Automatically audit dependency licenses #70

Merged: 2 commits into npm:release-next on Nov 26, 2018

Conversation

kemitchell
Contributor

This PR adds an npm script and Travis CI script line to check dependencies' licenses against a configured acceptable-license rule. I've also added dependencies that lack proper license metadata to a whitelist, after checking their terms by hand.

Please note that I've only whitelisted the current versions of dependencies without valid license metadata. If we bump those deps, and the new versions don't have valid metadata, either, the license check will fail until the new versions are added to the whitelist. There are only four of those deps at present.

cc @iarna

@kemitchell kemitchell requested a review from a team as a code owner September 14, 2018 17:17
@kemitchell
Contributor Author

Here's the Travis CI log where the output starts:

https://travis-ci.com/npm/cli/jobs/145843764#L1245

@kemitchell
Contributor Author

I believe this is ready to go.

@annunah

annunah commented Oct 26, 2018

Let's try :)

Contributor

@zkat zkat left a comment


I mean if our lawyer thinks this is a good idea, then I think this is a good idea. Let's roll with it and see.

@zkat zkat changed the base branch from latest to release-next November 13, 2018 14:58
@zkat zkat added the semver:patch semver patch level for changes label Nov 13, 2018
@kemitchell
Copy link
Contributor Author

This is basically like having bumpers at a bowling alley. I trust y'all are checking licenses of deps as you bring them in, but this will help catch anything that slips past.

@zkat zkat merged commit 27217da into npm:release-next Nov 26, 2018
@kemitchell kemitchell deleted the licensee branch November 26, 2018 16:17
zkat pushed a commit that referenced this pull request Dec 10, 2018