Risk: Current dependencies being used by Mojaloop seem to include some viral licenses on key components (Kafka, Hapi, etc).

[NicoDuvenage]

Request:

Link to license report that was executed by @rajiv313 : https://mojaloop.slack.com/files/U87PH4C69/FCSGKAF60/screen_shot_2018-09-13_at_11.15.43.png

Artifacts:

• Artifact to consider [@contributor]

Decision(s):

• License scan has been completed, across all node projects, and it doesn't look too serious.

Follow-up:

• Remove the deprecated projects from the license file, and reevaluate any of the dependencies that have unknown or AGPL licenses
• Add license scanning CI step to all projects (see Add license scanning and npm audit into the CI/CD pipeline project#801)

Dependencies:

• If Applicable

Accountability:

• Owner:

Notes:

[lewisdaly]

As a part of #711, I implemented this license-scanner tool, which allows us to scan dependencies across projects with Fossa cli or exporting to a single .xlsx file locally.

Our license scan results showed only a few minor instances of GPL licenses. See attached xlsx file for the summary.

license-summary.xlsx

I'm also working on #801, which will introduce the license-scanning step into our CI workflow, and fail CI checks when new disallowed licenses are being introduced into our dependencies.

[lewisdaly]

I think we can close this ticket. We have other follow up tickets:

• Submit Updates to Packages with ambiguous licenses project#912
• License-scan followup: Remove dependencies, and scan production node_modules only project#986

As far as the DA goes on this topic, I think we have the appropriate measures in place to no longer introduce GPL and other unwanted licenses into the codebase.