Closed ranisalt closed 3 months ago
Thanks for the PR!
> - There are two flags `--allowed` and `--blocked` which are exclusive, and can be set multiple times. However, it could also be a separate config file (what tophat/yarn-plugin-licenses does) or a field in package.json
Those flags make sense to me. I'd like to avoid configuration files, since it adds another layer of complexity to the plugin.
> - The command simply outputs the licenses that violate the flags. Should it have an informative message when all licenses are allowed? Should it exit with error code != 0?
I would think one use case would be to audit that no licensing rules are being violated in CI, so a non-zero exit code if the report is non-empty makes sense to me. If the report is empty, I think it should exit zero and write an empty response.
> - Should the command be named `audit`, `verify`, or maybe a flag in the `list` command i.e. `yarn licenses list --verify`?

I don't think it should be part of `list`, since it's confusing to me that `list --allowed` would list violations of that rule. I think you're correct that it should be a new command, and I think `audit` is good.
I believe I have addressed most of the concerns. I just need to implement a flag to exit with an error code, and then I'll mark it as ready.
Thank you for the awesome contribution!
Added a command to audit (or verify) the list of licenses in order to warn if certain licenses are used. Usage example is `yarn licenses audit --blocked GPL-3.0 --blocked SSPL-1.0`

Currently there are a few decisions to be made that I'd like to discuss:

- There are two flags `--allowed` and `--blocked` which are exclusive, and can be set multiple times. However, it could also be a separate config file (what tophat/yarn-plugin-licenses does) or a field in package.json
- The command simply outputs the licenses that violate the flags. Should it have an informative message when all licenses are allowed? Should it exit with error code != 0?
- Should the command be named `audit`, `verify`, or maybe a flag in the `list` command i.e. `yarn licenses list --verify`?
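As an added illustration of the semantics settled in this thread (repeatable `--allowed`/`--blocked` flags that are mutually exclusive, an allow-list flagging anything not listed, a block-list flagging anything listed, and a non-zero exit code whenever the report is non-empty), here is a stand-alone JavaScript sketch. It is example code written for this page, not yarn-plugin-licenses' implementation: the `auditLicenses`, `parseAuditArgs`, `formatReport` and `runAudit` helpers, the `name@version` inventory shape, the exact case-insensitive SPDX-identifier comparison, and the sample inventory are all assumptions.

```javascript
// Added example for this thread, not yarn-plugin-licenses code.
// Assumptions: the inventory is a constructed map "name@version" -> license
// string, and licenses are compared as whole SPDX identifiers, case-insensitively.

const canon = (s) => s.trim().toUpperCase();

// Core check: allow-list mode flags anything NOT in the list,
// block-list mode flags anything IN the list. Never both at once.
function auditLicenses(inventory, { allowed = [], blocked = [] } = {}) {
  if (allowed.length > 0 && blocked.length > 0) {
    throw new Error("--allowed and --blocked are mutually exclusive");
  }
  if (allowed.length === 0 && blocked.length === 0) {
    throw new Error("one of --allowed or --blocked is required");
  }
  const allow = new Set(allowed.map(canon));
  const block = new Set(blocked.map(canon));
  const violations = [];
  for (const [pkg, license] of Object.entries(inventory)) {
    // A missing or empty license field is reported as UNKNOWN.
    const id = (license || "").trim() || "UNKNOWN";
    const bad = allow.size > 0 ? !allow.has(canon(id)) : block.has(canon(id));
    if (bad) violations.push({ pkg, license: id });
  }
  violations.sort((a, b) => (a.pkg < b.pkg ? -1 : a.pkg > b.pkg ? 1 : 0));
  // Empty report -> exit 0; otherwise non-zero so a CI job fails.
  return { violations, exitCode: violations.length === 0 ? 0 : 1 };
}

// Minimal parser for the repeatable flags, accepting both
// "--blocked GPL-3.0" and "--blocked=GPL-3.0".
function parseAuditArgs(argv) {
  const opts = { allowed: [], blocked: [] };
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    const eq = arg.indexOf("=");
    const name = eq === -1 ? arg : arg.slice(0, eq);
    if (name !== "--allowed" && name !== "--blocked") {
      throw new Error(`unknown argument: ${arg}`);
    }
    const value = eq !== -1 ? arg.slice(eq + 1) : argv[++i];
    if (!value || value.startsWith("--")) {
      throw new Error(`${name} requires a license identifier`);
    }
    opts[name.slice(2)].push(value);
  }
  return opts;
}

// One line per violation; empty string when there is nothing to report.
function formatReport(violations) {
  return violations.map((v) => `${v.pkg}: ${v.license}`).join("\n");
}

// Constructed sample inventory standing in for the real lockfile walk.
const SAMPLE_INVENTORY = {
  "left-pad@1.3.0": "MIT",
  "some-db-driver@4.0.0": "SSPL-1.0",
  "copyleft-lib@2.1.0": "GPL-3.0",
  "mystery@0.0.1": "", // no license field in its package.json
};

// Equivalent of `yarn licenses audit <argv>` run against the sample inventory.
function runAudit(argv, inventory = SAMPLE_INVENTORY) {
  const { violations, exitCode } = auditLicenses(inventory, parseAuditArgs(argv));
  return { report: formatReport(violations), exitCode };
}
```

Two caveats worth keeping in mind when wiring this into CI: in block-list mode a package with no license field passes silently (it is neither GPL-3.0 nor SSPL-1.0), so an allow-list is the safer default when the goal is to catch surprises; and real package metadata can carry SPDX expressions such as `MIT OR GPL-3.0`, which this sketch compares as a single opaque string rather than evaluating.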