
Remove GPL License from upstream packages

Open michaelfarrell76 opened this issue 4 years ago • 2 comments

When adding a downstream dependency, strong-soap, I was getting a warning because adm-zip had GPL code, and this fails our license check, preventing us from using this package. Since then, the GPL code has been removed, but the package tree needs to be updated. I've traced this update and I believe that cldr-data is the next package that needs to be updated in this process, followed by globalize.

[Screenshot: Screen Shot 2020-06-03 at 11 48 43 AM]
  • At the root, adm-zip is the issue. This package has been updated to remove GPL code, and any version above 0.4.12 no longer has this warning.
  • cldr-data-downloader is the next culprit; looking at version 0.3.5, it now has adm-zip at 0.4.13, so this package is no longer an issue.
  • The next level is cldr-data, which currently pins to 0.3.x of cldr-data, so it is unclear to me whether this package has been published with a more recent version with the bumped adm-zip. I've opened an issue in the cldr-data package asking them to bump this version in case it has not already been bumped.

Proposal

  • Potentially pin cldr-data-downloader to an explicit version, 0.3.5.
  • I am uncertain where the standard cldr-data package is being included in this package.json, but wherever that comes from, bumping that version after cldr-data fixes this license issue would be needed.
  • Publish a new patch or minor version of this module with the updated versions that no longer have GPL-licensed code.

michaelfarrell76 avatar Jun 03 '20 19:06 michaelfarrell76

@michaelfarrell76 As far as I can tell from https://github.com/globalizejs/globalize/blob/master/package.json#L76, cldr-data-downloader is a dev dependency, which won't be installed/used at runtime. Your scanning tool probably didn't understand that.

raymondfeng avatar Jun 03 '20 20:06 raymondfeng

Hmmm, I'm pretty sure that FOSSA is only scanning dependencies and not devDependencies. I've seen others move packages from regular dependencies -> devDependencies and this goes away.

This could be coming up because the downstream packages are pinned to an earlier version of globalize where cldr-data ended up as a regular dependency.

I was unable to determine why the FOSSA output in that image points from globalize -> cldr-data, since I did not find this anywhere in the package.json. Was there a recent change that potentially removed this dep?

michaelfarrell76 avatar Jun 03 '20 20:06 michaelfarrell76
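The chain-tracing done by hand in the opening post, and the runtime-versus-devDependency distinction raised in the reply, can be checked mechanically against an `npm ls --json`-style tree. The following is an added example, not code from the thread or the globalize project; the tree it walks is constructed sample data, and the 0.4.13 threshold is the adm-zip version the thread names as GPL-free.

```javascript
// Added example: walk an `npm ls --json`-shaped dependency tree and report every
// chain that reaches adm-zip below 0.4.13 (the first GPL-free release per the
// thread), noting whether the chain passes only through devDependency subtrees.
// The tree below is constructed sample data, not real globalize output.
const sampleTree = {
  dependencies: {
    "strong-soap": { version: "1.0.0", dependencies: {
      globalize: { version: "1.4.0", dependencies: {
        // npm marks devDependency subtrees with dev: true
        "cldr-data": { version: "35.0.0", dev: true, dependencies: {
          "cldr-data-downloader": { version: "0.3.4", dependencies: {
            "adm-zip": { version: "0.4.11" },
          } },
        } },
      } },
    } },
  },
};

// Numeric compare of dotted versions; returns <0, 0, >0 like a comparator.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk; collects chains (arrays of "name@version") that end at
// `pkg` with version < minOk. `dev` becomes true once any ancestor is dev-only,
// so a hit with devOnly: true is not installed at runtime.
function findFlaggedChains(tree, pkg, minOk, path = [], dev = false, out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const chain = [...path, `${name}@${node.version}`];
    const isDev = dev || node.dev === true;
    if (name === pkg && compareVersions(node.version, minOk) < 0) {
      out.push({ chain, devOnly: isDev });
    }
    findFlaggedChains(node, pkg, minOk, chain, isDev, out);
  }
  return out;
}

// Print each offending chain, marking whether it matters at runtime.
for (const hit of findFlaggedChains(sampleTree, "adm-zip", "0.4.13")) {
  console.log(`${hit.devOnly ? "dev-only" : "RUNTIME "} ${hit.chain.join(" -> ")}`);
}
```

Feeding real `npm ls --all --json` output in place of the constructed tree shows whether a flagged chain is one a scanner should count at all.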