cashapp / licensee

Gradle plugin which validates the licenses of your dependency graph match what you expect
https://cashapp.github.io/licensee/docs/1.x/
Apache License 2.0

Support Kotlin JS npm dependencies #208

Open hfhbd opened 1 year ago

hfhbd commented 1 year ago

Currently, we support Maven coordinates only. Kotlin JS also supports npm dependencies, which would be nice to support too to have one dependency (and SPDX) report. npm stores the license information in the package.json, so parsing these files is easy: it is JSON and we already use kotlinx-serialization.

Open question: How to get these files: Could we use Gradle's downloader (somehow)? What about configuration cache? How does KGP fetch the dependencies? AFAIK it is done by yarn during execution (kotlinNodeJsSetup), but we should check it.

(Related, what about CocoaPods?)

JakeWharton commented 1 year ago

Assuming we can get access to the node_modules directory in a stable way, its format is standardized (I think?) and contains all of the package.json files for parsing.

JakeWharton commented 1 year ago

Presumably also have to depend on whatever task is responsible for running the yarn install.
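
The parsing step discussed in this thread, as an added example that is not part of the original comments and is not licensee's code: it walks a node_modules directory, reads each package.json, normalizes the license forms npm packages use, and fails closed when a declaration is missing. The function names, the sample tree and the allowlist are assumptions made for illustration.

```javascript
// Added example, not licensee's code; sample tree and allowlist are constructed.
const fs = require("fs"), os = require("os"), path = require("path");

// Normalize "license": "MIT", legacy {type, url} objects and the legacy "licenses" array.
function declaredLicenses(pkg) {
  const name = (v) => (typeof v === "string" ? v : v && typeof v.type === "string" ? v.type : "");
  const all = [pkg.license, ...(Array.isArray(pkg.licenses) ? pkg.licenses : [])];
  return all.map((v) => name(v).trim()).filter(Boolean);
}

// Walk node_modules, @scope directories and nested node_modules; symlinks are skipped.
function scan(nodeModules, report = []) {
  if (!fs.existsSync(nodeModules)) return report;
  for (const entry of fs.readdirSync(nodeModules, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith(".")) continue;
    const dir = path.join(nodeModules, entry.name);
    if (entry.name.startsWith("@")) { scan(dir, report); continue; }
    let pkg = null;
    try { pkg = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf8")); }
    catch { /* missing or malformed manifest: reported with no licenses */ }
    const id = pkg && pkg.name ? `${pkg.name}@${pkg.version}` : dir;
    report.push({ id, licenses: pkg ? declaredLicenses(pkg) : [] });
    scan(path.join(dir, "node_modules"), report);
  }
  return report;
}

// Fail closed: no declaration, or any value off the allowlist, is a violation.
function violations(report, allowed) {
  const ok = (p) => p.licenses.length > 0 && p.licenses.every((l) => allowed.has(l));
  return report.filter((p) => !ok(p)).map((p) => p.id).sort();
}

// Constructed sample tree, written to a temp directory.
function buildSample() {
  const nm = path.join(fs.mkdtempSync(path.join(os.tmpdir(), "nm-")), "node_modules");
  const tree = {
    "left": { name: "left", version: "1.0.0", license: "MIT" },
    "@acme/ui": { name: "@acme/ui", version: "2.1.0", licenses: [{ type: "Apache-2.0" }] },
    "left/node_modules/old": { name: "old", version: "0.3.0", license: { type: "GPL-3.0-only" } },
    "bare": { name: "bare", version: "0.0.1" },
  };
  for (const [rel, json] of Object.entries(tree)) {
    fs.mkdirSync(path.join(nm, rel), { recursive: true });
    fs.writeFileSync(path.join(nm, rel, "package.json"), JSON.stringify(json));
  }
  return nm;
}
console.log(violations(scan(buildSample()), new Set(["MIT", "Apache-2.0"])));
```

License values are compared as opaque strings, so an SPDX expression such as `(MIT OR Apache-2.0)` is flagged for review rather than evaluated.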