Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Licensing issues with big amount of production dependencies
See original GitHub issueSummary
It’s quite hard to find out which Dependencies are actually bundled and shipped with a Gatsby App.
I have the issue, that some (nested) dependencies of gatsby-cli seem to be published under licenses that might be critical for a commercial app (Copyleft).
I’m aware that Gatsby is a generator. But I’m wondering if it’s possible to differ between some kind of "Gatsby Core" (shipped as part of a bundled App) and gatsby-cli. Both published as separate packages. That would allow to list gatsby-cli as devDependency. The current gatsby package could still bundle "Gatsby Core" and gatsby-cli to prevent breaking anything.
Issue Analytics
- State:
- Created 3 years ago
- Reactions:3
- Comments:7 (1 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Any updates @wardpeet ?
Hi @wardpeet!
Yes, you are right. Exactly these two parts (development server and build server) actually belong together. But
gatsby-linkis neither needed by the development server, nor by the build server, but part of the production bundle (output from development server and build server).gatsby-linkandgatsby-cliare not on the same level / type, but both are listed as dependencies ofgatsby. To check for license compliance one need to know exactly which dependencies are eventually part of a production bundle and shipped to the customers.I see three types of dependencies in the
gatsbypackage:devDeps) to develop gatsby itself further, likeeslint,…deps) needed to develop a gatsby site and create a production bundle, likeautoprefixer,gatsby-cli,@typescript/,dotenv,…deps) bundled as part of a gatsby app (which is created using the „build dependencies“), likegatsby-link,@reach/router,…To separate these „Build Dependencies“ and „Production Dependencies“ I suggest to introduce a new package. To stay compatible the „Build dependencies“ can simply depend on the „Production dependencies“. Unfortunately I don’t know the internals, which dependencies the gatsby build process injects into the production bundle (like
core-js).-> QUESTION: Can you point me to the specific files? Then I can play around and possibly suggest a concrete solution.
Random Examples of
Dependenciesgatsby>gatsby-cli>gatsby-recipes>react-icons: Comes with a lot of different licenses, because of the included iconsgatsby>gatsby-cli>gatsby-recipes>urql>wonka: Contains references to GPL licenses (/esy.lock/**)gatsby>webpack-dev-server>selfsigned>node-forge: Comes with a lot of different licenses (/LICENSE), like GPLThere are similar issues with some plugins, like
gatsby-plugin-sharp: >imagemin-pngquant>pngquant: GPL. I guess for these issues I have to check each plugin individually and move that to thedevDeps, if nothing gets bundled.Sourcecode-map-explorer
Sourcecode-map-explorer is a great idea, but I guess by scanning the bundle we cannot be 100% sure to identify all bundled dependencies. Simply because they are bundled. The normal way to scan licenses is to traverse though the lock files (
yarn.lockorpackage-json.lock) and then scan every single line of the dependency (deep scan). Unfortunately just scanning the license, which is declared in thepackage.jsonis not enough. Sometimes a dependency is dual licensed, or the declared package license is different from a license comment in the header of a single file deep in the package.