dash-licenses marks dependencies as failing

[vince-fugnitto]

Description

We currently use dash-licenses in eclipse-theia and noticed that the tool reports errors in dependencies despite them not being changed. This happened 3 days this week so I thought I'd bring it to the project's attention (I had to submit automated reviews for these dependencies).

Is there a reason that the check passes one day, and not the next despite nothing on our side changing? Is it related to https://github.com/eclipse/dash-licenses/issues/81?

Additional Info:

Automated review requests this week:

• https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues?scope=all&state=all&author_username=vfugnitto

[vince-fugnitto]

It's happened again this morning, despite dependencies not being updated the check suddenly fails:

• https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/2498
• https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/2499
• https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/2500
• https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/2501

cc @waynebeaton is there a specific reason as to why this might happen?

[waynebeaton]

This is not related to issue #81 (that should only impact Java).

There's at least two different things happening.

My best guess with npm/npmjs/-/eslint-module-utils/2.7.3 and npm/npmjs/-/normalize-package-data/2.5.0 is that the ClearlyDefined scores changed (dropped), so they no longer pass based on ClearlyDefined and are flagged as requiring further review. This sort of thing is expected; though my expectation is that one average, we move more from restricted to approved than the other way around.

The other two had previously been reviewed and approved by us, so they should be okay. I'll investigate.