Missing license in child dependency cli-color

[kbradl16]

json-diff uses an old version of cli-color that does not have a license. According to cli-color's npm and github pages, it uses the ISC License, BUT unfortunately that is just for v1.3.0 and later.

An MIT License was added to v0.2.2 in this commit medikoo/cli-color@d28882b

json-diff is using the unlicensed version of the cli-color package v0.1.7

Why do I care?

I want to use this module! but I am not allowed to use this module without it being appropriately licensed. Since this is a dependency I am blocked from installing aws-cdk module with "json-diff": "^0.5.4" because it cannot be completed without also installing the dependency json-diff module with "cli-color": "~0.1.6" which has a dependency on cli-color@0.1.7 which DOES NOT have a license.

How to solve?

1. Remove json-diff
2. Update json-diff to use newer cli-color (at least to v0.2.2 where MIT license was added) which has a license. (Seems unlikely since it seems to be inactive) -- json-diff issue
3. Fork json-diff and make the update yourself.
4. replace json-diff with one of these (only a quick google search for alternatives):
   • jdd
   • diff-json
   • json-schema-diff
   • @broofa/jsondiff

[NGL321]

Hi @kbradl16,

It appears you are correct. In my previous search, I only looked at the first commits and latest of each repo, and so I missed the gap in licensing.
I apologize for the confusion.

This is something we can look into fixing, but it may take some time because we do depend on json-diff pretty heavily for the spec-diff tool. I will update this issue after we have a chance to discuss this further.

[nmussy]

rfc6902 also looks like a good candidate (maintained, typed, well covered).

[kbradl16]

Any updates here? Did the aws-cdk move to @aws-cdk/core? If so I think this can close

[NGL321]

Hey @kbradl16,

Sorry this has gone so long without addressing.

Any updates here? Did the aws-cdk move to @aws-cdk/core? If so I think this can close

@aws-cdk/core is the main cdk package now, but from what I can tell, jsii-color is still a dependency. If this meets the criteria you need (tbh licensing is not my forte), go ahead and close this, but if you still need the change I will bring this up to the dev team again.

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[fschaeffler]

Due to company policies, we have a strict set of licenses that are allowed to be used. The license of cli-color is specified as Custom: https://github.com/medikoo/clock. In addition to that, the repository https://github.com/medikoo/clock is also depreciated and not maintained anymore.

Unfortunately, this breaks quite some build processes for us as we make use of license checks with our CI/CD pipeline.

PERMITTED_LICENSES="0BSD;AFL-3.0;Apache-2.0;Apache 2.0;Artistic-2.0;BSD-2-Clause;BSD-3-Clause-Clear;BSD-3-Clause;BSD-4-Clause;BSL-1.0;CC-BY-4.0;CC-BY-SA-4.0;CC0-1.0;ECL-2.0;ISC;MIT;MS-PL;NCSA;OFL-1.1;PostgreSQL;Unlicense;UPL-1.0;WTFPL;Zlib"
npx license-checker --production --excludePrivatePackage --json --out used-licenses.json --onlyAllow "$PERMITTED_LICENSES"