Closed pmarsh-scottlogic closed 11 months ago
Checking Licence compatibility (summaries by `npx license-checker --summary`)
Frontend:

```
├─ MIT: 473 (approved)
├─ ISC: 46 (approved)
├─ Apache-2.0: 13 (approved)
├─ BSD-2-Clause: 12 (approved)
├─ BSD-3-Clause: 7 (approved)
├─ Apache*: 1 (approved - package is @cyntler/react-doc-viewer with apache 2.0)
├─ Python-2.0: 1 (approved)
├─ MPL-2.0: 1 (caution)
├─ CC-BY-4.0: 1 (?)
├─ CC0-1.0: 1 (caution)
├─ (MIT AND Zlib): 1 (approved)
├─ Custom: https://vitejs.dev/: 1 (approved - "Vite is released under the MIT license" - https://github.com/vitejs/vite/blob/main/packages/vite/LICENSE.md)
├─ 0BSD: 1 (approved)
└─ (MIT OR CC0-1.0): 1 (approved I think, as this means we can choose the licence, so fine under MIT (?))
```

CAUTION: 4 libraries in frontend
Backend:

```
├─ MIT: 519 (approved)
├─ ISC: 43 (approved)
├─ BSD-3-Clause: 23 (approved)
├─ Apache-2.0: 12 (approved)
├─ BSD-2-Clause: 11 (approved)
├─ (MIT OR CC0-1.0): 2 (approved I think, as this means we can choose the licence, so fine under MIT (?))
├─ Python-2.0: 1 (approved)
├─ CC0-1.0: 1 (caution)
├─ CC-BY-4.0: 1 (?)
└─ Custom: https://platform.openai.com/account/api-keys: 1 (our licence)
```

2 libraries caution/? in backend
CC0-1.0 binary-search@1.3.6 (dependency from langchain@0.0.113)
CC-BY-4.0 caniuse-lite@1.0.30001561 (dependency from ts-jest@29.1.1)
MIT OR CC0-1.0
type-fest@0.20.2 (dependency from eslint@8.53.0)
type-fest@0.21.3 (dependency from ts-jest@29.1.1)
CC-BY-4.0 LICENCE: https://creativecommons.org/licenses/by/4.0/deed.en
- This should be OK, as we're not using/adapting the code and only need to give credit/acknowledgements to follow the licence (will double check to see if this is on the approved list).
Similar for CC0-1.0: https://creativecommons.org/publicdomain/zero/1.0/deed.en In fact, it looks like 1.0 is a less strict version of 4.0. It looks like it's even OK to use commercially, so open source shouldn't be an issue.
Only problem is noted here - "It is not OSI approved and explicitly states that patent rights are not granted, and hence constitutes a risk."
MPL seems a bit more complicated. Generally it's a bit stricter than Apache in the sense that it needs modifications to be detailed (we're not making any modifications). However, it does describe itself as an Open Source license.
Also noted here - "A copyleft licence"
The maintainers of the a11y package don't seem too bothered about it, and I do wonder if going open source counts as "distributing". We're not really including any of the axe-core code when going open source, we're just pointing to it. That would be different if we were bundling up our app in any way...
Thanks for doing such a detailed analysis. My read of this is:
All looks good to me 👍
Make sure all licenses of dependencies, including transitive dependencies (dependencies of dependencies), are approved by SL and compatible with our MIT license (e.g. if a dependency has the copy-left license then we cannot use it under the MIT license). There are smart ways to do this.
Going forward, we need to continue to be careful about licensing when introducing new dependencies.
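One of the "smart ways" to keep this check repeatable is to feed `npx license-checker --json` into a small script that evaluates each licence expression against an allowlist, rather than eyeballing the `--summary` tree. The script below is an added example written for this thread, not code from the project or from license-checker itself. It parses compound SPDX expressions such as `(MIT OR CC0-1.0)` (OR means we may pick either licence, AND means every part must be acceptable), treats `Custom:` entries and license-checker's guessed `Apache*` marker as needing a human decision, and lets you record that decision as a per-package override. The `APPROVED` and `CAUTION` sets mirror the classification in the thread above and are not SL's official approved list; the sample input object is constructed for the example, and the `0.0.0-placeholder` versions are placeholders, not real versions.

```javascript
// Added example: audit `license-checker --json` output against an allowlist.
// Input shape follows license-checker: { "name@version": { licenses: "MIT", ... } }.
// The sample below is constructed for this example (placeholder versions where
// the thread gives none); the licences match the packages discussed above.
const SAMPLE_LICENSE_CHECKER_JSON = {
  "example-mit-lib@1.0.0": { licenses: "MIT" },                       // constructed name
  "binary-search@1.3.6": { licenses: "CC0-1.0" },
  "caniuse-lite@1.0.30001561": { licenses: "CC-BY-4.0" },
  "type-fest@0.20.2": { licenses: "(MIT OR CC0-1.0)" },
  "axe-core@0.0.0-placeholder": { licenses: "MPL-2.0" },
  "@cyntler/react-doc-viewer@0.0.0-placeholder": { licenses: "Apache*" }, // "*" = guessed by license-checker
  "vite@0.0.0-placeholder": { licenses: "Custom: https://vitejs.dev/" },
};

// Classification used in the thread (assumption: not the official SL approved list).
const APPROVED = new Set(["MIT", "ISC", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "0BSD", "Python-2.0", "Zlib"]);
const CAUTION = new Set(["MPL-2.0", "CC0-1.0", "CC-BY-4.0"]); // copyleft / not OSI approved: human decision

// Decisions recorded after someone read the licence file, keyed by package name.
const MANUAL_OVERRIDES = {
  "vite": "MIT",                           // vite's LICENSE.md says MIT (see thread)
  "@cyntler/react-doc-viewer": "Apache-2.0", // guessed "Apache*" confirmed as Apache 2.0
};

const STATUS = ["approved", "caution", "unknown"]; // index = severity rank

function tokenize(expr) {
  return expr.match(/\(|\)|[^\s()]+/g) || [];
}

// Grammar: or := and ("OR" and)* ; and := atom ("AND" atom)* ; atom := "(" or ")" | ID ["WITH" ID]
function parse(tokens) {
  let pos = 0;
  function parseOr() {
    let node = parseAnd();
    while (tokens[pos] === "OR") { pos++; node = { op: "OR", left: node, right: parseAnd() }; }
    return node;
  }
  function parseAnd() {
    let node = parseAtom();
    while (tokens[pos] === "AND") { pos++; node = { op: "AND", left: node, right: parseAtom() }; }
    return node;
  }
  function parseAtom() {
    const tok = tokens[pos++];
    if (tok === "(") {
      const node = parseOr();
      if (tokens[pos++] !== ")") throw new Error("unbalanced parentheses");
      return node;
    }
    if (tok === undefined || tok === ")") throw new Error("unexpected end of expression");
    // Keep "Apache-2.0 WITH LLVM-exception" as one id so it is looked up verbatim.
    if (tokens[pos] === "WITH") { pos++; return { id: `${tok} WITH ${tokens[pos++]}` }; }
    return { id: tok };
  }
  const tree = parseOr();
  if (pos !== tokens.length) throw new Error("trailing tokens in " + tokens.join(" "));
  return tree;
}

// OR lets us choose the best option (lowest rank); AND binds us to the worst (highest rank).
function rank(node) {
  if (node.id !== undefined) return APPROVED.has(node.id) ? 0 : CAUTION.has(node.id) ? 1 : 2;
  const l = rank(node.left), r = rank(node.right);
  return node.op === "OR" ? Math.min(l, r) : Math.max(l, r);
}

function classify(expr) {
  if (expr.startsWith("Custom:")) return "unknown"; // licence file must be read by a person
  const guessed = expr.endsWith("*");                // license-checker marks guessed licences with "*"
  const cleaned = guessed ? expr.slice(0, -1) : expr;
  let tree;
  try { tree = parse(tokenize(cleaned)); } catch { return "unknown"; }
  const status = STATUS[rank(tree)];
  return guessed && status === "approved" ? "caution" : status; // never auto-approve a guess
}

function audit(report, overrides = MANUAL_OVERRIDES) {
  const results = {};
  for (const [pkg, info] of Object.entries(report)) {
    const name = pkg.slice(0, pkg.lastIndexOf("@")); // lastIndexOf copes with scoped @org/name@ver
    // license-checker may report an array when several licence files are found; AND is the safe reading.
    const raw = Array.isArray(info.licenses) ? info.licenses.join(" AND ") : String(info.licenses);
    const expression = overrides[name] ?? raw;
    results[pkg] = { expression, status: classify(expression) };
  }
  return results;
}

function summarize(results) {
  const counts = { approved: 0, caution: 0, unknown: 0 };
  const needsReview = [];
  for (const [pkg, r] of Object.entries(results)) {
    counts[r.status]++;
    if (r.status !== "approved") needsReview.push(`${r.status.toUpperCase()} ${pkg} (${r.expression})`);
  }
  return { counts, needsReview };
}

console.log(JSON.stringify(summarize(audit(SAMPLE_LICENSE_CHECKER_JSON)), null, 2));
```

To run it against a real tree, replace the sample object with `JSON.parse(fs.readFileSync("licenses.json"))` produced by `npx license-checker --json > licenses.json`, and fail the CI job whenever `counts.unknown` or `counts.caution` is non-zero so that a new copyleft or unrecognised transitive dependency cannot land silently.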