Closed dd-jy closed 2 years ago
Licensee is a CLI tool for auditing dependency licenses. It's not part of npm CLI.
@kemitchell Actually, I requested this issue in npm-rfcs (https://github.com/npm/rfcs/discussions/563). Then, can you tell me where I can post it?
Does licensee support this kind of SPDX expression? If so, it’s an npm issue, but I assumed that if it did, npm would automatically support it.
(or is licensee not what npm uses to validate spdx expressions? It’s certainly what it’ll use for npm audit licenses)
@kemitchell I searched the licensee code, and licensee only allows the spdx license list names (https://www.npmjs.com/package/spdx-osi). In SPDX license expression, it also supports 'LicenseRef-' spdx license expression. So I request it to licensee.
> It’s certainly what it’ll use for npm audit licenses
Is that a future plan? I was not aware.
I see CLI is currently using licensee to audit their own deps:
https://github.com/npm/cli/blob/d8d374d23d34c17e22b52afc1cfb5247cc7c3e1d/package.json#L215=
But I don't see it in the CLI codebase otherwise.
@dd-jy: I don't have time to help you route your question. Please direct to the npm team if you have an issue with npm.
@ljharb: The LicenseRef concept is an obscure SPDX thing, and not one that either npm CLI or licensee should entertain, in my opinion. I'm sure there are old npm CLI issues where Forrest and I discussed, from way back when.
In that case, sorry for the noise here, that's my bad.
@dd-jy you'd need to file an npm RFC to discuss changing it, but @kemitchell's opinion carries a lot of weight here.
Why can't the 'LicenseRef' license name be used when initializing the package.json with the 'npm init' command?
If users want to add a proprietary license name in package.json, they may also want to add the license name to match the spdx license expression, because it is easier to manage the license name of their package than using 'SEE LICENSE IN '.
What about changing to accept 'LicenseRef-' spdx license expression?
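
The forms of the package.json license value that come up in this thread, sorted for a dependency license audit. This is an added example, not part of the original thread and not the validation code of npm or licensee. The LicenseRef pattern follows the SPDX identifier syntax, `KNOWN_IDS` is a small constructed sample, the function names and sample manifests are hypothetical, and only plain AND/OR expressions are handled (no WITH exceptions).

```javascript
// Added example. KNOWN_IDS is a small constructed sample, not the SPDX license list.
const KNOWN_IDS = new Set(['MIT', 'ISC', 'Apache-2.0', 'BSD-3-Clause']);

// SPDX user-defined reference: optional "DocumentRef-<id>:" prefix, then
// "LicenseRef-<id>", where <id> is one or more letters, digits, "-" or ".".
const LICENSE_REF = /^(?:DocumentRef-[A-Za-z0-9.-]+:)?LicenseRef-[A-Za-z0-9.-]+$/;
const SEE_LICENSE_IN = /^SEE LICENSE IN (\S.*)$/;

// Sort a package.json "license" value into the category an auditor acts on.
function classifyLicense(value) {
  if (typeof value !== 'string' || value.trim() === '') return { kind: 'missing' };
  const v = value.trim();
  if (v === 'UNLICENSED') return { kind: 'unlicensed' };
  const m = SEE_LICENSE_IN.exec(v);
  if (m) return { kind: 'see-file', file: m[1] };
  // Operands of a simple expression: drop parentheses, split on AND / OR.
  const operands = v.replace(/[()]/g, ' ').trim().split(/\s+(?:AND|OR)\s+/);
  const refs = operands.filter((o) => LICENSE_REF.test(o));
  const unknown = operands.filter((o) => !LICENSE_REF.test(o) && !KNOWN_IDS.has(o));
  if (unknown.length > 0) return { kind: 'unrecognized', unknown };
  // Well-formed, but the terms live outside the SPDX list: needs a human.
  if (refs.length > 0) return { kind: 'license-ref', refs };
  return { kind: 'spdx' };
}

// Return only the packages a reviewer has to look at by hand.
function needsReview(manifests) {
  return manifests
    .map(({ name, license }) => ({ name, ...classifyLicense(license) }))
    .filter((r) => r.kind !== 'spdx');
}

// Constructed manifests for illustration.
const SAMPLE = [
  { name: 'a', license: 'MIT' },
  { name: 'b', license: 'LicenseRef-Acme-Internal-1.0' },
  { name: 'c', license: '(MIT OR LicenseRef-Acme-Internal-1.0)' },
  { name: 'd', license: 'SEE LICENSE IN LICENSE.txt' },
  { name: 'e', license: 'Proprietary' },
  { name: 'f' },
];

console.log(needsReview(SAMPLE));
```

A `license-ref` result is syntactically valid SPDX but tells the auditor nothing about the terms, so it belongs in the same manual-review queue as `see-file`.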