License problem with node-pre-gyp

[jinwoo]

grpc depends on node-pre-gyp and it has a transitive dependency, jsonify, whose license is "Public Domain". "Public Domain" is not a valid license for Google.

This issue blocks googleapis/google-cloud-node#2785.

We need to either get an explicit approval for that package or remove the dependency.

The dependency chain is like this:

grpc@1.7.3 -> node-pre-gyp@0.6.39 -> request@2.81.0 -> har-validator@4.2.1 -> ajv@4.11.8 -> json-stable-stringify@1.0.1 -> jsonify@0.0.0

[jinwoo]

@ofrobots

[jinwoo]

I made a PR in the node-pre-gyp package as a resolution to this: mapbox/node-pre-gyp#342

But that makes tests fail with Node 0.10.

[murgatroid99]

Why is this now a problem?

[jinwoo]

@murgatroid99 I'm sorry I wasn't clear. It's just that we (Node team) started to automate the license checking in our repos using our new tool and detected this problem. I don't know since when we had this problem.

[jinwoo]

@murgatroid99 @ofrobots found a good alternative to node-pre-gyp: https://www.npmjs.com/package/prebuild

[murgatroid99]

That looks promising, but I can't yet tell if it's a complete drop-in replacement. One potential issue I see is that at install time users can pass arguments through to node-pre-gyp to control which binary is downloaded, and it looks like those arguments are different for prebuild-install, and the argument to determine which OS to download for is not mentioned. I think that could break some people's install scripts, so it might be considered a breaking change.

[jinwoo]

mapbox/node-pre-gyp#342 has been fixed by mapbox/node-pre-gyp#347. I think we're fine now. Closing.