dash-licenses icon indicating copy to clipboard operation
dash-licenses copied to clipboard
verified publisher icon eclipse

Packages from NPM workspace reported as dependencies

Open tsmaeder opened this issue 1 year ago • 6 comments

I have a package.json with multiple workspaces in them, having for example a package at sample-plugins/sample-namespace/sample-plugin (see below). I do an npm install, producing a package-lock.json. When I run dash-licenses against the package-lock.json, the package at sample-plugins/sample-namespace/sample-plugin is reported as a dependency that needs to be IP-Checked. My expectation would be that packages that are part of the repo are not reported as dependencies. This is also what happens when I use yarn.lock for the same repo.

tsmaeder avatar Nov 22 '24 15:11 tsmaeder

package-lock.json

tsmaeder avatar Nov 22 '24 15:11 tsmaeder

When I change the name of the package to @theia/plugin-a in the package.json, the package is no longer reported as a dependency.

tsmaeder avatar Nov 22 '24 15:11 tsmaeder

Trying to parse the package-lock.json file from Java has been challenging. Not least because I just don't have the resources to really dig into and understand the format. The current implementation does recognise some content as "project content", but getting it completely right has been difficult. It's not clear to me, for example, how to handle wildcards in the workspace list (e.g., is packages/* intended to match both packages/terminal and packages/task/node_modules/async-mutex, or just the former?).

Regardless of whether or not we have an answer to that question, my thinking is that it's better to (re)focus the Eclipse Dash License Tool on what it does well and leverage NPM features to get the list of dependencies. That is, my thinking is that we should deprecate and eventually remove this functionality rather than try to maintain currency with a format that we lack resources to understand and maintain. Likewise for the yarn.lock file reader.

The npm ls command does, I believe, give us a proper listing of what's installed, so we have that. Any modules that get listed in error can be removed via CLI before piping to the licence tool.

It's handy (at least for the EMO) to be able to parse a package-lock.json file out of context, but I'm not aware of any tools that do that. @tsmaeder are you aware of any native NPM tools that can help here?

waynebeaton avatar Nov 22 '24 18:11 waynebeaton

@waynebeaton unfortunately I don't know...just converting our project to the wonderful world of npm myself.

tsmaeder avatar Nov 25 '24 09:11 tsmaeder

I've pushed a fix that I think might solve this problem. Can you have a look at your earliest convenience, please?

waynebeaton avatar Dec 20 '24 20:12 waynebeaton

I tried it on our workspace and it runs through without complainine.

tsmaeder avatar Dec 23 '24 09:12 tsmaeder

The problem is back in our builds. Are we getting an old version of dash-licenses may due to EF storage issues?

tsmaeder avatar May 06 '25 14:05 tsmaeder

Are we getting an old version of dash-licenses may due to EF storage issues?

It appears that the lastest SNAPSHOT build is dated November 12 2024. So this is indeed the likely cause.

The Eclipse Dash project's CI hasn't been restored yet, so I have no means of addressing this at the moment.

Related... I should add a -version option to the tool.

waynebeaton avatar May 06 '25 15:05 waynebeaton