emotion-js / emotion

👩‍🎤 CSS-in-JS library designed for high performance style composition
https://emotion.sh/
MIT License
17.5k stars 1.11k forks

@emotion/react uses caniuse-lite with Creative Commons License #2939

Open Wissperwind opened 2 years ago

Wissperwind commented 2 years ago

Hi,

@emotion/react depends on @babel/core depends on @ampproject/remapping depends on @babel/helper-compilation-targets depends on browserslist depends on caniuse-lite

As you can see, everyone who cares about licenses and would like to use your library has to decide whether he can use software licensed under a CC license. Which is really hard to decide because the license is not made and not recommended for software.

Could you, as a really important library, launch something that solves that problem that is affecting more or less how easily React can be used professionally?

Andarist commented 2 years ago

Sorry but I simply don't understand what you are asking for here and how I could remedy this. I mean, I understand what licenses are but I'm not sure what kind of implications this CC license has on your usage and why this is the first time this has been brought up by the community. Also, note that if you don't plan to use /macro variants of Emotion you won't actually depend on caniuse-lite - however, this still would be downloaded to your machine (because we depend on it) but the parts of the library that you would use wouldn't actually depend on it.

Wissperwind commented 2 years ago

The base problem is that https://github.com/Fyrd/caniuse/ uses the CC license. This is the reason caniuse-lite has to use the CC license, because they are only repackaging. They say in here: https://github.com/Fyrd/caniuse/issues/4062 that it is not easy to change the license. So they have to be motivated a bit. It would be cool if you, as an important library that many people know they are using, said to them: Hey, all people using our library wonder about your license and some have to spend hours discussing with their management whether a CC license can be used. (Management simply doesn't want to use something they don't know.) Maybe if it comes from Emotion, they might notice that this would really improve the React experience, because if they change the license, caniuse-lite can change the license and millions of React projects can just consist of well-known, easy-to-judge software licenses.

Andarist commented 2 years ago

I plan to restructure packages in the next major version to make this a non-issue if you don't use the Babel-related things from our packages.

I still don't understand if this is even an issue for you. What if you don't depend on the given piece of code? It simply got installed automatically on your behalf but you are actually not using this part of the software to develop your things. Is it still a problem? Are you subject to the license of software that you don't use?

Despite Emotion being popular, I doubt the authors of caniuse would reconsider this because of us. I also find the point raised by them to be sound:

> Also, of all the organizations that use this data so far it's never been brought up as a problem before now...so I'm a bit surprised your lawyers find there to be an issue with it.

How is it that, for example, Apple can use Emotion somewhere but your organization has some problems with it just because the given license is less familiar to it?

Wissperwind commented 2 years ago

Hi,

So at first, thanks for taking this seriously! I need to check packages that we ship. It is not important if we use them. So if a library depends on something but does not use the code, it is shipped anyway. So the license has to be checked. I personally don't think that it is a problem to use software under the CC license. And I think lawyers would find that out pretty quickly, too. But the problem is with medium-sized organisations that don't have lawyers, where some management has to judge the CC license. And if that management doesn't feel comfortable judging by themselves, they have to pay money for a lawyer to judge the license... And that takes time... and is expensive... So would it be possible to make the connection in the dependency tree optional? That you can include some extra dependency only if you would like to use the Babel-related things? And if you don't do that you can use emotion without caniuse-lite in the dependency tree?

Andarist commented 2 years ago

> So would it be possible to make the connection in the dependency tree optional? That you can include some extra dependency only if you would like to use the Babel-related things? And if you don't do that you can use emotion without caniuse-lite in the dependency tree?

As mentioned, I plan to juggle this stuff in the next major version - I can't do it in the current release line because that would be a breaking change for some consumers.

BGehrels commented 1 year ago

This issue somehow duplicated https://github.com/emotion-js/emotion/issues/2588 and https://github.com/emotion-js/emotion/issues/2660.

@Andarist Do you have any idea of a rough timeline for the next major release? Are we talking about days, months, quarters or years? We have been able to work around this issue by using --legacy-peer-deps, but this workaround falls apart when upgrading to babel-loader 9.0.0 - so it starts blocking us.

Andarist commented 1 year ago

> @Andarist Do you have any idea of a rough timeline for the next major release? Are we talking about days, months, quarters or years?

Honestly - I don't know. It's probably months away. Emotion is heavily depended upon and releasing a new major version is always a friction to the community. I would like to avoid doing it for as long as I can.

However, I still don't quite understand the problem. Could you confirm that you really need to care about a license of a package that you merely download but that you don't end up using? This seems bizarre from my PoV - but I'm also not an expert in this area.

Wissperwind commented 1 year ago

It is not really possible for us to determine what code is actually run / used. I think it is standard to use a command like license-exporter --json --recursive to determine of what third-party libraries a project consists. And for every library that is listed by that command, and for every license one of those libraries uses, we have to talk with our management about whether it is OK to use a library licenced under that license. And we have to talk to every customer about whether it is OK for them to use a library under that license.

And even if a license does not prohibit something critical, it is very hard to convince someone if that license is not well known.
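The recursive license inventory discussed in this thread, as an added example that is not part of the original thread or of the Emotion project: it walks an npm lockfile (lockfileVersion 2/3 `packages` layout), flags every installed package whose license is outside an allowlist, and reports the dependency chain that pulled it in. The lockfile below is constructed and abbreviated (versions are placeholders), and the allowlist is an assumed policy.

```javascript
// Constructed, abbreviated lockfile; versions are placeholders, not real releases.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { '@emotion/react': '*' } },
    'node_modules/@emotion/react': { version: '0.0.0', license: 'MIT', dependencies: { '@babel/core': '*' } },
    'node_modules/@babel/core': { version: '0.0.0', license: 'MIT', dependencies: { browserslist: '*' } },
    'node_modules/browserslist': { version: '0.0.0', license: 'MIT', dependencies: { 'caniuse-lite': '*' } },
    'node_modules/caniuse-lite': { version: '0.0.0', license: 'CC-BY-4.0' },
  },
};

// Assumed policy: SPDX identifiers the organisation has already approved.
const ALLOWED = new Set(['MIT', 'ISC', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause']);

// Node-style resolution: look in the dependent's own node_modules, then walk up.
function resolve(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. skipped optional dependency)
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// Breadth-first walk from the root project; keeps the shortest chain to each package.
function auditLicenses(lock, allowed = ALLOWED) {
  const { packages } = lock;
  const chains = new Map([['', [packages[''].name || '(root)']]]);
  const queue = [''];
  const findings = [];
  while (queue.length) {
    const path = queue.shift();
    const pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.peerDependencies, ...pkg.optionalDependencies,
      ...(path === '' ? pkg.devDependencies : {}) }; // dev deps only count for the root
    for (const name of Object.keys(deps)) {
      const target = resolve(packages, path, name);
      if (!target || chains.has(target)) continue;
      chains.set(target, [...chains.get(path), name]);
      queue.push(target);
      const license = packages[target].license || 'UNKNOWN';
      if (!allowed.has(license)) {
        findings.push({ name, license, dev: !!packages[target].dev, chain: chains.get(target) });
      }
    }
  }
  return findings;
}

console.log(auditLicenses(sampleLock));
```

The `dev` flag in each finding mirrors the lockfile's own marker for packages reachable only through development dependencies, which is the distinction a reviewer needs when deciding whether a flagged package is actually shipped.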