Closed pathmapper closed 3 years ago
You need to differentiate between the license text and the license identifier. This plugin aims to get both:
license field
The text in the LICENSE.txt file from that repository should be found - however, SEE LICENSE IN LICENSE.txt is not a valid identifier and it is hard if not impossible to parse the identifier from arbitrary licen[cs]e files. So this plugin will error, and you need to decide how you deal with your mapbox-gl-js dependency in terms of license compliance. Typically, you would let your legal team check the license and if it's allowed, just licenseOverride it so the plugin doesn't error.
just licenseOverride it so the plugin doesn't error.
But if it's a custom license I'm fine with using it (and there is no valid SPDX identifier available), there is currently nothing I could use for licenseOverride to make the plugin happy so it will not error, right?
So what would help in this case would be one specific placeholder like see licenseText which could be used instead of a valid SPDX identifier for licenseOverride and which would be accepted by the plugin so it won't error.
Sorry if it wasn't clear.
Ohh, so the things you pass to licenseOverride are also checked for being valid SPDX identifiers? I could see how that would be a problem 😁
Yes, exactly, this is currently the case :-)
Will hopefully get to this early next year. Feel free to open a pull request changing this.
Edit: Early March, still haven't found the time. Help is welcome!
I finally had some time to reflect about this.
mapbox-gl-js license is problematic, because
license field of package.json
LICENSE.TXT, which contains a custom license that doesn't have a valid SPDX identifier
With default settings, this will throw an Error. You can use the licenseOverrides option to define a different license than the one listed in package.json to prevent this error if you override with a valid SPDX license. The LICENSE.TXT shows that mapbox-gl-js is not licensed under a valid SPDX license. If you use some variation of the custom license name as a string in the licenseOverrides option, the plugin will Error because it expects valid SPDX license identifiers.
One solution to this problem might be to exclude the check for valid SPDX identifiers for licenses overridden with licenseOverrides. This would, however, allow mistakenly wrong entries in licenseOverrides that are supposed to replace with a valid SPDX identifier, but have typos or other mistakes in them, which is why I decided to not do this.
What you can do as a user of mapbox-gl-js is to exclude the package from license checks altogether using the excludedPackageTest option and combine the output of this plugin with an additional entry for mapbox-gl-js like this:
    new LicensePlugin({
      excludedPackageTest: name => name === 'mapbox-gl-js',
      additionalFiles: {
        'with-mapbox.json': packages => [...packages, {
          name: 'mapbox-gl-js',
          version: '1.13.1',
          repository: 'https://github.com/mapbox/mapbox-gl-js',
          license: "Mapbox license",
          licenseText: 'content of LICENSE.txt in mapbox-gl-js root directory'
        }]
      }
    })
This code is not tested, but it should work like this. To be honest, I'm not sure what happens when you take the default filename "oss-licenses.json" as additionalFiles key. It might throw an error, it might just write a single file, which would probably be what you want.
@pathmapper Does this help?
Closed due to inactivity, possible solution provided in comment.
@codepunkt sorry for not getting back to you earlier, thanks a lot for your thoughts.
Adding JSON.stringify to your suggestion and using "oss-licenses.json" as additionalFiles key, the following worked for me (resulting in a single file which is exactly what I want 😄 ):
    additionalFiles: {
      'oss-licenses.json': packages => JSON.stringify([...packages, {
        'name': 'mapbox-gl-js',
        'version': '1.13.1',
        'repository': 'https://github.com/mapbox/mapbox-gl-js',
        'license': "Mapbox license",
        'licenseText': 'content of LICENSE.txt in mapbox-gl-js root directory'
      }], null, 2)
    }
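Added example, not part of the thread or of webpack-license-plugin: one way to derive both the excludedPackageTest and the additionalFiles callback from a single list, so a package that is skipped by the SPDX check cannot silently drop out of oss-licenses.json. The names buildManualLicenseOptions, manualEntries and REQUIRED are hypothetical, and the entry values are the placeholders used in the comments above.

```javascript
// Added example; helper names are hypothetical, not plugin API.
// Packages with a custom (non-SPDX) license that were reviewed manually.
const manualEntries = [{
  name: 'mapbox-gl-js',
  version: '1.13.1',
  repository: 'https://github.com/mapbox/mapbox-gl-js',
  license: 'Mapbox license',
  // Constructed placeholder, as in the thread; use the real license text.
  licenseText: 'content of LICENSE.txt in mapbox-gl-js root directory',
}];

const REQUIRED = ['name', 'version', 'license', 'licenseText'];

function buildManualLicenseOptions(entries) {
  // A manual entry replaces the plugin's own checks, so refuse incomplete ones.
  for (const entry of entries) {
    for (const key of REQUIRED) {
      if (typeof entry[key] !== 'string' || entry[key].trim() === '') {
        throw new Error(`manual license entry ${entry.name || '?'}: missing ${key}`);
      }
    }
  }
  const names = new Set(entries.map(e => e.name));
  if (names.size !== entries.length) {
    throw new Error('duplicate manual license entry');
  }

  return {
    // Only packages that have a manual entry are excluded from the SPDX check.
    excludedPackageTest: name => names.has(name),
    additionalFiles: {
      // Same key as the default output file, as in the reply above.
      'oss-licenses.json': packages => {
        const clash = packages.find(p => names.has(p.name));
        if (clash) {
          throw new Error(`${clash.name} was scanned and also listed manually`);
        }
        // The callback must return a string, hence JSON.stringify.
        return JSON.stringify([...packages, ...entries], null, 2);
      },
    },
  };
}

// In webpack.config.js: new LicensePlugin(buildManualLicenseOptions(manualEntries))
```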
According to https://github.com/codepunkt/webpack-license-plugin/issues/443#issuecomment-742060966
There are use cases where there are no valid SPDX identifiers in package.json but something like SEE LICENSE IN LICENSE.txt.
Here is an example (which was also valid before the recent license change when BSD-3-Clause used to be the license):
https://github.com/mapbox/mapbox-gl-js/blob/20b953937ac54e3743aed06066b0bbe0092f5c9a/package.json#L7
What about a licenseOverrides option: which takes the license text of a licen[cs]e file for licenseText?