
Automate audit of dependency licenses

Open 10xjs opened this issue 6 years ago • 4 comments

What

Check that any dependency that is bundled and shipped as part of the web-ui within the sensu-go binary is correctly licensed for such use.

How

It is possible to analyze the licenses of all resolved npm dependencies with the yarn licenses list command. Analyzing and validating the JSON output of this as a CI build step is a viable approach.

One potential concern is that not all npm dependencies end up as part of the bundle; any dependency that is strictly a test or build tool can potentially be excluded from the license audit.

Determining which dependencies do or do not contribute to the bundle is a difficult challenge. Build tools like webpack and babel inject small runtimes into the bundle and need to be considered in the license audit. This is only a problem to worry about if any license issues arise in the first place.

10xjs avatar May 10 '18 21:05 10xjs

This should be a recurring, automated task.

annaplotkin avatar Aug 13 '18 18:08 annaplotkin

We need an 'Allow' list. Start with Apache and MIT.

annaplotkin avatar Aug 13 '18 18:08 annaplotkin
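The CI check sketched in the issue body (validate the JSON output of `yarn licenses list`) combined with the allow list proposed above, written out as an added example; this is not code from the sensu-go project or from anyone in this thread. It assumes the yarn v1 `--json` output shape: one JSON object per line, where the record with `type: "table"` carries `head` and `body` arrays whose columns include `Name`, `Version` and `License`. The package names, versions and URLs in the sample are constructed. Licenses are compared as exact SPDX identifiers; an `OR` choice passes if any option is allowed, an `AND` combination only if every part is, and `UNKNOWN` or empty values fail closed.

```javascript
// Added example: allow-list check over `yarn licenses list --json` output.
// Assumption: yarn v1 JSON-lines format with a "table" record (see lead-in).
// Not part of the sensu-go project.

// Starting allow list, as proposed in the thread: Apache and MIT only.
const ALLOWED_LICENSES = new Set(['MIT', 'Apache-2.0']);

// Parse yarn's JSON-lines output into [{ name, version, license }].
function parseYarnLicenses(rawOutput) {
  const table = rawOutput
    .split('\n')
    .filter((line) => line.trim() !== '')
    .map((line) => JSON.parse(line))
    .find((record) => record.type === 'table');
  if (!table) {
    throw new Error('no "table" record found in yarn licenses output');
  }
  const { head, body } = table.data;
  const nameIdx = head.indexOf('Name');
  const versionIdx = head.indexOf('Version');
  const licenseIdx = head.indexOf('License');
  if (nameIdx < 0 || versionIdx < 0 || licenseIdx < 0) {
    throw new Error('unexpected table columns: ' + head.join(','));
  }
  return body.map((row) => ({
    name: row[nameIdx],
    version: row[versionIdx],
    license: row[licenseIdx],
  }));
}

// Split an SPDX-style expression into its atomic identifiers.
// "(MIT OR Apache-2.0)" -> ["MIT", "Apache-2.0"]
function licenseTerms(expr) {
  return expr
    .replace(/[()]/g, ' ')
    .split(/\s+/)
    .filter((t) => t && t !== 'OR' && t !== 'AND' && t !== 'WITH');
}

// Fail closed: empty or UNKNOWN is never acceptable. An expression containing
// AND requires every identifier to be allowed (conservative for mixed
// AND/OR expressions); a plain identifier or an OR choice needs one match.
function isAllowed(expr, allowed = ALLOWED_LICENSES) {
  if (!expr || /UNKNOWN/i.test(expr)) return false;
  const terms = licenseTerms(expr);
  if (terms.length === 0) return false;
  if (/\bAND\b/.test(expr)) return terms.every((t) => allowed.has(t));
  return terms.some((t) => allowed.has(t));
}

// Dependencies whose license is not on the allow list. `exclude` holds names
// of packages the team has confirmed are test/build-only and never bundled;
// keep this list explicit and reviewed, since webpack/babel runtimes do ship.
function findViolations(rawOutput, allowed = ALLOWED_LICENSES, exclude = new Set()) {
  return parseYarnLicenses(rawOutput).filter(
    (dep) => !exclude.has(dep.name) && !isAllowed(dep.license, allowed)
  );
}

// Human-readable CI report; non-empty means the build should fail.
function formatReport(violations) {
  return violations
    .map((v) => `${v.name}@${v.version}: license "${v.license}" is not on the allow list`)
    .join('\n');
}

// Constructed sample output (not captured from this project).
const SAMPLE_OUTPUT = [
  '{"type":"info","data":"constructed info line"}',
  JSON.stringify({
    type: 'table',
    data: {
      head: ['Name', 'Version', 'License', 'URL', 'VendorUrl', 'VendorName'],
      body: [
        ['left-pad', '1.3.0', 'MIT', 'https://example.invalid/left-pad', '', ''],
        ['some-lib', '2.0.0', 'Apache-2.0', 'https://example.invalid/some-lib', '', ''],
        ['dual-lib', '0.1.0', '(MIT OR GPL-3.0)', 'https://example.invalid/dual-lib', '', ''],
        ['copyleft-lib', '4.2.0', 'GPL-3.0', 'https://example.invalid/copyleft-lib', '', ''],
        ['mystery-lib', '0.0.1', 'UNKNOWN', 'https://example.invalid/mystery-lib', '', ''],
        ['test-only-tool', '9.9.9', 'LGPL-2.1', 'https://example.invalid/test-only-tool', '', ''],
      ],
    },
  }),
].join('\n');

// Example run over the constructed sample, with one package excluded as test-only.
const sampleViolations = findViolations(SAMPLE_OUTPUT, ALLOWED_LICENSES, new Set(['test-only-tool']));
console.log(formatReport(sampleViolations) || 'all bundled dependencies are on the allow list');
```

In CI the input would come from `yarn licenses list --json`, saved to a file and passed to `parseYarnLicenses`; the job fails when `findViolations` returns anything. Every entry in the exclude set is a judgement that the package never reaches the bundle, which is exactly the hard part the issue body flags, so the set should be reviewed whenever the build tooling changes.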

This could easily be bundled into yarn audit and run on CI.

jamesdphillips avatar Apr 09 '19 00:04 jamesdphillips

James to check on this.

annaplotkin avatar Jul 12 '19 17:07 annaplotkin