Closed pjfanning closed 3 months ago
For context, caniuse-lite is a subdependency several layers down of the JavaScript code coverage reporting tool nyc, which is only used as a development dependency and is not distributed by, included by, or installed by end users of Cordova.
```
$ npm ls caniuse-lite
cordova-common@5.0.1-dev
└─┬ nyc@15.1.0
  └─┬ istanbul-lib-instrument@4.0.3
    └─┬ @babel/core@7.24.3
      └─┬ @babel/helper-compilation-targets@7.23.6
        └─┬ browserslist@4.23.0
          └── caniuse-lite@1.0.30001600
```
I don't believe it's possible to drop this without dropping code coverage for unit testing.
Looks like it's being imported via the nyc package:
```
npm ls caniuse-lite
cordova-common@5.0.1-dev /development/cordova/apache/cordova-common
└─┬ nyc@15.1.0
  └─┬ istanbul-lib-instrument@4.0.3
    └─┬ @babel/core@7.24.3
      └─┬ @babel/helper-compilation-targets@7.23.6
        └─┬ browserslist@4.23.0
          └── caniuse-lite@1.0.30001600
```
I tried updating to the latest version of nyc but it still has the dependency:
```
npm ls caniuse-lite
cordova-common@5.0.1-dev /development/cordova/apache/cordova-common
└─┬ nyc@17.0.0
  └─┬ istanbul-lib-instrument@6.0.3
    └─┬ @babel/core@7.25.2
      └─┬ @babel/helper-compilation-targets@7.25.2
        └─┬ browserslist@4.23.3
          └── caniuse-lite@1.0.30001646
```
So that means we will have to drop nyc (a code coverage tool) :\
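The comments above establish the key fact by reading `npm ls` output by eye: every path to caniuse-lite starts at nyc, which is a devDependency, so nothing that `npm install cordova-common` pulls in ever contains it. As an added example (not code from this thread, from Cordova, or from npm itself), here is a small Node script that does the same check mechanically over the JSON form of the tree. It assumes the shape that `npm ls <pkg> --json` prints (nested `dependencies` objects with a `version` per node) and uses a constructed tree and package.json built from the versions quoted above, not a live capture.

```javascript
// Added example: walk an `npm ls --json` tree, list every path to a target
// package, and classify each path by whether its first hop is a production
// dependency or only a devDependency of the root project.
// Assumption: the tree mirrors `npm ls caniuse-lite --json` output (name,
// version, nested `dependencies`); the data below is constructed, not captured.
'use strict';

// Constructed stand-in for package.json: nyc is a devDependency only.
const packageJson = {
  name: 'cordova-common',
  version: '5.0.1-dev',
  dependencies: {},              // production deps omitted in this sample
  devDependencies: { nyc: '^15.1.0' },
};

// Constructed stand-in for `npm ls caniuse-lite --json`, same chain as the thread.
const lsTree = {
  name: 'cordova-common',
  version: '5.0.1-dev',
  dependencies: {
    nyc: {
      version: '15.1.0',
      dependencies: {
        'istanbul-lib-instrument': {
          version: '4.0.3',
          dependencies: {
            '@babel/core': {
              version: '7.24.3',
              dependencies: {
                '@babel/helper-compilation-targets': {
                  version: '7.23.6',
                  dependencies: {
                    browserslist: {
                      version: '4.23.0',
                      dependencies: {
                        'caniuse-lite': { version: '1.0.30001600' },
                      },
                    },
                  },
                },
              },
            },
          },
        },
      },
    },
  },
};

// Depth-first walk; returns every path (array of "name@version") ending at `target`.
function pathsTo(tree, target) {
  const found = [];
  function walk(node, name, trail) {
    const here = trail.concat(`${name}@${node.version}`);
    if (name === target) found.push(here);
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      walk(child, childName, here);
    }
  }
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    walk(node, name, []);
  }
  return found;
}

// The first hop of each path is a direct dependency of the root project.
// A path whose first hop is only a devDependency is never installed by a
// consumer, because `npm install <pkg>` skips the dependency's devDependencies.
function classifyPaths(pkg, tree, target) {
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  return pathsTo(tree, target).map((path) => {
    // strip the "@version" suffix; scoped names keep their leading "@"
    const firstHop = path[0].slice(0, path[0].lastIndexOf('@'));
    const scope = prod.has(firstHop) ? 'prod' : dev.has(firstHop) ? 'dev' : 'unknown';
    return { scope, path };
  });
}

// true only when the package is present and every path to it is dev-only
function devOnly(pkg, tree, target) {
  const paths = classifyPaths(pkg, tree, target);
  return paths.length > 0 && paths.every((p) => p.scope === 'dev');
}

for (const { scope, path } of classifyPaths(packageJson, lsTree, 'caniuse-lite')) {
  console.log(`[${scope}] ${path.join(' > ')}`);
}
console.log('caniuse-lite dev-only:', devOnly(packageJson, lsTree, 'caniuse-lite'));
```

On a real checkout the two quick confirmations are `npm ls caniuse-lite --omit=dev`, which should report the package as absent from the production tree, and `npm pack --dry-run`, which lists exactly the files that go into the published tarball; neither touches `node_modules` of the installing consumer, which is the point the thread is making.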
Issue also seems to affect https://github.com/apache/cordova-eslint
It likely affects all Cordova packages tbh; nyc is a widely used package.
Could you at least update the NOTICE files? If you do not ship the source code of caniuse-lite then you don't need to mention it in your LICENSE or NOTICE.
We can definitely update the NOTICE file.
Do you know if there's clear ASF documentation about when dependencies need to be listed or not? We've been erring on the side of caution by listing everything we use, even if it's only for development use.
The LICENSE file is where you list licenses for 3rd party source code that you include in your source releases. The NOTICE file is where you list notices for 3rd party source code that you include in your source releases.
If you release binary artifacts too, then they should have LICENSE and NOTICE files that reflect what is in those binary artifacts. This might include including LICENSE and/or NOTICE entries for 3rd party source and other 3rd party binary artifacts included in your binary artifact.
If you have a git repo that is not used for doing source releases or releasing binary artifacts then you probably just need a plain Apache LICENSE and NOTICE in that repo.
See https://github.com/apache/cordova-common/blob/master/NOTICE
The CC-BY-4.0 license is Category X and incompatible with Apache Software License.
https://www.apache.org/legal/resolved.html#cc-by
See https://issues.apache.org/jira/browse/LEGAL-678
Please remove the dependency and update your LICENSE/NOTICE.