Today I ran into an issue when the license of a package is an array. In the composer.json documentation the following is said about using an array for the license:
For a package, when there is a choice between licenses ("disjunctive license"), multiple can be specified as array.
So you can choose which license you want to use. Based on that my expectation would be that the check-license guard will consider the license of a package valid if at least one of its licenses is allowed via accept-license:. However it seems right now that the check-license guard is instead requiring that all the licenses in the array are allowed via accept-license:.
This creates a problem with for example the nette/utils package which allows you to use either a BSD 3-Clause, GPL 2.0 or GPL 3.0 license. If you don't want to allow GPL, but are fine with BSD 3-Clause, the guard (incorrectly) blocks the package from installing. This also prevents you from installing Laravel because nette/utils is an indirect dependency for Laravel.
A quick way to reproduce is to start a docker container using docker run -it --rm php:8.0-cli bash -l and then running:
apt-get update -qq
apt-get install -qq -y git unzip jq moreutils > /dev/null
curl -s -o /usr/local/bin/composer https://getcomposer.org/download/latest-stable/composer.phar
chmod +x /usr/local/bin/composer
mkdir -p /app
cd /app
composer require --quiet --dev kalessil/production-dependencies-guard:dev-master
echo -e "\n==========> nette/utils is rejected even though BSD-3-Clause is an accepted license\n"
jq '. * {"extra":{"production-dependencies-guard":["check-license","accept-license:BSD-3-Clause"]}}' composer.json | sponge composer.json
jq '.' composer.json
composer require --quiet nette/utils
echo -e "\n==========> nette/utils is allowed because we're accepting all three licenses BSD-3-Clause, GPL-2.0-only and GPL-3.0-only\n"
jq '. * {"extra":{"production-dependencies-guard":["check-license","accept-license:BSD-3-Clause","accept-license:GPL-2.0-only","accept-license:GPL-3.0-only"]}}' composer.json | sponge composer.json
jq '.' composer.json
composer require --quiet nette/utils
echo -e "\n==========> laravel/framework is not allowed with check-lock-file because it depends on nette/utils even though we are allowing the minimum licenses needed\n"
jq '. * {"extra":{"production-dependencies-guard":["check-lock-file","check-license","accept-license:MIT","accept-license:BSD-3-Clause","accept-license:Apache-2.0"]}}' composer.json | sponge composer.json
jq '.' composer.json
composer require --quiet laravel/framework
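To make the semantic difference concrete, here is an added example (my own audit script, not code from production-dependencies-guard) that reads a constructed composer.lock excerpt and evaluates each package's license field under the two policies discussed above: "any" (the package is accepted if at least one alternative in a disjunctive license array is accepted, which is what the composer.json documentation implies) and "all" (every entry must be accepted, which is the behaviour being reported). The package names under the example/ vendor and the lock excerpt itself are constructed; the parenthesised "(A or B)" string form is the alternative syntax composer's documentation allows for disjunctive licenses, and conjunctive "and" expressions are deliberately not parsed.

```python
import json
import re

# Constructed composer.lock excerpt (not a real lock file). A license array in
# composer is disjunctive: the consumer may pick any one of the listed licenses.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "nette/utils",
         "license": ["BSD-3-Clause", "GPL-2.0-only", "GPL-3.0-only"]},
        {"name": "laravel/framework", "license": ["MIT"]},
        {"name": "example/gpl-only", "license": "GPL-3.0-only"},       # constructed
        {"name": "example/paren-form", "license": "(MIT or GPL-2.0-only)"},  # constructed
    ],
    "packages-dev": [],
})


def license_alternatives(field):
    """Normalize composer's `license` field into the list of licenses the consumer
    may choose from. Accepts the array form and the "(A or B)" string form; a
    plain string is a single alternative."""
    if isinstance(field, list):
        return [str(item).strip() for item in field if str(item).strip()]
    text = str(field).strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    return [part.strip() for part in re.split(r"\s+or\s+", text, flags=re.IGNORECASE)
            if part.strip()]


def is_allowed_any(alternatives, accepted):
    """Disjunctive semantics: one accepted alternative is enough."""
    return any(lic in accepted for lic in alternatives)


def is_allowed_all(alternatives, accepted):
    """Strict semantics: every listed license must be accepted."""
    return all(lic in accepted for lic in alternatives)


def audit(lock_json, accepted, mode="any"):
    """Return the names of packages in the lock file that the policy rejects.

    A package with no license field at all is always rejected, since nothing can
    be verified about it (this also stops all() from vacuously passing an empty list).
    """
    accepted = set(accepted)
    check = is_allowed_any if mode == "any" else is_allowed_all
    rejected = []
    for pkg in json.loads(lock_json).get("packages", []):
        alternatives = license_alternatives(pkg.get("license", []))
        if not alternatives or not check(alternatives, accepted):
            rejected.append(pkg["name"])
    return rejected


if __name__ == "__main__":
    # Same accepted set as the laravel/framework step in the reproduction above.
    policy = {"MIT", "BSD-3-Clause", "Apache-2.0"}
    for mode in ("any", "all"):
        print(f"{mode:>3}: rejected = {audit(SAMPLE_LOCK, policy, mode)}")
```

With the accepted set {MIT, BSD-3-Clause, Apache-2.0}, the "any" policy rejects only the constructed GPL-only package, while the "all" policy also rejects nette/utils and the "(MIT or GPL-2.0-only)" package, which is exactly the over-blocking described in the issue.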