GitHub has a tool called licensed which helps us verify that the node modules we use are appropriately licensed for the way we use them. It also helps verify that the license a node module claims to be under matches the license it.
If you were previously checking in a license in the dist file, this can replace that flow.
This PR adds:
- A workflow to check licenses on pull requests and pushes to the main branch
- A licensed.yml file used to configure licensed
- A number of files in the .licenses directory which record our dependencies and their licenses
How does this impact me?
You may need to locally install licensed and run licensed cache to update the dependency cache if you add a new production dependency.
If licensed cache is unable to determine the license of a dependency, you may need to edit the cache file yourself to record the correct license.
You should still verify the dependency: licensed is a tool to help, but it is not a substitute for human review of dependencies.
Currently, this PR only targets production dependencies; dev dependencies are not included.
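For reference, an example licensed configuration that expresses the policy described above (production dependencies only, an explicit license allow list, and a place to record human-reviewed exceptions). This is an added example, not the licensed.yml from this PR; the license keys and the reviewed package name are illustrative, and licensed reads .licensed.yml by default, so a differently named file must be passed with its -c option.

```yaml
# Example .licensed.yml (added illustration, not this PR's file)
sources:
  npm: true             # scan the packages declared in package.json

npm:
  production_only: true # as in the PR: devDependencies are not checked

# `licensed cache` writes one metadata file per dependency here; these are
# the files reviewed in the PR and updated when a production dependency changes
cache_path: .licenses

# Only these licenses (lowercase SPDX-style keys as licensed reports them)
# pass `licensed status`; any other detected license fails the workflow
allowed:
  - mit
  - apache-2.0
  - bsd-2-clause
  - bsd-3-clause
  - isc
  - cc0-1.0
  - unlicense

# Dependencies whose license licensed could not detect, or whose license is
# outside the allow list, but which a person has checked. Listing a package
# here is the manual review step the PR describes, recorded in the repository
# so the decision is visible and auditable rather than implicit.
reviewed:
  npm:
    - example-package   # placeholder name, not a real dependency of this PR
```

In the workflow, `licensed cache` refreshes .licenses and `licensed status` fails the run if any production dependency is missing from the cache or carries a license that is neither allowed nor reviewed.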