-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Monorepository (lerna) issue #54
Comments
A lerna monorepo will have a node_modules folder at the root with everything, but also one in each subpackage with everything that package has. Transitive deps should be checked; so I’m a bit unclear on your issue - if you run licensee in the root it’d check the entire repo, as it should, and if you run it directly inside a subpackage it should check that entire subpackage. Are you seeing something different? |
If you hoist the dependencies it is not like this in our case because we are using the monorepo approach to force developer of each package to use the same libraries and the same version of them. If lerna discover multiple packages using the same libraries with the same versions of them it will hoist the dependencies. Also some transitive dependencies will be installed in a hoisted way if they are required by multiple libraries, at least this is what I see in our case. However we don't want to check if the libraries used by Angular for instance, have a proper license or not, but if this library is hoisted for some reason, I cannot use the parent to understand if it is required by one of my packages or by a 3rd party lib in order to check only the first case. Is it more clear my situation now? |
Why wouldn’t you want to check those? You have potential legal liability there, too - that angular chose to use them doesn’t inoculate you. |
Currently I am working on a mono-repository using lerna and its feature of hoisting dependencies (quoting from https://github.com/lerna/lerna/blob/master/doc/hoist.md):
As per my understanding,
licensee.js
is using theread-package-tree
library (by which it will look at thenode_modules
folder structure only) from npm to understand which dependencies to check and basically - in combination with the previous described behaviour - in my case is checking also the licenses of transitive dependencies.This in principles can be good but it should be configurable from my point of view with a flag/option (
depth
?) and the process should also relay not only on thenode_modules
structure but also - probably - on the lockfiles (bothnpm-shrinkwrap
andpackage-lock
) where the details about a dependency are more precise.Am I wrong?
The text was updated successfully, but these errors were encountered: