Some (sub) package.json do not list the licences, which leads tools like syft to report unknown licence
Operating System
Any
Environment (if applicable)
Any
Firebase SDK Version
12.4
Firebase SDK Product(s)
AI
Project Tooling
Not relevant
Detailed Problem Description
Some (sub) package.json do not list the licences, which leads tools like syft to report unknown licence
Includes:
https://github.com/firebase/firebase-js-sdk/blob/main/packages/messaging/sw/package.json
https://github.com/firebase/firebase-js-sdk/blob/main/packages/auth/cordova/package.json
https://github.com/firebase/firebase-js-sdk/blob/main/packages/auth/web-extension/package.json
https://github.com/firebase/firebase-js-sdk/blob/main/packages/auth/internal/package.json
https://github.com/firebase/firebase-js-sdk/blob/main/packages/database-compat/standalone/package.json
https://github.com/firebase/firebase-js-sdk/blob/main/packages/firestore/lite/package.json
https://github.com/firebase/firebase-js-sdk/blob/main/packages/webchannel-wrapper/bloom-blob/package.json
https://github.com/firebase/firebase-js-sdk/blob/main/packages/webchannel-wrapper/webchannel-blob/package.json
Steps and code to reproduce issue
Not relevant.
I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
Hi @cjolif, thanks for reporting this. Let me check what we can do for this issue or bring someone here that can provide more context about it. I’ll update this thread if I have any information to share.
Those packages aren't published NPM packages, just placeholders representing different entry points for legacy bundlers, so we didn't add license fields to them. We figured the license of the actual NPM package that encompasses those sub packages should count.
It shouldn't be too hard to add the license field to these packages though, just to make tools like Syft work, so we can add that task to our backlog.
Can I ask if this problem is blocking your development or build, or just leading to annoying errors in the Syft report?
Thanks a lot for the update.
> Can I ask if this problem is blocking your development or build, or just leading to annoying errors in the Syft report?
Just annoying errors I have to manually override, but not strictly speaking blocking (I guess the tool recursively goes through the packages, that's why it encounters them even if subpackages).
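The distinction drawn in this thread, as an added example (not code from the firebase-js-sdk project or from Syft): a Node.js script that lists every package.json under a tree that declares no license and, for entry-point placeholders nested inside a package, reports the enclosing package's license, while a package sitting directly under node_modules stays flagged with nothing to inherit. The function names, package names, licenses and directory layout in `buildSample` are constructed for the demonstration.

```javascript
// Added example: audit a dependency tree for package.json files with no license field.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// License declared by a manifest (string form or npm's legacy object/array forms), else null.
function declaredLicense(m) {
  if (typeof m.license === "string" && m.license.trim()) return m.license.trim();
  if (m.license && typeof m.license.type === "string") return m.license.type;
  const types = Array.isArray(m.licenses) ? m.licenses.map((l) => l && l.type).filter(Boolean) : [];
  return types.length ? types.join(" OR ") : null;
}
const readManifest = (dir) => {
  try { return JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf8")); } catch { return null; }
};
// Nearest licensed ancestor manifest. Crossing a node_modules directory means the
// manifest is its own package, so nothing may be inherited.
function enclosingLicense(dir, root) {
  for (let d = path.dirname(dir); d.startsWith(root); d = path.dirname(d)) {
    if (path.basename(d) === "node_modules") return null;
    const m = readManifest(d);
    if (m && declaredLicense(m)) return { name: m.name, license: declaredLicense(m) };
    if (d === root) break;
  }
  return null;
}
function findUnlicensed(root) {
  const findings = [];
  (function walk(dir) {
    const m = readManifest(dir);
    if (m && !declaredLicense(m)) {
      const file = path.relative(root, path.join(dir, "package.json")).split(path.sep).join("/");
      findings.push({ file, inherited: enclosingLicense(dir, root) });
    }
    for (const e of fs.readdirSync(dir, { withFileTypes: true })) if (e.isDirectory()) walk(path.join(dir, e.name));
  })(root);
  return findings;
}

// Constructed sample tree: a licensed package, an entry-point placeholder inside it,
// and an unrelated package that declares no license at all.
function buildSample() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "lic-"));
  const write = (rel, obj) => {
    fs.mkdirSync(path.join(root, rel), { recursive: true });
    fs.writeFileSync(path.join(root, rel, "package.json"), JSON.stringify(obj));
  };
  write("node_modules/example-sdk", { name: "example-sdk", version: "1.0.0", license: "Apache-2.0" });
  write("node_modules/example-sdk/cordova", { name: "example-sdk/cordova", main: "../dist/cordova.js" });
  write("node_modules/orphan", { name: "orphan", version: "0.1.0" });
  return root;
}
```

Findings with a non-null `inherited` are candidates for a documented override in the SBOM; findings with `inherited: null` still need a manual license review.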