apache / gravitino

World's most powerful open data catalog for building a high-performance, geo-distributed and federated metadata lake.
https://gravitino.apache.org
Apache License 2.0

[Improvement] Licenses issues in web UI #939

Open ch3yne opened 10 months ago

ch3yne commented 10 months ago

What would you like to be improved?

caniuse-lite is included as a nested dependency in both next and autoprefixer. Its appearance three times in yarn.lock is due to the lock file recording the versions for each dependency. If other dependencies require different versions, it will be reflected accordingly.

```
License:
├─ CC-BY-4.0
│  └─ caniuse-lite@1.0.30001566
│     ├─ URL: https://github.com/browserslist/caniuse-lite.git
│     ├─ VendorName: Ben Briggs
│     └─ VendorUrl: http://beneb.info
```

```
next@14.0.3:
  version "14.0.3"
  resolved "https://registry.yarnpkg.com/next/-/next-14.0.3.tgz#8d801a08eaefe5974203d71092fccc463103a03f"
  integrity sha512-AbYdRNfImBr3XGtvnwOxq8ekVCwbFTv/UJoLwmaX89nk9i051AEY4/HAWzU0YpaTDw8IofUpmuIlvzWF13jxIw==
  dependencies:
    "@next/env" "14.0.3"
    "@swc/helpers" "0.5.2"
    busboy "1.6.0"
    caniuse-lite "^1.0.30001406"
    postcss "8.4.31"
    styled-jsx "5.1.1"
    watchpack "2.4.0"
  optionalDependencies:
    "@next/swc-darwin-arm64" "14.0.3"
    "@next/swc-darwin-x64" "14.0.3"
    "@next/swc-linux-arm64-gnu" "14.0.3"
    "@next/swc-linux-arm64-musl" "14.0.3"
    "@next/swc-linux-x64-gnu" "14.0.3"
    "@next/swc-linux-x64-musl" "14.0.3"
    "@next/swc-win32-arm64-msvc" "14.0.3"
    "@next/swc-win32-ia32-msvc" "14.0.3"
    "@next/swc-win32-x64-msvc" "14.0.3"

autoprefixer@^10.4.16:
  version "10.4.16"
  resolved "https://registry.yarnpkg.com/autoprefixer/-/autoprefixer-10.4.16.tgz#fad1411024d8670880bdece3970aa72e3572feb8"
  integrity sha512-7vd3UC6xKp0HLfua5IjZlcXvGAGy7cBAXTg2lyQ/8WpNhd6SiZ8Be+xm3FyBSYJx5GKcpRCzBh7RH4/0dnY+uQ==
  dependencies:
    browserslist "^4.21.10"
    caniuse-lite "^1.0.30001538"
    fraction.js "^4.3.6"
    normalize-range "^0.1.2"
    picocolors "^1.0.0"
    postcss-value-parser "^4.2.0"

browserslist@^4.21.10:
  version "4.22.2"
  resolved "https://registry.yarnpkg.com/browserslist/-/browserslist-4.22.2.tgz#704c4943072bd81ea18997f3bd2180e89c77874b"
  integrity sha512-0UgcrvQmBDvZHFGdYUehrCNIazki7/lUP3kkoi/r3YB2amZbFM9J43ZRkJTXBUZK4gmx56+Sqk9+Vs9mwZx9+A==
  dependencies:
    caniuse-lite "^1.0.30001565"
    electron-to-chromium "^1.4.601"
    node-releases "^2.0.14"
    update-browserslist-db "^1.0.13"
```

How should we improve?

How should we handle this license issue? If deletion is necessary, it means replacing next.js with another frontend framework. However, there is no guarantee that other frameworks won't also have nested dependencies. The autoprefixer dependency is utilized by many CSS styling libraries.
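The nesting described in this issue can be traced mechanically from the lock file. The following is an added example, not code from the Gravitino project: a small Node.js parser for yarn.lock (v1) that reports every chain from a lock-file entry to `caniuse-lite` and shows that several version ranges collapse to one resolved version. The sample lock text is constructed from the entries quoted above; the combined `caniuse-lite` entry and all function names are assumptions.

```javascript
// Constructed sample: a trimmed yarn.lock (v1) based on the entries quoted in
// the issue, with resolved/integrity lines omitted. The caniuse-lite entry is
// an assumption: all three ranges resolving to the version in the license report.
const SAMPLE_LOCK = `
autoprefixer@^10.4.16:
  version "10.4.16"
  dependencies:
    browserslist "^4.21.10"
    caniuse-lite "^1.0.30001538"
    fraction.js "^4.3.6"

browserslist@^4.21.10:
  version "4.22.2"
  dependencies:
    caniuse-lite "^1.0.30001565"
    electron-to-chromium "^1.4.601"

caniuse-lite@^1.0.30001406, caniuse-lite@^1.0.30001538, caniuse-lite@^1.0.30001565:
  version "1.0.30001566"

next@14.0.3:
  version "14.0.3"
  dependencies:
    busboy "1.6.0"
    caniuse-lite "^1.0.30001406"
    postcss "8.4.31"
  optionalDependencies:
    "@next/swc-linux-x64-gnu" "14.0.3"
`;

const unquote = (s) => s.replace(/^"|"$/g, '');

// Parse yarn.lock v1 text into a Map of "name@range" -> shared entry object.
// Hypothetical helper: handles the plain layout shown above, not aliases.
function parseYarnLock(text) {
  const bySpec = new Map();
  let entry = null;
  let section = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0) {
      // Header: one or more comma-separated specifiers, terminated by ':'.
      const specs = line.replace(/:$/, '').split(',').map((s) => unquote(s.trim()));
      const first = specs[0];
      entry = { name: first.slice(0, first.lastIndexOf('@')), version: null, deps: [] };
      for (const spec of specs) bySpec.set(spec, entry);
      section = null;
    } else if (indent === 2) {
      section = line.endsWith(':') ? line.slice(0, -1) : null;
      const m = /^version\s+"(.+)"$/.exec(line);
      if (m) entry.version = m[1];
    } else if (section === 'dependencies' || section === 'optionalDependencies') {
      const m = /^("[^"]+"|\S+)\s+(.+)$/.exec(line);
      if (m) entry.deps.push(`${unquote(m[1])}@${unquote(m[2])}`);
    }
  }
  return bySpec;
}

// Every dependency chain from rootSpec down to the target package name.
function findPaths(bySpec, rootSpec, target) {
  const paths = [];
  const walk = (spec, trail) => {
    const entry = bySpec.get(spec);
    if (!entry) return; // dependency not present in this (trimmed) lock file
    const label = `${entry.name}@${entry.version}`;
    if (trail.includes(label)) return; // guard against dependency cycles
    const next = [...trail, label];
    if (entry.name === target) {
      paths.push(next.join(' > '));
      return;
    }
    for (const dep of entry.deps) walk(dep, next);
  };
  walk(rootSpec, []);
  return paths;
}

// Requested ranges and distinct resolved versions for one package name.
function resolutionsFor(bySpec, name) {
  const ranges = [];
  const versions = new Set();
  for (const [spec, entry] of bySpec) {
    if (entry.name !== name) continue;
    ranges.push(spec.slice(name.length + 1));
    versions.add(entry.version);
  }
  return { ranges, versions: [...versions] };
}

const lock = parseYarnLock(SAMPLE_LOCK);
for (const root of ['next@14.0.3', 'autoprefixer@^10.4.16']) {
  for (const p of findPaths(lock, root, 'caniuse-lite')) console.log(p);
}
console.log(resolutionsFor(lock, 'caniuse-lite'));
```

The same functions can be pointed at a real lock file by reading it with `fs.readFileSync` and passing the project's direct dependencies as roots.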

ch3yne commented 10 months ago

Hi, @justinmclean, I created this issue regarding #875 and #829. https://github.com/datastrato/gravitino/issues/829#issuecomment-1842012630

Which dependency packages should I add into LICENSE or NOTICE? The source code of these packages won't be included in either the webUI's source files or the compiled production versions. The dependencies declared in package.json are just for utility purposes. Do I only need to add the packages used in package.json to the LICENSE or NOTICE file?

By the way, this command is executed within superset/superset-frontend.

```
❯ license-checker --production --summary
├─ MIT: 527
├─ ISC: 49
├─ Apache-2.0: 41
├─ BSD-3-Clause: 37
├─ BSD-2-Clause: 18
├─ MIT*: 3
├─ (MIT OR Apache-2.0): 2
├─ Custom: https://github.com/tmcw/jsonlint: 1
├─ Unlicense: 1
├─ CC-BY-4.0: 1
├─ (MPL-2.0 OR Apache-2.0): 1
├─ Apache-2.0 WITH LLVM-exception: 1
└─ 0BSD: 1
```

justinmclean commented 10 months ago

Please read the document I created yesterday on how to do this. In general, dependencies that don't end up in what we release don't need to be mentioned. However, I can help with this; I'm just working on the binary LICENSE and NOTICE file.

ch3yne commented 10 months ago

> Please read the document I created yesterday on how to do this. In general, dependencies that don't end up in what we release don't need to be mentioned. However, I can help with this; I'm just working on the binary LICENSE and NOTICE file.

Thank you for the document; I have read it. In the current webUI, there is no 3rd-party code, and apart from the dependencies mentioned in the package.json, there are no other 3rd-party dependencies.

ch3yne commented 5 months ago
  1. The front-end dist directory packaged as a war file does not include caniuse-lite. The compiled analysis does not seem to include the paths where it could be included either.

  2. caniuse-lite is a deep nested dependency included in browserslist, referenced as a toolchain in next and autoprefixer. It is a JSON file used to check browser compatibility issues, which are hard to avoid in modern frontend development.

  3. Use license-checker-rseidelsohn to check the dependencies included in the web as follows:

    ❯ license-checker-rseidelsohn

├─ @emotion/cache@@11.11.0
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/emotion-js/emotion.git#main
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@emotion/cache
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@emotion/cache/LICENSE
├─ @emotion/react@@11.11.3
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/emotion-js/emotion.git#main
│  ├─ publisher: Emotion Contributors
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@emotion/react
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@emotion/react/LICENSE
├─ @emotion/styled@@11.11.0
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/emotion-js/emotion.git#main
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@emotion/styled
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@emotion/styled/LICENSE
├─ @eslint-community/eslint-utils@@4.4.0
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/eslint-community/eslint-utils
│  ├─ publisher: Toru Nagashima
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@eslint-community/eslint-utils
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@eslint-community/eslint-utils/LICENSE
├─ @eslint-community/regexpp@@4.10.0
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/eslint-community/regexpp
│  ├─ publisher: Toru Nagashima
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@eslint-community/regexpp
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@eslint-community/regexpp/LICENSE
├─ @eslint/eslintrc@@2.1.4
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/eslint/eslintrc
│  ├─ publisher: Nicholas C. Zakas
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@eslint/eslintrc
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@eslint/eslintrc/LICENSE
├─ @eslint/js@@8.56.0
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/eslint/eslint
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@eslint/js
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@eslint/js/LICENSE
├─ @hookform/resolvers@@3.3.4
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/react-hook-form/resolvers
│  ├─ publisher: bluebill1049
│  ├─ email: bluebill1049@hotmail.com
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@hookform/resolvers
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@hookform/resolvers/LICENSE
├─ @iconify/react@@4.1.1
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/iconify/iconify
│  ├─ publisher: Vjacheslav Trushkin
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@iconify/react
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@iconify/react/license.txt
├─ @mui/icons-material@@5.15.11
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/mui/material-ui
│  ├─ publisher: MUI Team
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@mui/icons-material
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@mui/icons-material/LICENSE
├─ @mui/lab@@5.0.0-alpha.159
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/mui/material-ui
│  ├─ publisher: MUI Team
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@mui/lab
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@mui/lab/LICENSE
├─ @mui/material@@5.15.3
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/mui/material-ui
│  ├─ publisher: MUI Team
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@mui/material
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@mui/material/LICENSE
├─ @mui/x-data-grid@@6.18.7
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/mui/mui-x
│  ├─ publisher: MUI Team
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@mui/x-data-grid
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@mui/x-data-grid/LICENSE
├─ @mui/x-tree-view@@6.17.0
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/mui/mui-x
│  ├─ publisher: MUI Team
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@mui/x-tree-view
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@mui/x-tree-view/LICENSE
├─ @next/bundle-analyzer@@14.0.4
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/vercel/next.js
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@next/bundle-analyzer
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@next/bundle-analyzer/readme.md
├─ @next/eslint-plugin-next@@14.0.3
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/vercel/next.js
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@next/eslint-plugin-next
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@next/eslint-plugin-next/README.md
├─ @reduxjs/toolkit@@1.9.7
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/reduxjs/redux-toolkit
│  ├─ publisher: Mark Erikson
│  ├─ email: mark@isquaredsoftware.com
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@reduxjs/toolkit
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@reduxjs/toolkit/LICENSE
├─ @rushstack/eslint-patch@@1.6.1
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/microsoft/rushstack
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@rushstack/eslint-patch
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@rushstack/eslint-patch/LICENSE
├─ @types/lodash-es@@4.17.12
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/DefinitelyTyped/DefinitelyTyped
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@types/lodash-es
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@types/lodash-es/LICENSE
├─ @types/node@@20.10.7
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/DefinitelyTyped/DefinitelyTyped
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@types/node
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@types/node/LICENSE
├─ @types/qs@@6.9.11
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/DefinitelyTyped/DefinitelyTyped
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@types/qs
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@types/qs/LICENSE
├─ @types/react@@18.2.47
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/DefinitelyTyped/DefinitelyTyped
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@types/react
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@types/react/LICENSE
├─ @typescript-eslint/parser@@6.18.1
│  ├─ licenses: BSD-2-Clause
│  ├─ repository: https://github.com/typescript-eslint/typescript-eslint
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@typescript-eslint/parser
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@typescript-eslint/parser/LICENSE
├─ @typescript-eslint/scope-manager@@6.18.1
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/typescript-eslint/typescript-eslint
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@typescript-eslint/scope-manager
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@typescript-eslint/scope-manager/LICENSE
├─ @typescript-eslint/types@@6.18.1
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/typescript-eslint/typescript-eslint
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@typescript-eslint/types
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@typescript-eslint/types/LICENSE
├─ @typescript-eslint/typescript-estree@@6.18.1
│  ├─ licenses: BSD-2-Clause
│  ├─ repository: https://github.com/typescript-eslint/typescript-eslint
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@typescript-eslint/typescript-estree
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@typescript-eslint/typescript-estree/LICENSE
├─ @typescript-eslint/visitor-keys@@6.18.1
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/typescript-eslint/typescript-eslint
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@typescript-eslint/visitor-keys
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/@typescript-eslint/visitor-keys/LICENSE
├─ antd@@5.13.3
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/ant-design/ant-design
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/antd
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/antd/LICENSE
├─ autoprefixer@@10.4.16
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/postcss/autoprefixer
│  ├─ publisher: Andrey Sitnik
│  ├─ email: andrey@sitnik.ru
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/autoprefixer
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/autoprefixer/LICENSE
├─ axios@@1.6.8
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/axios/axios
│  ├─ publisher: Matt Zabriskie
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/axios
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/axios/LICENSE
├─ chroma-js@@2.4.2
│  ├─ licenses: (BSD-3-Clause AND Apache-2.0)
│  ├─ repository: https://github.com/gka/chroma.js
│  ├─ publisher: Gregor Aisch
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/chroma-js
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/chroma-js/LICENSE
├─ clsx@@2.1.0
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/lukeed/clsx
│  ├─ publisher: Luke Edwards
│  ├─ email: luke.edwards05@gmail.com
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/clsx
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/clsx/license
├─ dayjs@@1.11.10
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/iamkun/dayjs
│  ├─ publisher: iamkun
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/dayjs
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/dayjs/LICENSE
├─ env-cmd@@10.1.0
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/toddbluhm/env-cmd
│  ├─ publisher: Todd Bluhm
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/env-cmd
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/env-cmd/LICENSE
├─ eslint-config-next@@14.0.3
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/vercel/next.js
│  └─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-config-next
├─ eslint-config-prettier@@9.1.0
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/prettier/eslint-config-prettier
│  ├─ publisher: Simon Lydell
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-config-prettier
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-config-prettier/LICENSE
├─ eslint-import-resolver-node@@0.3.9
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/import-js/eslint-plugin-import
│  ├─ publisher: Ben Mosher
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-import-resolver-node
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-import-resolver-node/LICENSE
├─ eslint-import-resolver-typescript@@3.6.1
│  ├─ licenses: ISC
│  ├─ repository: https://github.com/import-js/eslint-import-resolver-typescript
│  ├─ publisher: Alex Gorbatchev
│  ├─ email: alex.gorbatchev@gmail.com
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-import-resolver-typescript
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-import-resolver-typescript/LICENSE
├─ eslint-module-utils@@2.8.0
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/import-js/eslint-plugin-import
│  ├─ publisher: Ben Mosher
│  ├─ email: me@benmosher.com
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-module-utils
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-module-utils/LICENSE
├─ eslint-plugin-import@@2.29.1
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/import-js/eslint-plugin-import
│  ├─ publisher: Ben Mosher
│  ├─ email: me@benmosher.com
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-plugin-import
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-plugin-import/LICENSE
├─ eslint-plugin-jsx-a11y@@6.8.0
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/jsx-eslint/eslint-plugin-jsx-a11y
│  ├─ publisher: Ethan Cohen
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-plugin-jsx-a11y
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-plugin-jsx-a11y/LICENSE.md
├─ eslint-plugin-react-hooks@@4.6.0
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/facebook/react
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-plugin-react-hooks
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-plugin-react-hooks/LICENSE
├─ eslint-plugin-react@@7.33.2
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/jsx-eslint/eslint-plugin-react
│  ├─ publisher: Yannick Croissant
│  ├─ email: yannick.croissant+npm@gmail.com
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-plugin-react
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-plugin-react/LICENSE
├─ eslint-scope@@7.2.2
│  ├─ licenses: BSD-2-Clause
│  ├─ repository: https://github.com/eslint/eslint-scope
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-scope
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-scope/LICENSE
├─ eslint-visitor-keys@@3.4.3
│  ├─ licenses: Apache-2.0
│  ├─ repository: https://github.com/eslint/eslint-visitor-keys
│  ├─ publisher: Toru Nagashima
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-visitor-keys
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint-visitor-keys/LICENSE
├─ eslint@@8.56.0
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/eslint/eslint
│  ├─ publisher: Nicholas C. Zakas
│  ├─ email: nicholas+npm@nczconsulting.com
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/eslint/LICENSE
├─ lodash-es@@4.17.21
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/lodash/lodash
│  ├─ publisher: John-David Dalton
│  ├─ email: john.david.dalton@gmail.com
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/lodash-es
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/lodash-es/LICENSE
├─ next@@14.0.3
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/vercel/next.js
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/next
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/next/license.md
├─ nprogress@@0.2.0
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/rstacruz/nprogress
│  ├─ publisher: Rico Sta. Cruz
│  ├─ email: hi@ricostacruz.com
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/nprogress
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/nprogress/License.md
├─ postcss@@8.4.33
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/postcss/postcss
│  ├─ publisher: Andrey Sitnik
│  ├─ email: andrey@sitnik.ru
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/postcss
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/postcss/LICENSE
├─ prettier@@3.1.1
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/prettier/prettier
│  ├─ publisher: James Long
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/prettier
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/prettier/LICENSE
├─ qs@@6.11.2
│  ├─ licenses: BSD-3-Clause
│  ├─ repository: https://github.com/ljharb/qs
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/qs
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/qs/LICENSE.md
├─ react-dom@@18.2.0
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/facebook/react
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/react-dom
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/react-dom/LICENSE
├─ react-hook-form@@7.49.3
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/react-hook-form/react-hook-form
│  ├─ email: bluebill1049@hotmail.com
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/react-hook-form
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/react-hook-form/LICENSE
├─ react-hot-toast@@2.4.1
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/timolins/react-hot-toast
│  ├─ publisher: Timo Lins
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/react-hot-toast
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/react-hot-toast/LICENSE
├─ react-redux@@8.1.3
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/reduxjs/react-redux
│  ├─ publisher: Dan Abramov
│  ├─ email: dan.abramov@me.com
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/react-redux
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/react-redux/LICENSE.md
├─ react-use@@17.4.2
│  ├─ licenses: Unlicense
│  ├─ repository: https://github.com/streamich/react-use
│  ├─ publisher: @streamich
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/react-use
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/react-use/LICENSE
├─ react@@18.2.0
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/facebook/react
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/react
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/react/LICENSE
├─ tailwindcss@@3.4.1
│  ├─ licenses: MIT
│  ├─ repository: https://github.com/tailwindlabs/tailwindcss
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/tailwindcss
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/tailwindcss/LICENSE
├─ typescript@@5.3.3
│  ├─ licenses: Apache-2.0
│  ├─ repository: https://github.com/Microsoft/TypeScript
│  ├─ publisher: Microsoft Corp.
│  ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/typescript
│  └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/typescript/LICENSE.txt
└─ yup@@1.3.3
   ├─ licenses: MIT
   ├─ repository: https://github.com/jquense/yup
   ├─ publisher: @monasticpanic Jason Quense
   ├─ path: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/yup
   └─ licenseFile: /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web/node_modules/yup/LICENSE.md

and use npm check:

```
❯ npm list
gravitino-web@ /Users/cheyne/workspace/datastrato/github/ch3yne/gravitino/web
├── @emotion/cache@11.11.0 -> ./node_modules/.pnpm/@emotion+cache@11.11.0/node_modules/@emotion/cache
├── @emotion/react@11.11.3 -> ./node_modules/.pnpm/@emotion+react@11.11.3_@types+react@18.2.47_react@18.2.0/node_modules/@emotion/react
├── @emotion/styled@11.11.0 -> ./node_modules/.pnpm/@emotion+styled@11.11.0_@emotion+react@11.11.3_@types+react@18.2.47_react@18.2.0/node_modules/@emotion/styled
├── @eslint-community/eslint-utils@4.4.0 extraneous -> ./node_modules/.pnpm/@eslint-community+eslint-utils@4.4.0_eslint@8.56.0/node_modules/@eslint-community/eslint-utils
├── @eslint-community/regexpp@4.10.0 extraneous -> ./node_modules/.pnpm/@eslint-community+regexpp@4.10.0/node_modules/@eslint-community/regexpp
├── @eslint/eslintrc@2.1.4 extraneous -> ./node_modules/.pnpm/@eslint+eslintrc@2.1.4/node_modules/@eslint/eslintrc
├── @eslint/js@8.56.0 extraneous -> ./node_modules/.pnpm/@eslint+js@8.56.0/node_modules/@eslint/js
├── @hookform/resolvers@3.3.4 -> ./node_modules/.pnpm/@hookform+resolvers@3.3.4_react-hook-form@7.49.3/node_modules/@hookform/resolvers
├── @iconify/react@4.1.1 -> ./node_modules/.pnpm/@iconify+react@4.1.1_react@18.2.0/node_modules/@iconify/react
├── @mui/icons-material@5.15.11 -> ./node_modules/.pnpm/@mui+icons-material@5.15.11_@mui+material@5.15.3_@types+react@18.2.47_react@18.2.0/node_modules/@mui/icons-material
├── @mui/lab@5.0.0-alpha.159 -> ./node_modules/.pnpm/@mui+lab@5.0.0-alpha.159_@emotion+react@11.11.3_@emotion+styled@11.11.0_@mui+material@5.15.3__z5cj5z3g7thm2dkne4q2f3ui3m/node_modules/@mui/lab
├── @mui/material@5.15.3 -> ./node_modules/.pnpm/@mui+material@5.15.3_@emotion+react@11.11.3_@emotion+styled@11.11.0_@types+react@18.2.47_react-dom@18.2.0_react@18.2.0/node_modules/@mui/material
├── @mui/x-data-grid@6.18.7 -> ./node_modules/.pnpm/@mui+x-data-grid@6.18.7_@mui+material@5.15.3_@mui+system@5.15.3_@types+react@18.2.47_react-dom@18.2.0_react@18.2.0/node_modules/@mui/x-data-grid
├── @mui/x-tree-view@6.17.0 -> ./node_modules/.pnpm/@mui+x-tree-view@6.17.0_@emotion+react@11.11.3_@emotion+styled@11.11.0_@mui+material@5.15.3_@_2hznsh66pzrzmt57m2vrwkibhi/node_modules/@mui/x-tree-view
├── @next/bundle-analyzer@14.0.4 -> ./node_modules/.pnpm/@next+bundle-analyzer@14.0.4/node_modules/@next/bundle-analyzer
├── @next/eslint-plugin-next@14.0.3 extraneous -> ./node_modules/.pnpm/@next+eslint-plugin-next@14.0.3/node_modules/@next/eslint-plugin-next
├── @reduxjs/toolkit@1.9.7 -> ./node_modules/.pnpm/@reduxjs+toolkit@1.9.7_react-redux@8.1.3_react@18.2.0/node_modules/@reduxjs/toolkit
├── @rushstack/eslint-patch@1.6.1 extraneous -> ./node_modules/.pnpm/@rushstack+eslint-patch@1.6.1/node_modules/@rushstack/eslint-patch
├── @types/lodash-es@4.17.12 -> ./node_modules/.pnpm/@types+lodash-es@4.17.12/node_modules/@types/lodash-es
├── @types/node@20.10.7 -> ./node_modules/.pnpm/@types+node@20.10.7/node_modules/@types/node
├── @types/qs@6.9.11 -> ./node_modules/.pnpm/@types+qs@6.9.11/node_modules/@types/qs
├── @types/react@18.2.47 -> ./node_modules/.pnpm/@types+react@18.2.47/node_modules/@types/react
├── @typescript-eslint/scope-manager@6.18.1 extraneous -> ./node_modules/.pnpm/@typescript-eslint+scope-manager@6.18.1/node_modules/@typescript-eslint/scope-manager
├── @typescript-eslint/visitor-keys@6.18.1 extraneous -> ./node_modules/.pnpm/@typescript-eslint+visitor-keys@6.18.1/node_modules/@typescript-eslint/visitor-keys
├── antd@5.13.3 -> ./node_modules/.pnpm/antd@5.13.3_react-dom@18.2.0_react@18.2.0/node_modules/antd
├── autoprefixer@10.4.16 -> ./node_modules/.pnpm/autoprefixer@10.4.16_postcss@8.4.33/node_modules/autoprefixer
├── axios@1.6.8 -> ./node_modules/.pnpm/axios@1.6.8/node_modules/axios
├── chroma-js@2.4.2 -> ./node_modules/.pnpm/chroma-js@2.4.2/node_modules/chroma-js
├── clsx@2.1.0 -> ./node_modules/.pnpm/clsx@2.1.0/node_modules/clsx
├── dayjs@1.11.10 -> ./node_modules/.pnpm/dayjs@1.11.10/node_modules/dayjs
├── env-cmd@10.1.0 -> ./node_modules/.pnpm/env-cmd@10.1.0/node_modules/env-cmd
├── eslint-config-next@14.0.3 -> ./node_modules/.pnpm/eslint-config-next@14.0.3_eslint@8.56.0_typescript@5.3.3/node_modules/eslint-config-next
├── eslint-config-prettier@9.1.0 -> ./node_modules/.pnpm/eslint-config-prettier@9.1.0_eslint@8.56.0/node_modules/eslint-config-prettier
├── eslint-import-resolver-node@0.3.9 extraneous -> ./node_modules/.pnpm/eslint-import-resolver-node@0.3.9/node_modules/eslint-import-resolver-node
├── eslint-module-utils@2.8.0 extraneous -> ./node_modules/.pnpm/eslint-module-utils@2.8.0_@typescript-eslint+parser@6.18.1_eslint-import-resolver-node@0.3.9__kqaywb5yrvhoinib5yhs2meepa/node_modules/eslint-module-utils
├── eslint@8.56.0 -> ./node_modules/.pnpm/eslint@8.56.0/node_modules/eslint
├── lodash-es@4.17.21 -> ./node_modules/.pnpm/lodash-es@4.17.21/node_modules/lodash-es
├── next@14.0.3 -> ./node_modules/.pnpm/next@14.0.3_react-dom@18.2.0_react@18.2.0/node_modules/next
├── nprogress@0.2.0 -> ./node_modules/.pnpm/nprogress@0.2.0/node_modules/nprogress
├── postcss@8.4.33 -> ./node_modules/.pnpm/postcss@8.4.33/node_modules/postcss
├── prettier@3.1.1 -> ./node_modules/.pnpm/prettier@3.1.1/node_modules/prettier
├── qs@6.11.2 -> ./node_modules/.pnpm/qs@6.11.2/node_modules/qs
├── react-dom@18.2.0 -> ./node_modules/.pnpm/react-dom@18.2.0_react@18.2.0/node_modules/react-dom
├── react-hook-form@7.49.3 -> ./node_modules/.pnpm/react-hook-form@7.49.3_react@18.2.0/node_modules/react-hook-form
├── react-hot-toast@2.4.1 -> ./node_modules/.pnpm/react-hot-toast@2.4.1_csstype@3.1.3_react-dom@18.2.0_react@18.2.0/node_modules/react-hot-toast
├── react-redux@8.1.3 -> ./node_modules/.pnpm/react-redux@8.1.3_@types+react@18.2.47_react-dom@18.2.0_react@18.2.0_redux@4.2.1/node_modules/react-redux
├── react-use@17.4.2 -> ./node_modules/.pnpm/react-use@17.4.2_react-dom@18.2.0_react@18.2.0/node_modules/react-use
├── react@18.2.0 -> ./node_modules/.pnpm/react@18.2.0/node_modules/react
├── tailwindcss@3.4.1 -> ./node_modules/.pnpm/tailwindcss@3.4.1/node_modules/tailwindcss
├── typescript@5.3.3 -> ./node_modules/.pnpm/typescript@5.3.3/node_modules/typescript
└── yup@1.3.3 -> ./node_modules/.pnpm/yup@1.3.3/node_modules/yup
```

justinmclean commented 5 months ago

As previously discussed, it does include caniuse-lite. It doesn't matter that it is a deeply nested dependency; its license is not compatible with the Apache license as it is considered Category X.

justinmclean commented 5 months ago

There are over 350 packages that end up in the WebUI

ch3yne commented 5 months ago

> There are over 350 packages that end up in the WebUI

The packages directly referenced in the web are not as many as you have identified. The ones you have found are likely from the package-lock.json or pnpm-lock.yaml files, but this does not necessarily mean that the web includes all of these dependencies. They are simply used to lock the versions of nested dependencies.

ch3yne commented 5 months ago

The cc-by-4.0 license is not included in category x. https://www.apache.org/legal/resolved.html#cc-by

cc-by-4.0 is one of the Creative Commons Attribution (CC-BY) licenses (2.5, 3.0, and 4.0), not one of the Creative Commons Non-Commercial variants.

justinmclean commented 5 months ago

It is considered Category X (i.e. can't be included) if it is not in binary form. Being JS/JSON, it's not in binary form. Any non-commercial license will not be able to be included in source or binary form.

justinmclean commented 5 months ago

But the restriction goes further than just including it; it can't be a dependency as it places conditions above what the Apache license allows.

The options we have are:

From my history with ASF legal around issues like this, the exception is unlikely to be granted, so we're likely to be back to trying to replace or remove it.

Looking into the licensing and its history, it seems at one point the code it was copied from was CC non-commercial and had other restrictions (i.e. not creating a similar product) which may further complicate things.

LauraXia123 commented 5 months ago

Hi Justin, the node modules are only for dev mode; we only need to focus on production mode, right? And not all the dependencies will be built into our distribution output. Packages which are not referenced will be tree-shaken.

This is a new sample demo of next-app; building the demo, we get the output file


Then install the antd dependency but do not import it, and build directly; we can see the size of the output file does not change


And then we import antd in our code and build again; we can see the size of the output file is bigger


And I found the build task file of next. It shows that the caniuse-lite data has been excluded from the bundle file. So it does not include caniuse-lite if we do not import it directly. https://github.com/vercel/next.js/blob/canary/packages/next/taskfile.js

justinmclean commented 5 months ago

I did check all production dependencies, not dev ones, and caniuse-lite is a production dependency. It might be possible that it gets removed, as you say. It's hard to tell, but the last time when I looked, there was some browser sniffing code that ended up being the final code, which looked like it may have been from caniuseit. But either way, to satisfy the ASF licensing policy, we can't have a dependency on it or include it. Excluding it and having the user install it is only possible if it is truly optional, i.e. only a small number of users would install it, and the web UI works without it.

justinmclean commented 5 months ago

Note that the output from `npm list` above only included the top level dependencies; you need to use `npm list --depth 3` to see caniuse-lite. Or more correctly `npm list --depth 3 --omit=dev`. `yarn list -production` also shows caniuse-lite is in production.
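As an added example (not part of the thread or the project's code), this Node.js sketch walks a tree shaped like `npm ls --all --omit=dev --json` output and reports every production dependency chain that reaches caniuse-lite. The tree is a constructed sample using versions quoted on this page; the root name `web` and the function names are assumptions.

```javascript
// Constructed sample in the shape of `npm ls --all --omit=dev --json` output.
// Package versions are the ones quoted in this issue; the root name is a placeholder.
const sampleTree = {
  name: "web",
  version: "0.0.0",
  dependencies: {
    next: {
      version: "14.0.3",
      dependencies: { "caniuse-lite": { version: "1.0.30001566" } },
    },
    autoprefixer: {
      version: "10.4.16",
      dependencies: {
        browserslist: {
          version: "4.22.2",
          dependencies: { "caniuse-lite": { version: "1.0.30001566" } },
        },
        "caniuse-lite": { version: "1.0.30001566" },
      },
    },
    react: { version: "18.2.0" },
  },
};

// Return every chain "top@ver > ... > target@ver" that ends at `target`.
function findDependencyPaths(tree, target) {
  const paths = [];
  const walk = (deps, trail) => {
    for (const [name, node] of Object.entries(deps || {})) {
      const id = `${name}@${node.version ?? "unknown"}`;
      if (trail.includes(id)) continue; // guard against dependency cycles
      const chain = [...trail, id];
      if (name === target) paths.push(chain.join(" > "));
      walk(node.dependencies, chain); // deduped nodes may have no children
    }
  };
  walk(tree.dependencies, []);
  return paths;
}

// Direct dependencies that would have to change to drop `target` entirely.
function directDependenciesPulling(tree, target) {
  const roots = findDependencyPaths(tree, target).map((p) => p.split(" > ")[0]);
  return [...new Set(roots)];
}

console.log(findDependencyPaths(sampleTree, "caniuse-lite"));
```

Feeding it the real JSON from the project shows which direct dependencies would need replacing, regardless of whether the bundler later tree-shakes the package out.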

LauraXia123 commented 5 months ago

Only the functionality of top level dependencies which is referenced in the web will be built into the output files. Not all the source code of the top level dependencies, nor the depth 3 dependencies. That's what tree-shaking is for.

And we can exclude some code with settings like those in the build task file

And yarn is not recommended, as it adopts a flat node_modules structure. That causes ghost dependency problems. That's why you might see caniuse-lite at the top level. We recommend using pnpm for our project. We can add the packageManager property set to pnpm in package.json. Then it will give you an error when you install with yarn.

justinmclean commented 5 months ago

Dependencies of dependencies matter with ASF policy. Excluding a dependency from a release artifact doesn't solve the issue. What package manager is used is irrelevant as long as the dependency exists. There is an issue that needs to be resolved; how do you suggest we resolve this?

LauraXia123 commented 5 months ago

My point is that only the top level dependencies can be referenced in our source code, and caniuse's source code is excluded from the dependencies of dependencies (nextjs). Not recommending the yarn package manager is an explanation for why you can see caniuse in the top level of the dependency structure of the yarn list.

justinmclean commented 5 months ago

Do you have a suggestion on how to resolve this in line with ASF release and licensing policies?

LauraXia123 commented 5 months ago

Can we list some Apache projects that are in the same situation as ours, and claim it is just a list of browser features and as such copyright doesn't apply: https://github.com/apache/flink/blob/master/flink-runtime-web/web-dashboard/package-lock.json https://github.com/apache/superset/blob/master/superset-frontend/package-lock.json

justinmclean commented 5 months ago

Those projects may or may not be in the same position as us; I would need to look into the details. Either way, it's unlikely to help us. I think the best course of action is to get accepted into the Incubator and then discuss this on ASF's legal list.