kessler / license-report

create a short report about a project's dependencies (license, url etc)
MIT License

allow package-lock.json traversing #138

Closed konuch closed 1 year ago

konuch commented 1 year ago

Allows providing package-lock.json as --package parameter. This allows output of all dependencies, including transient ones.

BePo65 commented 1 year ago

Looks like you are looking for some kind of recursive version of license-report. How about license-report-recursive that extends license-report with the --recurse option.

The problem with package-lock is that it depends on npm. We changed a while ago to the current structure that avoids this kind of dependencies.

konuch commented 1 year ago

Hello, thanks for your response and also for bringing my attention to license-report-recursive 👍 I tried it out, but it takes quite a lot of time to generate the report. I enabled the debug log and I can see it's processing the dependencies, which is fine. But as part of our pipeline it seems to be quite a lot of time, which we probably won't be able to afford. When I tried this license-report package with the proposed changes in this PR and with the `--package=package-lock.json` argument, it generates the dependency list we need. I tried it with node v16.15.1 and npm v8.11.0.

BePo65 commented 1 year ago

I agree that license-report-recursive will take pretty long, at least when generating a tree output.

But I am not really convinced that we should add this pr:

So what alternatives do exist?

How about using `jq` as a kind of a 'preprocessor'? I used the following command to create a 'package-flat.json' file; this file is used as an input to license-report: `jq '{"name": .name,"version": .version,"dependencies":.dependencies | map_values(. |= .version)}' package-lock.json > package-flat.json`
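The preprocessing idea above (and the PR's goal of listing transitive dependencies) can be carried a step further than the jq one-liner, which only reads the top level of a lockfileVersion 1 `dependencies` object. The following script is an added example for this thread and is not part of license-report or this PR; it walks the whole lockfile (nested v1 trees and the flat `packages` map of lockfileVersion 2/3), records every installed copy, and writes a package.json-shaped file that license-report can consume via `--package`. The sample lockfiles at the bottom are constructed for the example; the `include_dev` parameter and the OR-range convention for duplicate versions are this example's own choices.

```python
"""Flatten an npm package-lock.json into a package.json-style dependency map.

Added example for this thread (not license-report's own code). It generalises
the jq one-liner from the comment above: lockfileVersion 1 files keep a nested
"dependencies" tree, lockfileVersion 2/3 files keep a flat "packages" map keyed
by node_modules path; both are handled, and every installed copy (direct and
transitive) is recorded.
"""
import json
import sys
from typing import Dict, Set


def _walk_v1(deps: dict, found: Dict[str, Set[str]], include_dev: bool) -> None:
    """Recursively collect name -> {versions} from a lockfileVersion 1 tree."""
    for name, meta in deps.items():
        if meta.get("dev") and not include_dev:
            continue
        if "version" in meta:
            found.setdefault(name, set()).add(meta["version"])
        # Nested (deduplication-defeating) copies live under the parent's
        # own "dependencies" key, so recurse into it.
        _walk_v1(meta.get("dependencies", {}), found, include_dev)


def _walk_v2(packages: dict, found: Dict[str, Set[str]], include_dev: bool) -> None:
    """Collect name -> {versions} from a lockfileVersion 2/3 "packages" map."""
    for path, meta in packages.items():
        # "" is the root project; keys without node_modules/ are workspace
        # packages; "link" entries are symlinks to those, not installed code.
        if "node_modules/" not in path or meta.get("link"):
            continue
        if meta.get("dev") and not include_dev:
            continue
        if "version" not in meta:
            continue
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"; aliased
        # packages (npm:real-name@x) carry the real name in "name".
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        found.setdefault(name, set()).add(meta["version"])


def flatten_lockfile(lock: dict, include_dev: bool = True) -> dict:
    """Return {"name", "version", "dependencies"} in package.json shape.

    A package installed in several versions is written as a semver OR-range
    ("1.5.0 || 2.0.0") so that no copy is silently dropped from the report.
    """
    found: Dict[str, Set[str]] = {}
    if isinstance(lock.get("packages"), dict):        # lockfileVersion 2 or 3
        _walk_v2(lock["packages"], found, include_dev)
    elif isinstance(lock.get("dependencies"), dict):  # lockfileVersion 1
        _walk_v1(lock["dependencies"], found, include_dev)
    else:
        raise ValueError("not a recognised package-lock.json")
    deps = {name: " || ".join(sorted(versions))
            for name, versions in sorted(found.items())}
    return {"name": lock.get("name", ""), "version": lock.get("version", ""),
            "dependencies": deps}


# Constructed sample lockfiles (not taken from any real project).
SAMPLE_V1 = {
    "name": "demo", "version": "0.1.0", "lockfileVersion": 1,
    "dependencies": {
        "a": {"version": "1.0.0", "dependencies": {"b": {"version": "2.0.0"}}},
        "b": {"version": "1.5.0"},
        "c": {"version": "3.0.0", "dev": True},
    },
}
SAMPLE_V3 = {
    "name": "demo", "version": "0.1.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "0.1.0"},
        "packages/local": {"version": "0.0.1"},
        "node_modules/local": {"resolved": "packages/local", "link": True},
        "node_modules/a": {"version": "1.0.0"},
        "node_modules/a/node_modules/b": {"version": "2.0.0"},
        "node_modules/b": {"version": "1.5.0"},
        "node_modules/@scope/c": {"version": "3.0.0", "dev": True},
    },
}

if __name__ == "__main__":
    # Usage: python flatten_lock.py package-lock.json > package-flat.json
    with open(sys.argv[1]) as fh:
        print(json.dumps(flatten_lockfile(json.load(fh)), indent=2))
```

Entries that come out as an OR-range mark packages present in more than one version in the install tree; those are worth a manual look when building a licence inventory, since the two copies can carry different licences and a tool that resolves the range will only report one of them.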

konuch commented 1 year ago

Hello @BePo65 thanks for the hint! We will do it the way you suggested 👍