Browserify depends on unlicensed code #1828

Closed
14 tasks done
kylef opened this issue Apr 10, 2018 · 13 comments · Fixed by #1930

Comments

@kylef

kylef commented Apr 10, 2018

The browserify package depends on various other packages which do not have valid licenses. This makes it hard to install browserify as in doing so you'd be making possibly illegal copies of the dependencies. Some declare that they follow the MIT license in package.json, but as they do not include a copyright notice in the NPM package it would be against the license to make a copy (such as running npm install -g browserify).

I think in most of the cases, the linked issues and pull requests can be resolved to create new releases of the dependencies so I've filed this bug to track in browserify. However in the case of jsonify it seems that it may not be so clear and perhaps the best course of action would be to find an alternative solution.

I've listed all of the dependencies that I spotted which do not have a valid license and opened issues or PRs on the respective packages:

  • jsonify@0.0.0 (Public Domain) - missing full license text
  • browserify-cipher@1.0.0 (MIT) - missing full license text
    • License added to repo in browserify-cipher#2 ("add license") but the NPM package does not yet contain a license file and therefore the NPM release is not compliant with the license, as it is a copy which does not contain the copyright notice.
  • browserify-des@1.0.0 (MIT) - missing full license text
    • License added to repo in browserify-des#2 ("add license") but the NPM package does not yet contain a license file and therefore the NPM release is not compliant with the license, as it is a copy which does not contain the copyright notice.
  • buffer-from@1.0.0 (MIT) - missing copyright notice, missing full license text
  • create-ecdh@4.0.0 (MIT) - missing full license text
    • License added to repo in createECDH#10 ("LICENSE file") but the NPM package does not yet contain a license file and therefore the NPM release is not compliant with the license, as it is a copy which does not contain the copyright notice.
  • create-hash@1.1.3 (MIT) - missing copyright notice, missing full license text
    • License added to repo in but the NPM package does not yet contain a license file and therefore NPM release is not compliant with the license as it is a copy which does not contain the copyright notice.
  • create-hmac@1.1.6 (MIT) - missing copyright notice, missing full license text
    • License added to repo in but the NPM package does not yet contain a license file and therefore NPM release is not compliant with the license as it is a copy which does not contain the copyright notice.
  • diffie-hellman@5.0.2 (MIT) - missing full license text
    • Created a PR to add a license file: diffie-hellman#29 ("Add missing license")
    • The current NPM package does not yet contain a license file and therefore NPM release is not compliant with the license as it is a copy which does not contain the copyright notice.
  • indexof@0.0.1 (UNKNOWN) - missing copyright notice
  • minimalistic-assert@1.0.0 (ISC) - missing copyright notice, missing full license text
  • parse-asn1@5.1.0 (ISC) - missing copyright notice, missing full license text
    • License added to repo in parse-asn1#27 ("Add LICENSE") but the NPM package does not yet contain a license file and therefore the NPM release is not compliant with the license, as it is a copy which does not contain the copyright notice.
  • path-parse@1.0.5 (MIT) - missing full license text
  • public-encrypt@4.0.0 (MIT) - missing copyright notice, missing full license text
    • Open PR to add license: publicEncrypt#14 ("Add missing license and author")
    • The current NPM package does not yet contain a license file and therefore NPM release is not compliant with the license as it is a copy which does not contain the copyright notice.
  • component-indexof@0.0.3 (UNKNOWN) - missing license type, copyright notice
    • Open issue: component/indexof#6 ("NPM release for 0.0.3 and master changes")
    • The current NPM package does not yet contain a license file and therefore NPM release is not compliant with the license as it is a copy which does not contain the copyright notice. The repository does indeed contain the license but is unreleased.
@ljharb
Member

ljharb commented Apr 10, 2018

If path-parse is only included via resolve, that'll likely be removed in v2 of resolve in favor of a different dependency.

@dcousens
Member

@calvinmetcalf licenses! 😃

@goto-bus-stop
Member

goto-bus-stop commented Apr 11, 2018

indexof is replaced by component-indexof, which includes a license, in vm-browserify@1, so we only need to bump that dependency #1829

@calvinmetcalf
Contributor

ok all of the cryptobrowserify ones are done except create-hash which I think has a breaking change snuck into master so I almost certainly don't want to publish that one as is

@calvinmetcalf
Contributor

pull for create hash is up browserify/createHash#22

@calvinmetcalf
Contributor

ok done on my end (as far as I know)

@goto-bus-stop
Member

published browserify@16.2 which removes the indexof dep.

@kylef
Author

kylef commented Apr 12, 2018

Thanks for the work here all, I really appreciate it! Especially to @calvinmetcalf for releasing various libraries with LICENSE so quickly.

published browserify@16.2 which removes the indexof dep.

There seems to be two indexof NPM packages, indexof and component-indexof which are both published from same source https://github.com/component/indexof/ according to the package.json of the NPM packages. browserify@16.2 removes indexof but also introduces it back via component-indexof so this one is still problematic.

@goto-bus-stop
Member

huh, i coulda sworn component-indexof had a license added. you're right, it does not 🙈

@goto-bus-stop
Member

goto-bus-stop commented Apr 13, 2018

just added a hand written polyfill for indexOf to vm-browserify@1.0.1, so component-indexof is no longer in use. (Probably makes sense to just remove the polyfills entirely, most other browserify builtins haven't supported IE8 for a while.)

fahrradflucht added a commit to fahrradflucht/node-libs-browser that referenced this issue Apr 27, 2018
vm-browserify up until 1.0.1 depended upon unlicensed code. [0][1] This means
node-libs-browser does too. This resolves the issue by upgrading it. All
changes in between were non-breaking. [2]

[0] browserify/browserify#1828
[1] component/indexof#6
[2] https://github.com/browserify/vm-browserify/releases
@Jukilum

Jukilum commented Jul 27, 2018

It looks like buffer-from has had a license added.

@goto-bus-stop
Member

path-parse@1.0.6 includes a license file.

6 participants