chore(ci): add dependency review and license check for production dependencies #1897
Conversation
OK! glob already has a dependency containing Blue Oak.
There's globby which may be good as a replacement...
A PR to replace one usage of glob is here: probot/octokit-plugin-config#244. This seems to be the only thing that currently requires glob as a dependency if we exclude devDependencies of probot, and it is a mistake there.
You beat me to it. Wanted to also propose a PR for that ;).
@AaronDewes
@gr2m I can't merge for some reason, can you have a look at what this "test" is?
I guess there is a setting which makes it mandatory to have a job "test" in the repo settings. Renamed test_codecov back to test.
Did not seem to work, but it could be a bug in GitHub.
Head branch was pushed to by a user without write access
🎉 This PR is included in version 13.0.0-beta.8 🎉 The release is available on: Your semantic-release bot 📦🚀
This is what we do in fastify
We use the license-checker and not the option of the dependency review action, because the license-checker was more reliable in the past.
We have to be careful, as e.g. @isaacs is moving to the BlueOak license for his packages and isaacs controls a lot of dependencies, e.g. glob. Blue Oak is not OSI approved and could result in license issues for projects depending on probot, if we are not careful to detect them in the production dependencies. So if e.g. isaacs decides that he wants to move from MIT to BlueOak for glob, we need to detect that.
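A production-dependency license gate of the kind described above, as an added example that is neither fastify's nor probot's own code: it consumes the JSON shape that `license-checker --production --json` emits and rejects anything outside an allowlist. The allowlist, the package names and the report contents are assumptions constructed for the example.

```javascript
// Added example (not probot's or fastify's code): fail a CI step when any
// production dependency carries a license outside an allowlist. Input is the
// shape produced by `license-checker --production --json`; the report below
// is constructed sample data with placeholder package names.

// Licenses this project accepts (assumption: tune to your own policy).
const ALLOWED = new Set([
  "MIT", "ISC", "0BSD", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "CC0-1.0",
]);

// Decide whether one license field is acceptable. license-checker reports
// SPDX expressions such as "(MIT OR Apache-2.0)", arrays for multi-license
// packages, "UNKNOWN" when nothing was declared, and appends "*" when it
// guessed the license from README/LICENSE text instead of package.json.
function isAllowed(field) {
  const raw = (Array.isArray(field) ? field.join(" AND ") : String(field)).trim();
  if (raw.endsWith("*")) return false; // guessed, not declared: needs a human look
  const expr = raw.replace(/[()]/g, "");
  // Mixed AND/OR expressions are not parsed exactly once parentheses are
  // dropped, so they are rejected here and left for manual review.
  if (/\sAND\s/i.test(expr) && /\sOR\s/i.test(expr)) return false;
  // Dual licensing ("A OR B") passes if any alternative is allowed;
  // a conjunction ("A AND B") needs every part allowed.
  return expr
    .split(/\s+OR\s+/i)
    .some((alt) => alt.split(/\s+AND\s+/i).every((id) => ALLOWED.has(id.trim())));
}

// Return every package whose license field fails the allowlist.
function findViolations(report) {
  return Object.entries(report)
    .filter(([, info]) => !isAllowed(info.licenses))
    .map(([pkg, info]) => ({ pkg, licenses: info.licenses }));
}

// Constructed sample report (placeholder package names, not real packages).
const SAMPLE_REPORT = {
  "good-dep@1.2.3": { licenses: "MIT" },
  "dual-dep@2.0.0": { licenses: "(MIT OR Apache-2.0)" },
  "multi-dep@3.1.0": { licenses: ["ISC", "BSD-2-Clause"] },
  "guessed-dep@0.1.0": { licenses: "MIT*" },
  "new-dep@9.0.0": { licenses: "BlueOak-1.0.0" },
};

const violations = findViolations(SAMPLE_REPORT);
for (const v of violations) console.log(`license violation: ${v.pkg} (${v.licenses})`);
// In a CI step, exit non-zero here: process.exit(violations.length ? 1 : 0)
```

Running it against the sample report flags the guessed license and the Blue Oak package, which is exactly the case the comment above wants caught before it reaches probot's production dependency tree.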