[License Exception Request] [nextjs/sharp-libvips] [LGPL-3.0]
For which CNCF project are you requesting exceptions?
https://github.com/kagent-dev/kagent, though this applies to all CNCF projects
Are you an official maintainer of this project?
No
List of components requiring an exception
| Component | Upstream URL | Project Usage URL | License(s) | Purpose |
|---|---|---|---|---|
| sharp-libvips | https://github.com/lovell/sharp | https://github.com/kagent-dev/kagent/blob/79f75775c1e6310dca9bccc287395456e7fc9d2a/ui/package.json#L41 | LGPL-3.0 | Sharp dynamically links with libvips under the terms of LGPL 3, which is compatible with Apache 2.0. The Nextjs framework includes Sharp as a dependency in later versions. As outlined in https://github.com/kagent-dev/kagent/pull/1150, the kagent project is susceptible to a CVE by remaining on the earlier versions of NextJS. |
Are all of the components mandatory dependencies for the project to function as intended?
Yes
If no, please explain
No response
How will the components be included in or with the project's code and distributions?
- [ ] Incorporated code
- [ ] Vendored component
- [x] Build-time dependency
- [ ] Build and test tooling
- [ ] Install-time dependency
- [ ] Required upstream dependencies
- [ ] Other (please describe below)
If any of the above selections don't apply to all of the components listed in the table above, please explain
No response
Which of the following best describes how the components interact with the project's own code?
- [ ] Static linking: e.g., compiled together with project code into a single binary
- [x] Dynamic linking: e.g., compiled into a separate binary, running together with project code in a single address space at run-time
- [ ] Separate process: e.g., separate executable running in a different process space, interacting with project code only via mechanisms such as pipes, sockets, etc.
- [ ] Network interaction only: e.g., logically separated over a network and communicating only via mechanisms such as network API call, exchanging JSON data, etc.
- [ ] Other (please describe below)
If any of the above selections don't apply to all of the components listed in the table above, please explain
No response
Will any of the components be modified?
No
If yes, please specify which components will be modified, and briefly describe the purpose and nature of the modifications.
No response
Will the project be seeking to contribute the modifications back to the upstream project?
None
kagent, and any other projects using NextJS, import next as a direct dependency: https://github.com/kagent-dev/kagent/blob/79f75775c1e6310dca9bccc287395456e7fc9d2a/ui/package.json#L41.
Due to a CVE in that version of Next (https://nextjs.org/blog/CVE-2025-66478), https://github.com/kagent-dev/kagent/pull/1150, we are attempting to update the version, though that is flagged by Snyk as an "LGPL-3.0 license" issue for "@img/[email protected]" -- this comes from Next.js (package [email protected] and above).
Based on https://github.com/lovell/sharp/issues/4023#issuecomment-1984543764 and https://github.com/zoontek/react-native-bootsplash/pull/730#issuecomment-3497278270, it appears that this sharp-libvips dependency is not in fact an issue.
However, we would appreciate clarification on this before we upgrade to a newer version of NextJS. If this is not a licensing issue, as we suspect, we would appreciate direction on how to avoid having Snyk report the issue.
Thanks!
Heya! Please do the version upgrade to keep shipping secure code :) That said, this will still require us to go through the exception process, so we're going to keep this issue open and may have questions soon. If you have any other concerns in the meantime, feel free to toss them in here.