davglass / license-checker

Check NPM package licenses

Is this project dead? #245

Open johnthagen opened 3 years ago

johnthagen commented 3 years ago

There have been no commits for 1.5 years: https://github.com/davglass/license-checker/commits/master

Perhaps the README should be updated that this project is abandoned, if it is?

johnthagen commented 3 years ago

Related: https://github.com/davglass/license-checker/pull/223#issuecomment-590452456

johnthagen commented 3 years ago

See https://github.com/RSeidelsohn/license-checker-rseidelsohn as a possible active fork.

Eli-Black-Work commented 3 years ago

Looks dead to me, as well.

Eli-Black-Work commented 3 years ago

Possible replacement: https://github.com/microsoft/license-checker-webpack-plugin

zrosenbauer commented 3 years ago

@davglass is taking sabbatical from Open Source

[screenshot: Screen Shot 2021-03-16 at 9 24 22 PM]

@Bosch-Eli-Black @johnthagen we just forked it and are going to extend / continue to support work on it at @bluenovaio. We will need to take some time to review the issues that are open and try to get the reporters to open them on our repository once we are ready.

We will need to review license and other documents to adhere with our standards.

Fork: https://github.com/bluenovaio/license-checker

johnthagen commented 3 years ago

That's great. Please take a look at https://github.com/RSeidelsohn/license-checker-rseidelsohn as well, as that fork added some nice fixes and improvements.

Eli-Black-Work commented 3 years ago

@zrosenbauer Cool! 🙂 I've starred your project.

johnthagen commented 3 years ago

Since @RSeidelsohn's fork is still active, pinging him for awareness. Perhaps you two can collaborate. Would be great to have this project revived. ❤️

zrosenbauer commented 3 years ago

Yea I’ll reach out and see what we can do.


RSeidelsohn commented 3 years ago

Yes, this project should not die. I love my job as a FE dev, but it's a full time job, and in my spare time I care for my wife and our two children, which is pretty time consuming. Also, I try to find time for my (other) hobby as well: home brewing. So I do not find too much time for caring for this project. Yet it is great for giving a small contribution to the community, it helps hone my skills, and it is fun as well. So, that being said, I try to do my best, and I happily accept pull requests. This project is really small and should be great for beginning contributors as well. I will try to take care of the current two requests, hopefully next weekend.

Cheers and thanks for the pings!

zrosenbauer commented 3 years ago

@RSeidelsohn can you shoot me an email at zac@bluenova.io, I'd love to chat briefly about this project with you if you have a chance. Cheers.

brebory commented 3 years ago

> @Bosch-Eli-Black @johnthagen we just forked it and are going to extend / continue to support work on it at @bluenovaio. We will need to take some time to review the issues that are open and try to get the reporters to open them on our repository once we are ready.
>
> We will need to review license and other documents to adhere with our standards.
>
> Fork: https://github.com/bluenovaio/license-checker

@zrosenbauer is the bluenovaio fork defunct or moved? The link doesn't appear to work for me.

As someone looking to use this tool, should I be using the rseidelsohn fork or the bluenovaio fork?

johnthagen commented 3 years ago

> As someone looking to use this tool, should I be using the rseidelsohn fork or the bluenovaio fork?

I've found @RSeidelsohn's fork to work great. He's fixed several issues with the base repo. I haven't had any issues with his fork.

zrosenbauer commented 3 years ago

Don't use the BlueNova fork, it's still WIP; use RSeidelsohn's!


codepunkt commented 1 year ago

@johnthagen @Bosch-Eli-Black @RSeidelsohn @brebory @zrosenbauer As the author of webpack-license-plugin and someone responsible for JavaScript ecosystem OSS license compliance in a larger company, I would love to hear more about your use cases. Why are you using license-checker? What problem does it help you solve?

johnthagen commented 1 year ago

@codepunkt We use a fork of license-checker to generate a static license report of all NPM dependencies to include with the built frontend to comply with OSS licenses requirements. We host this so that we can provide a link in our app for end users to view the licenses. This also helps give credit to these upstream packages.

Here is an example of creating such a report:

Eli-Black-Work commented 1 year ago

We have a similar use case as @johnthagen: We generate a static license report of all NPM dependencies and feed that to an OSS license scanner tool (similar to Blackduck).

We're currently using https://github.com/microsoft/license-checker-webpack-plugin, but that repo is no longer maintained, as the owner of the repo is no longer at Microsoft.

codepunkt commented 1 year ago

> @codepunkt We use a fork of license-checker to generate a static license report of all NPM dependencies to include with the built frontend to comply with OSS licenses requirements. We host this so that we can provide a link in our app for end users to view the licenses. This also helps give credit to these upstream packages.
>
> Here is an example of creating such a report:

@johnthagen That's what I was suspecting most people would do with license-checker. Are you using webpack or rollup to build/bundle the frontends?

> We have a similar use case as @johnthagen: We generate a static license report of all NPM dependencies and feed that to an OSS license scanner tool (similar to Blackduck).
>
> We're currently using https://github.com/microsoft/license-checker-webpack-plugin, but that repo is no longer maintained, as the owner of the repo is no longer at Microsoft.

@Bosch-Eli-Black Switching to license-checker is problematic. You will get a lot of false positives and false negatives with your webpack build. We're building a large B2B application consisting of multiple microfrontends, each of them being a React app built with webpack. Using license-checker with settings like those shown by @johnthagen gave us a list of roughly 400 packages for our bill of materials. However, the real build output only includes ~250 packages, 50 of which are not included in the list given by license-checker. As it turns out, the only viable way to do this is to hook directly into the build process, because only the build tool or bundler knows what optimizations it makes. Which parts of the code are stripped out in production builds? What can be tree-shaken? Which parts of dependencies of dependencies are included in the build output that are not listed as dependencies, but as devDependencies or optionalDependencies, etc.? Feel free to also take a look at webpack-license-plugin for your purposes.

I'm not trying to dismiss the awesome work the author and maintainer have done here. This repository was the starting point for our license compliance tooling as well. I'm just trying to be realistic here: if license compliance is important to you or your company, it is not a good choice for generating bills of material.