
filepath-securejoin v0.5.0 contains MPL-2.0 code which is not allowed per CNCF rules

Open Luap99 opened this issue 6 months ago • 3 comments

github.com/cyphar/filepath-securejoin v0.5.0 added MPL-2.0 code which is not allowed in the CNCF license rules by default and requires an exception, see https://github.com/cncf/foundation/issues/1154

We are holding the update in podman, buildah and in our storage library to avoid the bump for now, https://github.com/containers/container-libs/pull/359.

Looks like it was bumped in https://github.com/cri-o/cri-o/commit/cadcf4753319ebf59e2bbd83c2b8701395dc97ff here, you may need to revert it until it gets an exception.

Luap99, Oct 20 '25 15:10

Thank you for letting us know!

bitoku, Oct 21 '25 12:10

The pinning PR was merged, but for tracking purposes, I'll keep it open.

bitoku, Oct 21 '25 15:10

A friendly reminder that this issue had no activity for 30 days.

github-actions[bot], Nov 21 '25 00:11