Add `WITH GPL-3.0-linking-exception` to license in package.json (was: License check with Snyk)

[ReuDa]

Hi ho 👋 ,

we've recently forked a library that we want to keep maintained and secure.

To do so, I've added a Snyk check to be reported about new vulnerabilities. Snyk is also checking the license.

Snyk is detecting the license of node-mitm as AGPL-3.0. I don't know the exact internals of Snyk, but I guess it's because LAGPL is not defined in the SPDC License list and it's doing some kind of fallback.

AGPL is probably banned in almost all companies. And we (and the original author of the forked library) are using MIT which would also be not compatible to AGPL.

[moll]

Hey,

Thanks for caring about software licensing!

Yeah, Snyk misidentifies that license as the package.json entry is from a time when you couldn't add exceptions in a machine readable way. Long story short, it's got the same exception as Lesser GPL adds:

Additional permission under the GNU Affero GPL version 3 section 7: If you modify this Program, or any covered work, by linking or combining it with other code, such other code is not for that reason alone subject to any of the requirements of the GNU Affero GPL version 3.

Hence the brief summary in the README, too. :)

I'll close the issue for now as there's nothing actionable per-se, but we're welcome to continue chatting and clarifying things here.

[moll]

I see I've used "AGPL-3.0-or-later WITH GPL-3.0-linking-exception" in https://www.npmjs.com/package/j6pack (package.json). NPM's website isn't particularly helpful though as it truncates the rest and shows just "AGPL-3.0-or-later". That's misleading.

Do you know of a way of confirming what Snyk shows for J6Pack? I don't know how to get to the same page as you've screenshot.

[ReuDa]

That would be perfect. I've created a small test project, scanned it via Snyk and it's perfectly discovering AGPL-3.0-or-later WITH GPL-3.0-linking-exception license without complaining about it.

Snyk discovered AGPL-3.0-or-later WITH GPL-3.0-linking-exception license

Snyk only complaining about AGPL-3.0 in mitm and nothing for j6pack

[moll]

Thank you for testing, @ReuDa! I'll do this tweak next time I get around to Mitm.js.

For the record, all versions have been under the same license. It's just the package.json machine readable license name that benefits from this. So don't worry about it in your failure-lamba fork if you were okay with the exception in the first place. ;)

[ReuDa]

👍

Thanks!

I'm not worried about the license itself. I'm only worried about customers' license checkers preventing them from using our library.

I know, it's an annoying question, but is there any way to speed that up? 🫣 I guess a PR is not that much of a help for this little change?

[moll]

Bribing me with three crispy doughnuts may work (drinks on me), but I'll give it a look tomorrow. It's about time I update the GitHub actions list to include all newer Node.js versions, too. ;)

[ReuDa]

Didn't know how much doughnuts are in Tallinn, but we've sent over a small sponsoring. 😉

[moll]

Ooh, hey, man, thanks a bunch! That should be precisely 74 crispy doughnuts, so should you ever land in Tallinn, doughnuts and drinks are on me!

[ReuDa]

Deal! 😀

[moll]

I've updated the license field in package.json to use the SPDX identifier above. Also converted the old Travis CI YAML to GitHub Actions. On top of that, fixed a keep-alive issue with Node v19–v22. Would you mind running it on your app, @ReuDa, to make sure it all looks good? I'll then throw a new patch version out.

Thanks in advance!

[ReuDa]

Perfect 👍 - Works, but I have not tested with Node > v19.

But a nice set of tests. 👍

[ReuDa]

I now also tested with Node v20. Everything works perfectly!

Thank you!

[moll]

v1.7.3 is now published along with the SPDX-compatible license identifier, removed Underscore.js dependency and disabled keep-alives on Node v19+. Thanks again for the doughnuts! ;)