Chainlit / chainlit

Build Conversational AI in minutes ⚡️
https://docs.chainlit.io
Apache License 2.0
6.69k stars 867 forks

ua-parser-js license is not allowed #1037

Open hayescode opened 3 months ago

hayescode commented 3 months ago

My company uses Apiiro for security vulnerability checks, and ua-parser-js 0.7.37 is throwing critical security errors due to its license type, AGPL.

It looks like this was introduced to the pnpm-lock.yaml in version 1.1.0.

Is there another library that can be used instead of ua-parser-js?


hayescode commented 3 months ago

From GPT4o:

The GNU Affero General Public License (AGPL) is not inherently a security concern in terms of software vulnerabilities or threats. However, it can raise concerns in a business context, particularly related to compliance and control over software distribution. Here are a few reasons why AGPL might be considered a concern in certain scenarios:

Source Code Disclosure: AGPL requires that the source code be made available to any network users of the AGPL-licensed software. This can be a concern for businesses that modify AGPL software and do not wish to disclose their modifications to the public.

Compliance Complexity: Ensuring compliance with the AGPL can be more complex compared to other licenses. This is because it extends the requirement of sharing source code modifications to users who interact with the software over a network.

Legal and Operational Risks: If a company uses AGPL software and fails to comply with its terms, it could face legal repercussions. Additionally, there might be operational risks if dependencies or critical software systems are under AGPL, which might require unexpected sharing of proprietary enhancements.

Integration with Proprietary Software: Integrating AGPL software with proprietary systems can be risky. If not managed carefully, there could be a legal argument that the proprietary software must also be released under the AGPL, which could force a company to reveal source code they intend to keep private.

These concerns are primarily related to legal and compliance aspects rather than direct software security vulnerabilities.

wfjt commented 3 months ago

AFAIK if it's used "at a distance" you're not a derived work, but the definition is so ambiguous that the official stance from Apache is that any GPL-licensed code is not compatible with Apache 2.0. The other way around is possible.

As someone considering building a larger solution around Chainlit, this is a major issue and means Chainlit cannot be used as-is. Either I have to fork and replace the library, or drop Chainlit if this is not fixed.

hayescode commented 3 months ago

@willydouhard @tpatel can anything be done? It seems like this library comes from fbjs.

hayescode commented 3 months ago

@willydouhard @tpatel @constantinidan This dependency is coming from fbjs. From the GitHub Repo:

Note: If you are consuming the code here and you are not also a Facebook project, be prepared for a bad time. APIs may appear or disappear and we may not follow semver strictly, though we will do our best to. This library is being published with our use cases in mind and is not necessarily meant to be consumed by the broader public. In order for us to move fast and ship projects like React and Relay, we've made the decision to not support everybody. We probably won't take your feature requests unless they align with our needs. There will be overlap in functionality here and in other open source projects.

This is a major concern for many of us, and for you as well, I would think. This seems risky on several fronts. I'm not sure why we have this Facebook fbjs library here? For ua-parser-js specifically, GPT4 gave these alternative recommendations:

Bowser:

useragent:

detect-browser:

platform.js:

Please let us know ASAP if this can/will be fixed.
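Tracing the chain in pnpm-lock.yaml that pulls a flagged package in, as an added example that is not part of this issue or of Chainlit's code: it answers the "why is fbjs here" question programmatically, the way `pnpm why ua-parser-js` does interactively, so a CI license gate can report the full path rather than just the leaf package. The lockfile excerpt is constructed from the packages named in this thread (pnpm lockfile v6 layout) with a placeholder integrity hash; a real lockfile is passed in as text the same way.

```python
import re
from collections import defaultdict
# Constructed excerpt in pnpm lockfile v6 layout (not Chainlit's real lockfile;
# the integrity hash is a placeholder).
SAMPLE_LOCK = """\
importers:
  .:
    dependencies:
      fbjs:
        version: 3.0.5
packages:
  /fbjs@3.0.5:
    resolution: {integrity: sha512-PLACEHOLDER}
    dependencies:
      ua-parser-js: 0.7.37
  /ua-parser-js@0.7.37:
"""

def parse_edges(text):
    """Build {node: [dependency nodes]}; the importer dir ('.') is the root node."""
    edges, stack = defaultdict(list), []  # stack of (indent, key) = current YAML path
    for raw in filter(str.strip, text.splitlines()):
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        key, value = key.strip("'\""), value.strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        path = [k for _, k in stack]
        # packages./name@ver.dependencies.dep: ver  => name@ver depends on dep@ver
        if len(path) == 4 and path[0] == "packages" and path[2] == "dependencies":
            edges[path[1].lstrip("/")].append(f"{path[3]}@{value}")
        # importers.<dir>.dependencies.dep.version: ver  => root depends on dep@ver
        elif len(path) == 5 and path[0] == "importers" and path[4] == "version":
            edges[path[1]].append(f"{path[3]}@{value}")
    return edges

def find_chains(edges, target, root="."):
    """Every chain root -> ... -> target@<version>, as lists of node ids."""
    chains = []
    def walk(node, path):
        # Bare package name: 'fbjs@3.0.5(react@18.2.0)' -> 'fbjs', '@s/x@1.0' -> '@s/x'
        if re.match(r"@?[^@]+", node).group(0) == target:
            chains.append(path)
            return
        for child in edges.get(node, []):
            if child not in path:  # lockfiles can contain dependency cycles
                walk(child, path + [child])
    walk(root, [root])
    return chains
```

Running `find_chains(parse_edges(SAMPLE_LOCK), "ua-parser-js")` on the sample yields the single chain `. -> fbjs@3.0.5 -> ua-parser-js@0.7.37`, which is the fact a license scanner report usually omits.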