
allowedPackages bypasses detection of licences not in allowedLicenses

Open akloeber opened this issue 7 years ago • 0 comments

Any entry in allowedPackages makes the warning for the custom license in package @progress/kendo-schematics@0.2.5 disappear.

Reproduction: Create the following package.json:

{
  "name": "lic",
  "version": "1.0.0",
  "dependencies": {
    "@progress/kendo-schematics": "0.2.5",
    "colors": "0.5.1",
    "license-to-fail": "3.0.0"
  },
  "license-to-fail": {
    "allowedPackages": [],
    "allowedLicenses": [
      "MIT",
      "Apache-2.0",
      "BSD",
      "ISC",
      "WTFPL",
      "Unlicense",
      "CC0-1.0",
      "CC-BY-3.0",
      "CC-BY-4.0"
    ]
  }
}

Running npm install && ./node_modules/.bin/license-to-fail gives the following output:

INDIRECT DEP - @progress/kendo-schematics@0.2.5 SEE LICENSE in LICENSE.md: https://github.com/telerik/kendo-schematics
INDIRECT DEP - colors@0.5.1 UNKNOWN: https://github.com/Marak/colors.js

This is fine as colors@0.5.1 does not have any license information attached and kendo-schematics refers to a custom license file in its package.json.

But after adding an exclusion for package colors, the warning for kendo-schematics also vanishes:

...
    "allowedPackages": [
      {
        "name": "colors",
        "reason": "checked manually: license is MIT, see https://github.com/Marak/colors.js/blob/master/LICENSE"
      }
    ],
...

Furthermore, if name is set to foo, only colors is reported. So any entry in allowedPackages makes the warnings for the kendo-schematics license disappear.

akloeber avatar Jan 21 '19 15:01 akloeber
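The allow-list semantics the report expects, written out as an added example (this is not license-to-fail's own code): an allowedPackages entry exempts only the package it names, and every other dependency is still judged against allowedLicenses. The dependency records and the `findViolations` / `withAllowed` helpers are constructed here from the issue text; the three configurations at the bottom correspond to the empty allow-list, the `colors` exclusion and the `foo` exclusion described above.

```javascript
// Constructed from the two lines of output in the issue: the licence string a
// checker sees for each dependency, plus its repository URL.
const deps = [
  {
    name: "@progress/kendo-schematics",
    version: "0.2.5",
    license: "SEE LICENSE in LICENSE.md", // custom licence file, not an SPDX id
    repo: "https://github.com/telerik/kendo-schematics",
  },
  {
    name: "colors",
    version: "0.5.1",
    license: "UNKNOWN", // no licence metadata at all
    repo: "https://github.com/Marak/colors.js",
  },
];

// Licence allow-list from the package.json in the issue.
const baseConfig = {
  allowedPackages: [],
  allowedLicenses: [
    "MIT", "Apache-2.0", "BSD", "ISC", "WTFPL",
    "Unlicense", "CC0-1.0", "CC-BY-3.0", "CC-BY-4.0",
  ],
};

// Hypothetical helper: same licence list, one package-level exemption.
function withAllowed(name, reason) {
  return { ...baseConfig, allowedPackages: [{ name, reason }] };
}

// Report every dependency whose licence is not allow-listed, unless that
// specific package (and only that package) has a reviewed exemption.
function findViolations(packages, config) {
  const allowedLicenses = new Set(config.allowedLicenses || []);
  const exemptions = new Map(
    (config.allowedPackages || []).map((p) => [p.name, p.reason || ""])
  );
  const violations = [];
  for (const pkg of packages) {
    if (exemptions.has(pkg.name)) continue; // exemption is per package name
    if (allowedLicenses.has(pkg.license)) continue; // exact SPDX match only
    violations.push(`${pkg.name}@${pkg.version} ${pkg.license}: ${pkg.repo}`);
  }
  return violations;
}

// Expected outcomes for the three configurations from the issue.
const noExemptions = findViolations(deps, baseConfig); // both packages
const colorsReviewed = findViolations(
  deps,
  withAllowed("colors", "checked manually: license is MIT")
); // only kendo-schematics
const unrelatedName = findViolations(deps, withAllowed("foo", "no such dep")); // both packages

for (const [label, result] of [
  ["no exemptions", noExemptions],
  ["colors exempt", colorsReviewed],
  ["foo exempt", unrelatedName],
]) {
  console.log(`${label}: ${result.length} violation(s)`);
  for (const line of result) console.log("  " + line);
}
```

The check that matters is the second call: exempting `colors` must leave the kendo-schematics line in the output, and exempting a name that matches nothing must change nothing. Matching licences exactly against the allow-list keeps free-form strings such as "SEE LICENSE in LICENSE.md" from ever passing silently.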