Skip to content

Add support for resolving npm dependencies' licenses#48

Merged
kezhenxu94 merged 2 commits intoapache:mainfrom
zooltd:feature/npm
Jul 25, 2021
Merged

Add support for resolving npm dependencies' licenses#48
kezhenxu94 merged 2 commits intoapache:mainfrom
zooltd:feature/npm

Conversation

@zooltd
Copy link
Copy Markdown
Contributor

@zooltd zooltd commented Jul 23, 2021

  1. Parse the project package.json file to gather the required packages
  2. Run command 'npm install' to install or update the required node packages (can skip)
  3. Walk through each package's root directory to resolve licenses
    • STEP 1: Try to find and parse the package.json file to capture the license field
    • STEP 2: Try to find the license file to identify the license

@wu-sheng
Copy link
Copy Markdown
Member

wu-sheng commented Jul 24, 2021

You should update the doc to show how to use this.

@wu-sheng wu-sheng requested a review from kezhenxu94 July 24, 2021 00:36
@wu-sheng wu-sheng added this to the 0.2.0 milestone Jul 24, 2021
kezhenxu94
kezhenxu94 reviewed Jul 25, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@kezhenxu94 kezhenxu94 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a very good start point to resolve dependencies’ licenses in NPM projects.

This PR only resolves the direct dependencies’ licenses, will you continue to resolve their transitive dependencies in next PR?

@zooltd
Copy link
Copy Markdown
Contributor Author

zooltd commented Jul 25, 2021

This is a very good start point to resolve dependencies’ licenses in NPM projects.

This PR only resolves the direct dependencies’ licenses, will you continue to resolve their transitive dependencies in next PR?

Glad to take it. Also, I'm planning to resolve dev-dependencies' licenses.

@wu-sheng
Copy link
Copy Markdown
Member

wu-sheng commented Jul 25, 2021

Notice, dev-dependency is not binary level or source code level dependency.
They mostly are considered as a convenient tools to enhance dev stage.
I could recommend to process transitive dependency. A.k.a, dependencies of dependencies. Those are true runtime dependencies too.

@wu-sheng
Copy link
Copy Markdown
Member

wu-sheng commented Jul 25, 2021

Dev-tool should not include commercial or unknown licenses. But even GPL and AGPL are fine to use, that is what I mean different.

@zooltd
Copy link
Copy Markdown
Contributor Author

zooltd commented Jul 25, 2021

Notice, dev-dependency is not binary level or source code level dependency.
They mostly are considered as a convenient tools to enhance dev stage.
I could recommend to process transitive dependency. A.k.a, dependencies of dependencies. Those are true runtime dependencies too.

Got it. I will work on this feature in next PR.

@kezhenxu94 kezhenxu94 merged commit d6e232b into apache:main Jul 25, 2021
@kezhenxu94 kezhenxu94 mentioned this pull request Aug 6, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kezhenxu94 kezhenxu94 kezhenxu94 approved these changes

Assignees

No one assigned

Labels

feature

Projects

None yet

Milestone

0.2.0

Development

Successfully merging this pull request may close these issues.

3 participants

@zooltd @wu-sheng @kezhenxu94