filepath-securejoin

v0.5.0 cannot be easily used in CNCF projects due to the license

Open AkihiroSuda opened this issue 3 months ago • 2 comments

https://github.com/cncf/foundation/blob/main/policies-guidance/allowed-third-party-license-policy.md

@cyphar MPL-2.0 is not listed in the CNCF Allowlist, and requesting an exceptional approval will probably take months.

Any chance to revert https://github.com/cyphar/filepath-securejoin/commit/91e340c849f393aea772c8f3df9efa3286e983cd ? Dual licensing might be an option too.

AkihiroSuda, Sep 26 '25 00:09

https://github.com/cncf/foundation/issues/1074 was already opened back in July when #58 was being discussed. The only major feature addition in 0.5.0 was the procfs stuff; if you don't need to use it, you can also delay updating until the CNCF approves the request.

cyphar, Sep 26 '25 01:09

https://github.com/cncf/foundation/issues/1074 was merged but apparently it only applies to Kubernetes (I asked that it be a blanket approval but it seems there was some miscommunication). I've opened a separate request in https://github.com/cncf/foundation/issues/1154.

cyphar, Oct 20 '25 10:10