MIT License and Stylint dependency #58

Closed
jabby opened this issue Oct 11, 2019 · 11 comments
Labels
dependencies Pull requests that update a dependency file


@jabby

jabby commented Oct 11, 2019

Hello,

First of all, I need to give you some context. I worked on Eclipse Wild Web Developer and I tried to include some vuejs support in it. See the current PR about my work.
During the process, I created a Contribution Questionnaire (CQ) at the Eclipse Foundation. The goal was to validate the needed dependencies on all legal aspects (IP process). IP validation failed because one of the transitive dependencies is under the GPL-3.0 License.

I reviewed the answer from the legal team. It seems that stylint is under the GPL-3.0 License. I don't know if you knew about this, so I am here to share this information with you.

I'm not an expert on OSS licenses. I'm only concerned about the compliance between the stylus-supremacy license and the stylint license.

@ThisIsManta
Owner

Hello jabby, thanks for sharing this with me. What would you suggest as the next steps for Stylus Supremacy, please?

@jabby
Author

jabby commented Oct 15, 2019

Like I said, I'm not an expert in OSS licenses.
I started digging and I found the following links.

My advice is to look for other advice from the GPL-3 community.

@mickaelistria do you have any advice on this? Or do you know an expert about licensing node packages?

@mickaelistria

mickaelistria commented Oct 15, 2019

@jabby As you filed a CQ for it, I think you can get in touch with the Eclipse IP team about possible remediation for this one. But my understanding is that if Stylus consumes GPL software from an API perspective, then it cannot really claim to be MIT, and all the downstream stack is actually kind of illegal from a license POV (it should be GPL, or at least the part of it that relies on GPL has to be GPL, and so on in a contaminating way).
So I think the most proper solutions are:

  • Stylint changes license to something more permissive and MIT compatible, or
  • Stylus stops using Stylint (to remain fully MIT), or
  • Vue.js stops using Stylus (to remain fully MIT)

I would recommend that the issue be brought up at each one of these layers.

@octref

octref commented Oct 23, 2019

From @SimenB:

I'd be happy to move to MIT or something, but I'm not sure of the legal implications of doing that. Is it just a matter of changing?

SimenB/stylint#415 (comment)

@ThisIsManta
Owner

Alright. Glad to hear that! I think it's a no-operation for me then.

@octref

octref commented Oct 24, 2019

@ThisIsManta But as it is right now, the library is still under GPL and you would be forced to license your code as GPL as well.

@Shinigami92

Shinigami92 commented Feb 27, 2020

Please update stylint to at least v2.0.0 so that micromatch sub-sub-sub dependency's audit is fixed with version greater braces-v2.3.1
https://www.npmjs.com/advisories/786

This will affect vue-language-server > stylus-supremacy > stylint > chokidar > anymatch > micromatch > braces

ThisIsManta/stylus-supremacy > package.json#L47

@ThisIsManta
Owner

Stylint as a dependency will be bumped to v2.0.0 in Stylus Supremacy v2.14.2 or newer.

ThisIsManta added the "dependencies" label (Pull requests that update a dependency file) on May 6, 2020
@octref

octref commented Jun 8, 2020

@ThisIsManta But you are still depending on Stylint 2.0.0, which is still GPL, so this issue isn't resolved yet.

@ThisIsManta
Owner

Hmm, what should I do now? Would you enlighten me?

@octref

octref commented Aug 26, 2020

@ThisIsManta Sorry, I didn't mean it's your fault. It's just that stylint is still published with GPL, so updating it doesn't help.
