pm2

License Clarification

Open coffeebite opened this issue 7 years ago • 21 comments

Can the owners please clarify their interpretation of the AGPL?

Considering using the pm2 runtime to manage a nodejs app (pm2 installed on the server as a totally separate package and not included in the package.json of the nodejs app). Not using the analytics api. Only process manager.

Would the nodejs app managed by pm2 have to be open source?

coffeebite avatar Oct 07 '18 07:10 coffeebite

There's a similar request dating back to 2015 that has not been clarified: https://github.com/Unitech/pm2/issues/1196

luuuis avatar Oct 10 '18 15:10 luuuis

@Unitech Would love a response here. Not trying to tell you guys what it should be. Just want to know how you interpret it. Whatever your take is, it's cool with us.

coffeebite avatar Oct 12 '18 22:10 coffeebite

What @coffeebite said. You made a legal choice, please clarify intent and implications to the community. You don't actually want confusion in the Node ecosystem about this, right? The fact that users care should make you pretty happy actually that your choice of license is being taken seriously. I'm really surprised no answer has been provided yet.

ronkorving avatar Dec 18 '18 08:12 ronkorving

For other licenses contact us. Can't be more clear than that! I don't like it, but I guess they went with it anyway.

maziyarpanahi avatar Feb 12 '19 22:02 maziyarpanahi

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar May 24 '20 05:05 stale[bot]

This is still an unresolved issue.

samsch avatar May 25 '20 18:05 samsch

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jun 24 '20 20:06 stale[bot]

@Unitech Could you please weigh in on this issue? I have to actively recommend not using pm2 due to uncertainty about how AGPL applies when using this software as designed. Is the intent for any public-facing Node software being run by pm2 to be required to be released under AGPL as well?

samsch avatar Jun 24 '20 21:06 samsch

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jul 24 '20 21:07 stale[bot]

Bump

samsch avatar Jul 24 '20 21:07 samsch

Not using pm2 because of this.

nlfiedler avatar May 06 '21 16:05 nlfiedler

As @nlfiedler said... No response... No use...

juandavidkincaid avatar Jul 24 '21 02:07 juandavidkincaid

bump

clempou avatar Oct 21 '22 09:10 clempou

This is sad considering the amount of forks and contributors pm2 has. Not to mention how specific the license language is towards all forms of linking, including over network APIs. In other words, if you run a node.js app on it once they basically have the right to demand your code.

ClosetGeek-Git avatar Nov 04 '22 18:11 ClosetGeek-Git

Most projects that have a choice of AGPL or commercial license entertain some level of confusion, likely to entice users to purchase a commercial license. There has been a lot of discussion on the topic, including by the FSF. I suggest looking up some of the AGPL-related discussions there https://opensource.stackexchange.com like these that I contributed:

  • https://opensource.stackexchange.com/questions/4452/agpl-in-practice/4463
  • https://opensource.stackexchange.com/questions/4691/java-and-agpl-3-how-far-does-license-extend-into-web-app/4692#4692

You can also diff the AGPL text and the GPL text like I did here: the key change is the Section 13. https://gist.github.com/pombredanne/da4666f12b39703d4ee1c29808a2a65f/revisions#diff-6eb5aa2af122281945d8d42cc285a04af319c927fec0b2e03ce47987c39985a2L552

In short, I like to treat unmodified AGPL code the same way as I treat unmodified GPL code because then Section 13 does not apply. Of course any explicit alternative statement by the authors may change the way I see this, but here I have not seen such a statement.

pombredanne avatar Feb 09 '23 08:02 pombredanne

It's worth noting that in 2023, the use of pm2 of any version shows as a high severity license issue in security tools like Snyk. This affects project scoring heavily. Because AGPL is being used by a package it is also flagged as an issue without any remediation path since no upgrade will fix the license (currently).

Recommend #5143

heathdutton avatar Mar 04 '23 04:03 heathdutton

bump - nearly 40k stars on GH and no answer from maintainers: can @Unitech please clarify? Thanks from the community!

clempou avatar Mar 06 '23 09:03 clempou

They clearly aren’t interested in addressing this. Very disappointing.

ClosetGeek-Git avatar Mar 23 '23 21:03 ClosetGeek-Git

It is unbelievable that this is still not addressed or cleared up after so long. I think that the license should not be a problem, but lack of clarifications makes me cautious.

We stopped using PM2 about 5 years ago due to this doubt not being addressed. We had to migrate several projects and it was costly. Today someone asked if they could use pm2 in another project; seeing this the answer will again be NO.

Calabacin avatar May 22 '23 14:05 Calabacin

> Most projects that have a choice of AGPL or commercial license entertain some level of confusion, likely to entice users to purchase a commercial license. There has been a lot of discussion on the topic, including by the FSF. I suggest looking up some of the AGPL-related discussions there https://opensource.stackexchange.com like these that I contributed:
>
>   • https://opensource.stackexchange.com/questions/4452/agpl-in-practice/4463
>   • https://opensource.stackexchange.com/questions/4691/java-and-agpl-3-how-far-does-license-extend-into-web-app/4692#4692
>
> You can also diff the AGPL text and the GPL text like I did here: the key change is the Section 13. https://gist.github.com/pombredanne/da4666f12b39703d4ee1c29808a2a65f/revisions#diff-6eb5aa2af122281945d8d42cc285a04af319c927fec0b2e03ce47987c39985a2L552
>
> In short, I like to treat unmodified AGPL code the same way as I treat unmodified GPL code because then Section 13 does not apply. Of course any explicit alternative statement by the authors may change the way I see this, but here I have not seen such a statement.

I seriously believe AGPL should not be used in this case. It confuses a lot of issues. Even if I personally get a commercial license I can't use any other library that touches pm2 without verifying that they too have a commercial license. My license does not extend to their project. This isn't just a matter of if I'm personally willing/able to pay Unitech for their works. Just one dependency being out of line with the AGPL can bring the whole house of cards down.

ClosetGeek-Git avatar Dec 29 '23 18:12 ClosetGeek-Git

What is the best alternative to pm2 that you have found? I'm thinking that the only way is either Linux systemd or running in a docker container. Do you have any suggestions?

kilsonrs avatar Mar 09 '24 20:03 kilsonrs