Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address caniuse-lite CC-BY 4.0 license incompatibility ⚖️ #520

Closed
2 tasks done
JamieSlome opened this issue Apr 8, 2024 · 2 comments · Fixed by #521
Closed
2 tasks done

Address caniuse-lite CC-BY 4.0 license incompatibility ⚖️ #520

JamieSlome opened this issue Apr 8, 2024 · 2 comments · Fixed by #521
Assignees
@maoo @JamieSlome
Labels
help wanted Extra attention is needed question Further information is requested

Comments

@JamieSlome
Copy link
Member

JamieSlome commented Apr 8, 2024
edited
Loading

The Dependency Review Action has flagged the usage of caniuse-lite@1.0.30001600 as the license of the dependency is not included in our allow-licenses for the Dependency Review Action (as configured in /.github/workflows).

To address this we need to decide whether this child dependency usage and its license terms has any implication to the usage of Apache-2.0 and how to address the warning raised by the GitHub Action.

Tasks
Beta Give feedback

@maoo - really keen to close this one out 👍 🍰
@JamieSlome JamieSlome added help wanted Extra attention is needed question Further information is requested labels Apr 8, 2024
@JamieSlome JamieSlome mentioned this issue Apr 8, 2024
Merged
@maoo
Copy link
Member

maoo commented Apr 8, 2024

@JamieSlome - sorry I missed today's call, and apologies for going through this again, but are we sure this library is coming from a runtime dependency? Because if not, IMO the easiest fix is to remove development from https://github.com/finos/git-proxy/actions/runs/8572074375/workflow?pr=482#L20

The caniuse-lite dependency comes from browserlist, which is pulled by npm/yarn for build purposes; as such, if you don't want to exclude all devDependencies, you could simply ignore browserlist and caniuse-lite with this syntax: actions/dependency-review-action#423 (comment)

@JamieSlome
Copy link
Member Author

@maoo - no problem at all 👍

I tried removing the development flag from the GitHub Action but the issue was still reported.

I will open a pull request which ignores caniuse-lite using the recommended syntax 🤝

@JamieSlome JamieSlome mentioned this issue Apr 9, 2024
Merged
@JamieSlome JamieSlome linked a pull request Apr 9, 2024 that will close this issue
Add caniuse-lite to allow-dependencies-licenses for Dependency Review #521
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maoo maoo

@JamieSlome JamieSlome

Labels
help wanted Extra attention is needed question Further information is requested
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add caniuse-lite to allow-dependencies-licenses for Dependency Review finos/git-proxy
2 participants
@maoo @JamieSlome