chore(ci): add dependency review and license check for production dependencies #1897
Conversation
|
OK! glob is already having a dep containing blue oak. |
There's globby which may be good as a replacement... |
|
A PR to replace one usage of glob is here: probot/octokit-plugin-config#244. This seems to be the only thing that currently requires glob as a dependency if we exclude devDependencies of probot, and it a mistake there. |
|
You beat me to it. Wanted to also propose a PR for that ;). |
|
@AaronDewes |
|
@gr2m I can't merge for some reason, can you have a look what this "test" is? |
|
I guess there is a setting which makes it mandatory to have a job "test" in the repo settings. renamed test_codecov back to test |
|
Did not seem to work, but it could be a bug in GitHub. |
Head branch was pushed to by a user without write access
|
🎉 This PR is included in version 13.0.0-beta.8 🎉 The release is available on: Your semantic-release bot 📦🚀 |
This is what we do in fastify
We use the license-checker and not the option of dependency review action, because the license-checker was more reliable in the past.
We have to be careful, as e.g. @isaacs is moving to the BlueOak license for his packages and isaacs controles alot of dependencies e.g.
glob. Blue Oak is not OSI approved and could result in license issues for projects dependending on probot, if we are not careful to detect them in the production dependencies. So if e.g. isaacs decides that he wants to move from MIT to BlueOak for glob, we need to detect that.