && npm run test-unit-php", | |||
"ci": "concurrently \"npm run lint && npm run build\" \"npm run test-unit:coverage-ci\"", | |||
"license-check": "! npm ls --production --parseable | xargs -I {} jq --raw-output '.name + \" \" + ( .license // .licenses[0].type )' '{}/package.json' | grep -v -E '^.* .*(MIT|GPL-2|ISC|BSD|CC0).*$'", |
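Review bot: the leading `!` on the `license-check` pipeline masks upstream failures. If `npm ls` or `jq` errors out (for example on a package whose `license` field is a legacy `{type, url}` object, which `.name + " " + ( .license // .licenses[0].type )` cannot concatenate because `.license` is non-null but not a string), nothing reaches `grep -v`, grep exits 1 for "no lines selected", and the `!` turns that into a passing check. Run the command with `set -o pipefail` in a script, or restructure it so an empty or failed listing is itself an error. Separately, `grep -v -E '^.* .*(MIT|GPL-2|ISC|BSD|CC0).*$'` is an unanchored substring match, so any license string that merely contains one of those fragments passes, including compound expressions such as `Apache-2.0 AND MIT`; compare full SPDX identifiers against an explicit allow-list instead.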
npm scripts are usually meant to be portable. My gut feeling is that this command is way too 🔥 for Windows.
Since we only care about Travis CI catching these errors, maybe move it over into e.g. ./bin/check-license.sh?
Having said that, it looks like most of our npm scripts aren't portable... 😅
Pretty much every part of this command will fail on Windows. 🙃
I think it's a good idea to put it in a script: makes it easier to format the output, so there's extra information about why it failed.
> Since we only care about Travis CI catching these errors, maybe move it over into e.g. ./bin/check-license.sh?

Or alternatively ./bin/check-license.js, where we could use cross-platform Node modules.
There are a few: https://www.npmjs.com/search?q=license%20check
I also swear I've seen some build integrations which support this as a feature, though I'm coming up short on links.
Aha, here it is: https://fossa.io/
"DETECTS HIDDEN GPL" is probably my favourite marketing line on that site. 😂
Yes, we should use more Node for those scripts to make them cross-platform.
9ee0b2e to f0ff95e
Rebased,
f0ff95e to e4a7cde
Related discussion on Slack: https://wordpress.slack.com/archives/C02QB2JS7/p1526628916000386. Short answer: yes and yes. See: #6792.
I'd love to see this as a part of https://github.com/WordPress/packages/tree/master/packages/scripts; it'd be a useful tool for WP plugin devs to implement (especially those that have their plugin in the wp repo).
It would have to be ported to Node, but in general big yes to the idea 💯
Maybe something like this could be used instead? https://www.npmjs.com/package/license-checker It has an
I agree that this would be useful as a script.
Ya, I noticed the same thing with it, plus it didn't have a way of whitelisting verified scripts. One we've started giving a go at using in our packages is https://www.npmjs.com/package/js-green-licenses. While it only automatically handles SPDX format licenses, it does allow for exclusions/whitelisting and also utilizes a config file (which is a bit easier to manage). I configured one of our travis jobs to use it.
@pento, can you double check if It would be great to have all those tools working with both Gutenberg and packages exactly the same.
If I'm not mistaken
Ya, they definitely aren't compatible. I only mentioned it because I wasn't sure whether non-compatible licenses were still okay for dev tools only.
Closing in favour of #8808.
Description
As discussed in #6508, any modules we include must have a GPL2 compatible license. This PR adds a script and Travis check, to ensure that all modules are licensed correctly.
This PR can't be merged until the remaining issues associated with #6508 are resolved.
How has this been tested?
`npm run check-licenses` should exit with an error.
`ALLOWED_LICENSES` array to add the failing licenses.