Licensing issues with big amount of production dependencies
See original GitHub issueSummary
It’s quite hard to find out which Dependencies are actually bundled and shipped with a Gatsby App.
I have the issue, that some (nested) dependencies of gatsby-cli
seem to be published under licenses that might be critical for a commercial app (Copyleft).
I’m aware that Gatsby is a generator. But I’m wondering if it’s possible to differ between some kind of "Gatsby Core"
(shipped as part of a bundled App) and gatsby-cli
. Both published as separate packages. That would allow to list gatsby-cli
as devDependency. The current gatsby
package could still bundle "Gatsby Core"
and gatsby-cli
to prevent breaking anything.
Issue Analytics
- State:
- Created 3 years ago
- Reactions:3
- Comments:7 (1 by maintainers)
Top Results From Across the Web
Should you care about the license? (TL;DR: yes!) - Medium
Typically dependency licenses should be more permissive or the same level of permissive as your package license. For example, if your package ...
Read more >Open source license compliance and dependencies - Synopsys
Open source packages licensed under a permissive license can include dependencies licensed under the GPL, the Lesser General Public License ...
Read more >How I Analyzed All NPM Dependency Licenses in One Go
Using license-checker to find NPM dependency licenses ... However, one of the biggest challenges is analyzing the licenses of hundreds of packages or ......
Read more >Everything You Need to Know About Dependency Vendoring
Dependency vendoring helps reduce security risks and avoid version ... and licensing issues that might arise when using a dependency.
Read more >Challenges of Tracking and Documenting Open Source ...
Software vendors need to manage the dependencies of the open source components used in their products. Without this management, license ...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Any updates @wardpeet ?
Hi @wardpeet!
Yes, you are right. Exactly these two parts (development server and build server) actually belong together. But
gatsby-link
is neither needed by the development server, nor by the build server, but part of the production bundle (output from development server and build server).gatsby-link
andgatsby-cli
are not on the same level / type, but both are listed as dependencies ofgatsby
. To check for license compliance one need to know exactly which dependencies are eventually part of a production bundle and shipped to the customers.I see three types of dependencies in the
gatsby
package:devDeps
) to develop gatsby itself further, likeeslint
,…deps
) needed to develop a gatsby site and create a production bundle, likeautoprefixer
,gatsby-cli
,@typescript/
,dotenv
,…deps
) bundled as part of a gatsby app (which is created using the „build dependencies“), likegatsby-link
,@reach/router
,…To separate these „Build Dependencies“ and „Production Dependencies“ I suggest to introduce a new package. To stay compatible the „Build dependencies“ can simply depend on the „Production dependencies“. Unfortunately I don’t know the internals, which dependencies the gatsby build process injects into the production bundle (like
core-js
).-> QUESTION: Can you point me to the specific files? Then I can play around and possibly suggest a concrete solution.
Random Examples of
Dependencies
gatsby
>gatsby-cli
>gatsby-recipes
>react-icons
: Comes with a lot of different licenses, because of the included iconsgatsby
>gatsby-cli
>gatsby-recipes
>urql
>wonka
: Contains references to GPL licenses (/esy.lock/**)gatsby
>webpack-dev-server
>selfsigned
>node-forge
: Comes with a lot of different licenses (/LICENSE), like GPLThere are similar issues with some plugins, like
gatsby-plugin-sharp
: >imagemin-pngquant
>pngquant
: GPL. I guess for these issues I have to check each plugin individually and move that to thedevDeps
, if nothing gets bundled.Sourcecode-map-explorer
Sourcecode-map-explorer is a great idea, but I guess by scanning the bundle we cannot be 100% sure to identify all bundled dependencies. Simply because they are bundled. The normal way to scan licenses is to traverse though the lock files (
yarn.lock
orpackage-json.lock
) and then scan every single line of the dependency (deep scan). Unfortunately just scanning the license, which is declared in thepackage.json
is not enough. Sometimes a dependency is dual licensed, or the declared package license is different from a license comment in the header of a single file deep in the package.