search

bholloway / resolve-url-loader

Webpack loader that resolves relative paths in url() statements based on the original source file
563 stars 71 forks source link

Dependency 'rework' has no license #191

Closed dotcs closed 3 years ago

dotcs commented 3 years ago

I've noticed that the dependency 'rework', which is a direct dependency of this project, does not have a license. An issue that asks the maintainer to add a license has been created here. Unfortunately as long as the package does not have an OSS license added, it's also a problem to add resolve-url-loader to a project.

Are maintainers aware of the risk and are there any plans to mitigate this problem? How hard would it be to switch to another properly licensed package or rewrite the logic to replace the module in question?

Thanks for taking the time to think about this issue.

bholloway commented 3 years ago

@dotcs the root package.json here is not relevant if you are consuming the resolve-url-loader package from npm.

I would argue that this is the only package.json which is relevant.

Regardless since we are discussing V4 then you need to keep in mind that V4 is currently only available as alpha through distag @next.

There is an intention to completely remove rework in V5 soon after release of V4. However "soon after" is probably still some time away from now.

dotcs commented 3 years ago

Thanks for your answer. I found your package during a scan with license-ls. You might be a false positive in this case since the dependency is only a peer dependency. But it seems such tools, which typically large companies use to scan their code bases, do not use the file that you intend them to use.

Steps to reproduce:

cd /some/folder/to/test
npm init -y
npm install --save resolve-url-loader
npx license-ls --format=json > deps.json

and 

$ cat deps.json  | grep -C 5 rework             
    "homepage": "https://github.com/sindresorhus/has-flag#readme",
    "dependencyLevel": "production"
  },
  {
    "id": 33,
    "name": "rework",
    "version": "1.0.1",
    "license": "unknown (?)",
    "repository": "git://github.com/reworkcss/rework.git",
    "author": "TJ Holowaychuk",
    "homepage": "https://github.com/reworkcss/rework#readme",
    "dependencyLevel": "production"
  },
  {
    "id": 34,
    "name": "convert-source-map",

Which basically means that rework ends in those scans and your package might be issued since it is listed as the root package, that includes it.

$ npm ls rework
foo@1.0.0 /tmp/foo
└─┬ resolve-url-loader@3.1.2
  └── rework@1.0.1

So to avoid any automated rejection scenarios I think it would be worth considering to optimize for this automated scanning approach.

bholloway commented 3 years ago

@dotcs thanks for "steps to reproduce" 🙇

So running this with resolve-url-loader@next gets us the v4-alpha.

cd /some/folder/to/test
npm init -y
npm install --save resolve-url-loader@next
npx license-ls --format=json > deps.json

This doesn't seem to show any licence problems.

So hopefully with the release of V4 this should be cleaned up by default. 🤞 I will leave this open until V4 release and tag it appropriately.

bholloway commented 3 years ago

Released resolve-url-loader@4.0.0-beta.1.

Since v4 is now master branch and v3 has moved to maintenance so I'm going to close this issue.

If you cannot adopt the beta in your project, or v4 full release is not released in the next few weeks, then feel free to reopen this issue.