
Missing licenses for npm packages

Open · stdedos opened this issue 2 years ago · 6 comments

Dependencies that need approval:
acorn-import-assertions, 1.9.0, unknown
cookie-signature, 1.0.6, unknown
import-in-the-middle, 1.4.1, unknown
tr46, 0.0.3, unknown
There are unapproved licenses. Run the license finder locally in your repository:

e.g. https://github.com/xtuc/acorn-import-attributes/blob/main/package.json#L23 has proper linkage for licenses; I don't understand what the issue would be.

stdedos, Jul 17 '23 08:07

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

cf-gitbot, Jul 17 '23 08:07

This is also a regression from 6.15.0, where only

Dependencies that need approval:
acorn-import-assertions, 1.9.0, unknown
There are unapproved licenses. Run the license finder locally in your repository:

is an issue (and also the "Dependencies that need approval:" line is not colored in v7, which is nice to tell the interesting text apart from the wall of CI text).

stdedos, Jul 17 '23 09:07

Hey @stdedos, thanks for raising this. At the beginning of the year we did have an update to support later versions of npm. I wonder if something was missed. FYI, the PR is here: https://github.com/pivotal/LicenseFinder/pull/963. Which npm version was this with? The parsing may just need a tweak.

xtreme-shane-lattanzio, Jul 21 '23 21:07

$ npm -v
9.6.7

In the output of npm list --json --long --all I found no "relevant output" for acorn-import-assertions (even though it exists in https://github.com/xtuc/acorn-import-attributes/blob/main/package.json), but the others (I tried only cookie-signature) appear normally.

Instead of "playing around", would you consider testing it? Just add

@opentelemetry/[email protected] (or @opentelemetry/[email protected]?)
[email protected]
@azure/[email protected]
@azure/[email protected]

as dependencies, and see what the test leads you with.

I'd do it myself, but I have no ruby/testbed to DIY

stdedos, Jul 22 '23 09:07

@xtreme-shane-lattanzio (as you don't have Discussions active):

When is https://github.com/pivotal/LicenseFinder planning to make a release? https://github.com/pivotal/LicenseFinder/compare/v7.1.0...master is already growing a lot.

"Maybe" there is something on master that would help (or make things worse).

Your latest release https://github.com/pivotal/LicenseFinder/releases/tag/v7.1.0 is coming up on 9mo old 😕

stdedos, Aug 15 '23 08:08

I have the same issue for these libraries. Is LicenseFinder not checking the package.json license and only going for the LICENSE file?

acorn-import-assertions doesn't have a LICENSE file, just an MIT license in package.json.

henriksjostrom, Aug 21 '23 06:08
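Two things in this thread are worth checking locally before blaming the tool: whether a package appears at all in the nested tree that npm list --json --long --all prints (stdedos's observation above), and whether its license is declared in package.json rather than only in a LICENSE file (henriksjostrom's question). The Ruby script below is an added example written for this page, not LicenseFinder's own code, and it does not reproduce LicenseFinder's matching logic. It normalises the three shapes npm has used for license declarations (SPDX string, {"type": ...} object, legacy "licenses" array), falls back to a small heuristic scan of a LICENSE file (the LICENSE_MARKERS table is an assumption constructed here, not a real license database), reports "unknown" when neither yields anything, and flattens an npm list tree to find names that are missing from it. The node_modules tree it audits is built in a temporary directory from constructed packages, so it runs offline.

```ruby
require "json"
require "tmpdir"
require "fileutils"

# Normalise the license declaration of a parsed package.json, or of one
# entry of `npm list --json --long` output (which embeds the same fields).
# Handles a plain SPDX string, a {"type" => ..} object and the legacy
# "licenses" array. Returns nil when nothing usable is declared.
def declared_license(pkg)
  case pkg["license"]
  when String then pkg["license"].strip.empty? ? nil : pkg["license"].strip
  when Hash   then pkg["license"]["type"]
  else
    list = pkg["licenses"]
    list = [list] if list.is_a?(Hash)
    ids = Array(list).map { |l| l.is_a?(Hash) ? l["type"] : l }.compact
    ids.empty? ? nil : ids.join(" OR ")
  end
end

# Heuristic fallback on LICENSE text, constructed for this example only:
# a handful of headings mapped to SPDX identifiers.
LICENSE_MARKERS = {
  /\bMIT License\b/i                                      => "MIT",
  /\bApache License,? Version 2\.0\b/i                    => "Apache-2.0",
  /\bBSD 3-Clause\b|\bRedistributions in binary form\b/i  => "BSD-3-Clause",
  /\bISC License\b/i                                      => "ISC",
}.freeze

def license_from_file(pkg_dir)
  path = Dir.glob(File.join(pkg_dir, "LICEN[SC]E*"), File::FNM_CASEFOLD).first
  return nil unless path
  text = File.read(path)
  LICENSE_MARKERS.each { |re, id| return id if text =~ re }
  nil
end

# package.json first, LICENSE file second, "unknown" otherwise (the value
# that shows up in the "Dependencies that need approval" report above).
def license_for(pkg_dir)
  pkg = JSON.parse(File.read(File.join(pkg_dir, "package.json")))
  declared_license(pkg) || license_from_file(pkg_dir) || "unknown"
end

# Flatten the nested "dependencies" tree of `npm list --json --long --all`
# into {name => entry}. A package absent here cannot get a license from the
# npm output at all, whatever its own package.json says.
def flatten_npm_list(tree, acc = {})
  (tree["dependencies"] || {}).each do |name, entry|
    acc[name] ||= entry
    flatten_npm_list(entry, acc)
  end
  acc
end

# Names from `wanted` that are missing from the npm tree or carry no license.
def unknown_from_npm_list(tree, wanted)
  flat = flatten_npm_list(tree)
  wanted.select { |n| flat[n].nil? || declared_license(flat[n]).nil? }
end

# Constructed node_modules tree for the demo; package names and contents
# are invented and do not correspond to the real packages in the thread.
def build_demo_tree(root)
  {
    "declared-only" => { pkg: { "name" => "declared-only", "license" => "MIT" } },
    "file-only"     => { pkg: { "name" => "file-only" },
                         license_file: "MIT License\n\nCopyright (c) 2023 Example\n" },
    "legacy-array"  => { pkg: { "name" => "legacy-array",
                                "licenses" => [{ "type" => "BSD-3-Clause" }] } },
    "@scope/scoped" => { pkg: { "name" => "@scope/scoped", "license" => { "type" => "ISC" } } },
    "nothing"       => { pkg: { "name" => "nothing" } },
  }.each do |name, spec|
    dir = File.join(root, "node_modules", name)
    FileUtils.mkdir_p(dir)
    File.write(File.join(dir, "package.json"), JSON.generate(spec[:pkg]))
    File.write(File.join(dir, "LICENSE"), spec[:license_file]) if spec[:license_file]
  end
  root
end

# Walk node_modules (including @scope/name packages) and resolve each license.
def audit_node_modules(root)
  nm = File.join(root, "node_modules")
  patterns = [File.join(nm, "*", "package.json"), File.join(nm, "@*", "*", "package.json")]
  Dir.glob(patterns).sort.to_h do |pj|
    dir = File.dirname(pj)
    [dir.sub("#{nm}/", ""), license_for(dir)]
  end
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |root|
    build_demo_tree(root)
    audit_node_modules(root).each { |name, lic| puts "#{name}, #{lic}" }
  end
end
```

Run it against a real checkout by replacing the temporary root with the project directory, and feed unknown_from_npm_list the parsed output of npm list --json --long --all to see which of the four packages from the report are absent from the tree versus present without a license field; the two cases need different fixes.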