Open michaelfarrell76 opened 4 years ago
@michaelfarrell76 As far as I can tell from https://github.com/globalizejs/globalize/blob/master/package.json#L76, cldr-data-downloader is a dev dependency, which won't be installed/used at runtime. Your scanning tool probably didn't understand that.
Hmmm, I'm pretty sure that FOSSA is only scanning dependencies and not devDependencies. I've seen others move packages from regular dependencies -> devDependencies and this goes away.
This could be coming up because the downstream packages are pinned to an earlier version of globalize where cldr-data ended up as a regular dependency.
I was unable to determine why the FOSSA output in that image points from globalize -> cldr-data, since I did not find this anywhere in the package.json. Was there a recent change that potentially removed this dep?
When adding a downstream dependency, strong-soap, I was getting a warning because adm-zip had GPL code and this fails our license check, preventing us from using this package. Since then, the GPL code has been removed but the package tree needs to be updated. I've traced this update and I believe that cldr-data is the next package that needs to be updated in this process, followed by globalize.

adm-zip is the issue. This package has been updated to remove GPL code and any version above 0.4.12 no longer has this warning. cldr-data-downloader is the next culprit, and looking at version 0.3.5, it now has adm-zip at 0.4.13 and so this package is no longer an issue. cldr-data currently pins to 0.3.x of cldr-data, so it is unclear to me whether this package has been published with a more recent version with the bumped adm-zip. I've opened an issue in the cldr-data package asking them to bump this version in case it has not already been bumped.

Proposal

cldr-data-downloader to 0.3.5

cldr-data package is being included in this package.json, but wherever that comes from, bumping that version after cldr-data fixes this license issue would be needed.