Task Summary
Sub-task of #4688.
Extend bin/licensing/check_binary_deps.py with a new --ignore-transitive-version flag that relaxes the PR-time check so benign transitive version bumps no longer block merges, while still failing on anything that needs legal review.
Direct vs. transitive classification. Load the set of direct dependencies for the current ecosystem from the primary requirement file(s):
- jar → SBT files (build.sbt, any project/*.sbt, project/Dependencies.scala if present)
- npm → frontend/package.json (dependencies + devDependencies)
- agent-npm → agent-service/package.json
- python → operator/requirements.txt and top-level requirements.txt
Anything bundled that is not named in the primary file is treated as transitive.
Behavior with --ignore-transitive-version.
- Missing libraries (declared in LICENSE-binary but not bundled, or bundled but not declared) → still fail, regardless of direct/transitive — a brand-new dep must never silently skip legal review.
- Version mismatch on a direct dep → still fail.
- Version mismatch on a transitive dep → print as informational (DRIFT (transitive)), do not affect exit code.
Default behavior (no flag). Exact-match behavior is preserved (current behavior).
CI integration. Update .github/workflows/build.yml to pass --ignore-transitive-version on the four check_binary_deps.py invocations (frontend npm ~L112, jar ~L225, python ~L300, agent-npm ~L361).
Acceptance.
- A PR whose only license-check delta is a transitive-version bump (e.g. a tifffile release) passes the license check.
- A PR that adds a brand-new direct or transitive dependency still fails until LICENSE-binary is updated.
- A PR that bumps a direct dependency to a new version still fails until LICENSE-binary is updated.
- Running the script without --ignore-transitive-version reproduces the strict pre-existing behavior.
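The classification and exit-code rules above, as an added illustration (this is not the project's check_binary_deps.py, only a sketch of the decision logic it describes). It assumes LICENSE-binary and the bundle have already been parsed into name→version maps with normalized names, and uses constructed sample data for the python ecosystem.

```python
import re

# Matches the package name at the start of a requirements.txt line (no extras/specifiers).
_REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def direct_from_requirements(text):
    """Names of direct deps from a requirements.txt body (comments, blanks, -r/-e lines skipped)."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_NAME.match(line)
        if m:
            names.add(m.group(1).lower().replace("_", "-"))
    return names


def check_binary_deps(declared, bundled, direct, ignore_transitive_version=False):
    """Return (exit_code, findings). Missing/undeclared deps and direct-version mismatches
    always block; a transitive version mismatch blocks only without the flag."""
    findings, blocking = [], 0
    for name in sorted(set(declared) | set(bundled)):
        if name not in bundled:
            findings.append((name, "MISSING", f"declared {declared[name]} but not bundled"))
            blocking += 1
        elif name not in declared:
            findings.append((name, "UNDECLARED", f"bundled {bundled[name]} but not in LICENSE-binary"))
            blocking += 1
        elif declared[name] != bundled[name]:
            detail = f"LICENSE-binary {declared[name]} vs bundle {bundled[name]}"
            if ignore_transitive_version and name not in direct:
                findings.append((name, "DRIFT (transitive)", detail))  # informational only
            else:
                findings.append((name, "MISMATCH", detail))
                blocking += 1
    return (1 if blocking else 0), findings


# Constructed sample data (not from the project): numpy and pillow are direct, tifffile transitive.
REQUIREMENTS_TXT = "numpy==1.26.4  # pinned\npillow>=10.0\n-r other.txt\n"
DIRECT = direct_from_requirements(REQUIREMENTS_TXT)
DECLARED = {"numpy": "1.26.4", "pillow": "10.2.0", "tifffile": "2024.1.30"}
BUNDLED = {"numpy": "1.26.4", "pillow": "10.2.0", "tifffile": "2024.2.12"}

if __name__ == "__main__":
    for flag in (False, True):
        code, found = check_binary_deps(DECLARED, BUNDLED, DIRECT, flag)
        print(f"--ignore-transitive-version={flag}: exit {code}", found)
```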