Monorepository (lerna) issue

[marmaak]

Currently I am working on a mono-repository using lerna and its feature of hoisting dependencies (quoting from https://github.com/lerna/lerna/blob/master/doc/hoist.md):

When an overall project is divided into more than one NPM package, this organizational improvement generally comes with a cost: the various packages often have many duplicate dependencies in their package.json files, and as a result hundreds or thousands of duplicated files in various node_modules directories. By making it easier to manage a project comprised of many NPM packages, Lerna can inadvertently exacerbate this problem.

Fortunately, Lerna also offers a feature to improve the situation - Lerna can reduce the time and space requirements for numerous copies of packages in development and build environments, by "hoisting" dependencies up to the topmost, Lerna-project-level node_modules directory instead.

As per my understanding, licensee.js is using the read-package-tree library (by which it will look at the node_modules folder structure only) from npm to understand which dependencies to check and basically - in combination with the previous described behaviour - in my case is checking also the licenses of transitive dependencies.

This in principles can be good but it should be configurable from my point of view with a flag/option (depth?) and the process should also relay not only on the node_modules structure but also - probably - on the lockfiles (both npm-shrinkwrap and package-lock) where the details about a dependency are more precise.

Am I wrong?

[ljharb]

A lerna monorepo will have a node_modules folder at the root with everything, but also one in each subpackage with everything that package has. Transitive deps should be checked; so I’m a bit unclear on your issue - if you run licensee in the root it’d check the entire repo, as it should, and if you run it directly inside a subpackage it should check that entire subpackage.

Are you seeing something different?

[marmaak]

If you hoist the dependencies it is not like this in our case because we are using the monorepo approach to force developer of each package to use the same libraries and the same version of them. If lerna discover multiple packages using the same libraries with the same versions of them it will hoist the dependencies. Also some transitive dependencies will be installed in a hoisted way if they are required by multiple libraries, at least this is what I see in our case.

However we don't want to check if the libraries used by Angular for instance, have a proper license or not, but if this library is hoisted for some reason, I cannot use the parent to understand if it is required by one of my packages or by a 3rd party lib in order to check only the first case.

Is it more clear my situation now?

[ljharb]

Why wouldn’t you want to check those? You have potential legal liability there, too - that angular chose to use them doesn’t inoculate you.