This issue was moved to a discussion. You can continue the conversation there.
Licensing issues with big amount of production dependencies #27232
Comments
Can we please have an update on this issue? For most projects, we list
It's going to be tricky, as Gatsby is both a development server and a build server, so what would the package gatsby-core have? Would it only have the files that are used in production builds? Would it help to give you a list of what we have today in production builds? A good indicator is using source-map-explorer and the hello world starter
Hi @wardpeet! Yes, you are right. Exactly these two parts (development server and build server) actually belong together.
I see three types of dependencies in the
To separate these „Build Dependencies“ and „Production Dependencies“ I suggest introducing a new package. To stay compatible, the „Build dependencies“ can simply depend on the „Production dependencies“. -> QUESTION: Can you point me to the specific files? Then I can play around and possibly suggest a concrete solution. Random examples of
@Purii At least for the I'm aware that some tools erroneously detect these licences, and since publishing these lockfiles isn't necessary anymore, I've removed them in the latest patch release, which you can upgrade to. For comparison: On a side note, IANAL, but using tools like
@kitten Thanks for that note, and it's really awesome that you patched your package! Some of the scanners ("the most accurate ones") scan the whole repository instead of only the files published to npm. I'm about to dig deeper into why they're doing that. But scanning the whole source code instead of only the package.json or LICENSE file makes total sense to me (see my comment above). The point is, with libs like
Any updates @wardpeet?
Summary
It's quite hard to find out which dependencies are actually bundled and shipped with a Gatsby App.

I have the issue that some (nested) dependencies of `gatsby-cli` seem to be published under licenses that might be critical for a commercial app (Copyleft). I'm aware that Gatsby is a generator. But I'm wondering if it's possible to differentiate between some kind of "Gatsby Core" (shipped as part of a bundled App) and `gatsby-cli`, both published as separate packages. That would allow listing `gatsby-cli` as a devDependency. The current `gatsby` package could still bundle "Gatsby Core" and `gatsby-cli` to prevent breaking anything.