jslicense / licensee.js

check dependency licenses against rules
https://www.npmjs.com/package/licensee
Apache License 2.0

"ZLib" allowed but ignored #94

Open jayvdb opened 2 weeks ago

jayvdb commented 2 weeks ago

When I add "ZLib" to the licenses.spdx list, there is no error, but it does not allow "Zlib" (lower-case l) packages to be approved.

kemitchell commented 1 week ago

Could you provide a sample .licensee.json and clarify what you mean by lower-case-l-zlib packages not being allowed to be approved? Zlib is both a project name and the name of that project's license. The SPDX identifier for the license is Zlib with a capital Z.

jayvdb commented 1 week ago

To reproduce this, create a .licensee.json that contains an entry ZLib (upper-case L) in licenses.spdx and a package.json whose dependencies contain "pako": "2.1.0".

Running licensee will show

pako@2.1.0
  NOT APPROVED
  Terms: (MIT AND Zlib)
  Corrected: correct-license-metadata
  Repository: nodeca/pako
  Homepage: None listed
  Author: None listed
  Contributors:
    Andrei Tuputcyn (https://github.com/andr83)
    Vitaly Puzrin (https://github.com/puzrin)
    Friedel Ziegelmayer (https://github.com/dignifiedquire)
    Kirill Efimov (https://github.com/Kirill89)
    Jean-loup Gailly
    Mark Adler

This is because the matching of Zlib in the pako metadata is case-sensitive, and the values in licenses.spdx are not checked to be valid case-sensitive spdx identifiers.

IMO the expected behaviour in this scenario is to emit an error, something like:

error: .licensee.json: "ZLib" is not a valid SPDX identifier
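
The two checks the report above asks for, written out as an added example (this is not licensee's own code): validate each entry in licenses.spdx case-sensitively against the SPDX list and suggest the correct casing, and show why an allowed "ZLib" still leaves pako's "(MIT AND Zlib)" unapproved. The SPDX identifier set here is a constructed subset; a real check would load the full list. The expression handling is deliberately minimal (AND/OR/WITH and parentheses only) and treats OR conservatively, requiring every identifier to be allowed.

```javascript
// Constructed subset of the SPDX license list (the real check would load the
// full list). SPDX identifiers are case-sensitive: "Zlib" is valid, "ZLib" is not.
const SPDX_IDS = new Set([
  'MIT', 'ISC', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0', 'Zlib', 'Unlicense'
])

// Lower-cased id -> canonical id, used only to suggest the right casing.
const LOWER_TO_CANONICAL = new Map(
  Array.from(SPDX_IDS, (id) => [id.toLowerCase(), id])
)

// Validate every entry of config.licenses.spdx against the SPDX list.
// Returns an array of error strings (empty when the config is clean) instead
// of silently accepting an identifier that can never match anything.
function validateSpdxList (config) {
  const ids = (config.licenses && config.licenses.spdx) || []
  const errors = []
  for (const id of ids) {
    if (SPDX_IDS.has(id)) continue
    const canonical = LOWER_TO_CANONICAL.get(id.toLowerCase())
    const hint = canonical ? ` (did you mean "${canonical}"?)` : ''
    errors.push(`.licensee.json: "${id}" is not a valid SPDX identifier${hint}`)
  }
  return errors
}

// Pull the identifiers out of a simple SPDX expression such as "(MIT AND Zlib)".
// Only parentheses and the AND/OR/WITH operators are handled; this is not a
// full SPDX expression parser.
function expressionIds (expression) {
  return expression
    .replace(/[()]/g, ' ')
    .split(/\s+/)
    .filter((tok) => tok && !['AND', 'OR', 'WITH'].includes(tok))
}

// Approve a package's license expression only when every identifier in it is
// in the allowed list, compared case-sensitively. OR is treated conservatively
// (all branches must be allowed). This is the comparison that bites pako:
// "Zlib" in its metadata never equals "ZLib" from the config.
function approved (expression, allowedIds) {
  const allowed = new Set(allowedIds)
  const ids = expressionIds(expression)
  return ids.length > 0 && ids.every((id) => allowed.has(id))
}

// Constructed configs mirroring the report, and pako's terms from the output above.
const badConfig = { licenses: { spdx: ['MIT', 'ZLib'] } }
const goodConfig = { licenses: { spdx: ['MIT', 'Zlib'] } }
const pakoTerms = '(MIT AND Zlib)'

console.log(validateSpdxList(badConfig))
console.log(approved(pakoTerms, badConfig.licenses.spdx))
console.log(approved(pakoTerms, goodConfig.licenses.spdx))
```

Running this prints one error for the bad config (with the "Zlib" suggestion), then false for the "ZLib" config and true once the entry is corrected to "Zlib". Rejecting the config up front turns a silently ineffective allow-list entry into a visible configuration error.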

kemitchell commented 1 week ago

Zlib with a capital Z is the valid SPDX identifier.

ljharb commented 1 week ago

@kemitchell I stumbled on this too, but I think the issue is that there's NO error with ZLib, because it's indeed supposed to be Zlib.

kemitchell commented 1 week ago

Ah, I see. ZLib.