Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feature request: list license for deps #2825

Closed
nathanhruby opened this issue Sep 3, 2020 · 13 comments
Closed

feature request: list license for deps #2825

nathanhruby opened this issue Sep 3, 2020 · 13 comments
Milestone

Comments

@nathanhruby
Copy link

feature request: list license for deps

pnpm version:

5.5.10

Expected behavior:

We often need to examine the full list of licenses for everything in our dependency chain. It would be great if pnpm had the ability to record licenses as part of the lockfile metadata and output that info in in pnpm list output, either as an additional arg, or as part of the json output

Additional information:

  • node -v prints: v12.14.1
  • Windows, OS X, or Linux?: OS X
@zkochan
Copy link
Member

zkochan commented Sep 3, 2020

I am not sure about adding a new field to the lockfile but we can probably support listing the licenses via some command. Or if there is an existing project that does that, maybe we can ask for pnpm support.

@nathanhruby
Copy link
Author

For sure, I just happened to be looking at the lockfile and it seemed like a good idea at the time. Getting the data is more of a concern than where it comes from.

davglass/license-checker#197 is a request to support pnpm in the tool we were using with lerna+npm.. Maybe a better question is if I can run that at the root of the virtual store?

@Sytten
Copy link
Contributor

Sytten commented Jul 29, 2022

We also happen to need this to generate a list of dependency and their license

EDIT: I made a fix but honestly the setup is too much of PITA to contribute back, I can't get the test to even pass without my changes so I can't write the tests for the changes. Hopefully the devs can take it up from here.

Sytten added a commit to caido/action-pnpm that referenced this issue Jul 29, 2022
@zkochan
Copy link
Member

zkochan commented Jul 29, 2022

There is an ongoing PR: #4851

@Sytten
Copy link
Contributor

Sytten commented Jul 29, 2022

License compliance is another thing IMO, in most cases you do just want to have the author and license plain to automate attribution when you already know you are compliant.

@woifes
Copy link

woifes commented Aug 16, 2022

I am glad that this issue is on the table since the topic gets more and more important. I transitionend to pnpm because it seemed to me, that pnpm has the biggest heart for monorepos. Therefore please dont forget them here aswell.
There exist some packages like "license-checker" but they only dig through the node_modules folder. If I use npm workspaces I have the issue that all same dependencies get thrown in one big pot (node_modules folder).
I think listing all licenses is the first step. This can get complex too if packages are dual/multi licensed or do not use the license property in the package.json properly. License-Checker has alternative ways to determine the license and has a way of labeling this if it was necessary.
Other tools for the compliance can filter/whiltelist this list for further needs.

@Sytten
Copy link
Contributor

Sytten commented Oct 20, 2022

Considering the PR is stalled, how big of a change would it be to incorporate my changes?
You have the commit above, it's really just adding the author and license to the JSON.

@zkochan
Copy link
Member

zkochan commented Oct 20, 2022

Make a PR

zkochan pushed a commit that referenced this issue Oct 24, 2022
weyert pushed a commit to weyert/pnpm that referenced this issue Oct 30, 2022
Introduces a new command `licenses`-command which allows to list
the licenses of the packages

refs pnpm#2825
weyert pushed a commit to weyert/pnpm that referenced this issue Nov 1, 2022
Introduces a new command `licenses`-command which allows to list
the licenses of the packages

refs pnpm#2825
@LucaColonnello
Copy link

LucaColonnello commented Nov 15, 2022

Would love to see this feature merged in pnpm, as it's currently a blocker for us (Trainline) to use pnpm.
Many enterprises would be strict on license checking to avoid incurring in legal issues, so this is required.

Unfortunately there does not seem to be another solution here, at least as far as I know.
How can we help get this PR through @weyert @zkochan ?

Also, I would like to thank you for working on this, it's going to be incredibly helpful!

@Sytten
Copy link
Contributor

Sytten commented Nov 15, 2022

The license is now included in the list command. That is what we use at Caido to ensure compliance. With the json flag it is easy to parse.

@LucaColonnello
Copy link

@Sytten has this just been released now? I tried running
pnpm list --long --json using pnpm v7.16 and I cannot see the license, but I might be looking at the wrong thing 🤔

@zkochan
Copy link
Member

zkochan commented Nov 15, 2022

There is an ongoing PR: #5567

zkochan pushed a commit to weyert/pnpm that referenced this issue Nov 17, 2022
Introduces a new command `licenses`-command which allows to list
the licenses of the packages

refs pnpm#2825
zkochan pushed a commit to weyert/pnpm that referenced this issue Nov 17, 2022
Introduces a new command `licenses`-command which allows to list
the licenses of the packages

refs pnpm#2825
@zkochan zkochan added this to the v7.17 milestone Nov 20, 2022
@weyert
Copy link
Contributor

weyert commented Nov 22, 2022

Would love to see this feature merged in pnpm, as it's currently a blocker for us (Trainline) to use pnpm. Many enterprises would be strict on license checking to avoid incurring in legal issues, so this is required.

Unfortunately there does not seem to be another solution here, at least as far as I know. How can we help get this PR through @weyert @zkochan ?

Also, I would like to thank you for working on this, it's going to be incredibly helpful!

Yes. I am in the same boat needed this functionality to be able to use it at work. We are using Gitlab at work and for the license scanning they use pivotal’s license finder. I will finish my PR over there now that the new version with the command is included.

Let me know, how the command works for you, :)

@LucaColonnello Any chance that Trainline uses Gitlab too 😇

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants