Open kriswest opened 1 month ago
The CSL license file is being bundled into the FDC3 NPM module. The CSL governs the Standard and its documentation, but any software or source code (i.e. what the NPM module contains) is distributed under Apache 2.0 instead.
While the package.json's license field indicates Apache-2.0, CI tools that inspect the module (such as JFrog Xray https://jfrog.com/help/r/jfrog-security-documentation/managing-compliance-licenses) will pick up the embedded license and may make it more difficult for firms to onboard the library, unnecessarily.
Update the build and re-release the module without bundling the CSL license files (License.md - License.spdx can remain as it indicates Apache-2.0).
@bingenito @robmoffat
The CSL license file is being bundled into the FDC3 NPM module. The CSL governs the Standard and its documentation, but any software or source code (i.e. what the NPM module contains) is distributed under Apache 2.0 instead.
While the package.json's license field indicates Apache-2.0, CI tools that inspect the module (such as JFrog Xray https://jfrog.com/help/r/jfrog-security-documentation/managing-compliance-licenses) will pick up the embedded license and may make it more difficult for firms to onboard the library, unnecessarily.
Update the build and re-release the module without bundling the CSL license files (License.md - License.spdx can remain as it indicates Apache-2.0).
@bingenito @robmoffat