chaijs / sinon-chai

Extends Chai with assertions for the Sinon.JS mocking framework.

License causing enterprise scanning software issues #159

Open calebdwilliams opened 1 year ago

calebdwilliams commented 1 year ago

The WTFPL is not recognized by some enterprise-level scanning tools (like Mend) as an allowable license. I realize this is more likely than not an issue with my company's configuration of that software/legal requirements, but figured it wouldn't hurt to create an issue.

If this is something you're willing to resolve, any commonly-recognized permissible public license should work for us. If not, feel free to mark this as wontfix and I'll find another solution.

voxpelli commented 1 year ago

It is dual licensed under BSD as well, Mend should recognize that? Maybe Mend doesn't correctly understand dual licenses? Or the SPDX syntax here is wrong?

calebdwilliams commented 1 year ago

It recognizes both licenses, but since the latter is a banned license it gets marked as a disallowed dependency. I'm honestly not sure if this is a problem with the dual license, Mend or our internal settings, just passing along the problem with as much info as I can.

For my part, I was able to remediate this by marking this package as a peer and dev dependency, but that’s not really what I was hoping to do.

voxpelli commented 1 year ago

That’s the wrong logic by Mend. As long as any of the licenses in a dual licensed project is okay the dependency should be deemed okay.

calebdwilliams commented 1 year ago

That makes sense to me. I’ll try poking around to see what I can figure out there. Please feel free to close this if you’d like.