Replace license.html with license.txt (for artifact scanners) #171
Comments
Thanks James. Once this patch needs to be released (1.0.6?) to maven, ring will need to update its dependencies to use it (1.8.3?). I know you've just released ring 1.8.2 to maven to fix the jetty vulnerability, so I'm really very sorry I didn't include a link to this before you got to it. Together though, ring will pass the artifact scanning and so will hiccup.
Sorry, I'm not following. Why does Ring need an updated version of Hiccup?
Hi James - Hiccup is a dependency of
Yes, I know Hiccup is a dependency of ring-devel. What I don't understand is why ring-devel needs an updated version of Hiccup.
I do see your point, it's not essential. All licenses in all dependencies are checked by the artefact scanning tool I'm required to use to bring an external library into my org. Now, I can skip rejected dependencies, which is fine for now. Ultimately, a version of hiccup with a license will be necessary, because many libs (other than ring-devel) need it. It's the usual story of trying to transfer a home setup to a corporate setup, and it's of course nice to have a neat project.clj without lots of :exclusions.
Why doesn't the artifact scanning tool look at the
It's probably a little optimistic to expect a maven package scanner to parse edn in
The license should also be in As for including a plaintext LICENSE file, that's what I have been doing. A few older repositories that predate the GitHub guidelines had HTML licenses, but I believe Hiccup might have been the last one. As for making the license scanner happy, can you add a dependency for Hiccup 2.0.0-alpha1? That should override 1.0.5 and provide the license you require.
Yes, the 2.0.0-alpha1 version passed the scanning, thanks again for seeing to this.
Hi James - I see you've done the above for many of your other projects, now I think I understand why - some artifact scanners can't handle the license.html and report that the library is missing a license. Do you think you could replace it? Thanks.