nodeshift-archived / license-reporter

license-reporter is a tool that gathers licenses for project's dependencies and produces a output in XML, JSON, YAML and HTML format.
Apache License 2.0

Dependencies Missing #292

Closed ciaranRoche closed 6 years ago

ciaranRoche commented 6 years ago

Hey guys, I noticed when I ran license-reporter on two repos, sync-cloud and sync-app, that a number of dependencies were missing from the license.xml and .html files.

Steps to reproduce

bluebird and fh-mbaas-api should be missing from the license.xml file.

ciaranRoche commented 6 years ago

@lgriffin

helio-frota commented 6 years ago

@ciaranRoche you need to remove the npm version range ~ since license-reporter is intended for a product, "I mean" it is expected that products are using fixed versions of dependencies.

Here you can see a warning:

Dependencies using npm version range: bluebird,fh-mbaas-api

07:53 $ license-reporter console
Dependencies using npm version range: bluebird,fh-mbaas-api
========= APPROVED LICENSES        ==========
name: request , version: 2.79.0 , licenses: Apache License 2.0
name: body-parser , version: 1.0.2 , licenses: MIT License
name: cors , version: 2.2.0 , licenses: MIT License
name: env-var , version: 2.4.3 , licenses: MIT License
name: express , version: 4.0.0 , licenses: MIT License
========= APPROVED LICENSES        ==========
<?xml version='1.0'?>
<licenseSummary>
    <project>sync-cloud</project>
    <version>0.1.0</version>
    <license>Apache-2.0</license>
    <dependencies>
        <dependency>
            <packageName>body-parser</packageName>
            <version>1.0.2</version>
            <licenses>
                <license>
                    <name>MIT License</name>
                    <url>http://www.opensource.org/licenses/MIT</url>
                </license>
            </licenses>
        </dependency>
        <dependency>
            <packageName>cors</packageName>
            <version>2.2.0</version>
            <licenses>
                <license>
                    <name>MIT License</name>
                    <url>http://www.opensource.org/licenses/MIT</url>
                </license>
            </licenses>
        </dependency>
        <dependency>
            <packageName>env-var</packageName>
            <version>2.4.3</version>
            <licenses>
                <license>
                    <name>MIT License</name>
                    <url>http://www.opensource.org/licenses/MIT</url>
                </license>
            </licenses>
        </dependency>
        <dependency>
            <packageName>express</packageName>
            <version>4.0.0</version>
            <licenses>
                <license>
                    <name>MIT License</name>
                    <url>http://www.opensource.org/licenses/MIT</url>
                </license>
            </licenses>
        </dependency>
        <dependency>
            <packageName>request</packageName>
            <version>2.79.0</version>
            <licenses>
                <license>
                    <name>Apache License 2.0</name>
                    <url>http://www.apache.org/licenses/LICENSE-2.0</url>
                </license>
            </licenses>
        </dependency>
    </dependencies>
</licenseSummary>

Now removing ~ from these dependencies:

07:55 $ license-reporter console
========= APPROVED LICENSES        ==========
name: fh-mbaas-api , version: 8.2.0 , licenses: Apache License 2.0
name: request , version: 2.79.0 , licenses: Apache License 2.0
name: bluebird , version: 3.5.0 , licenses: MIT License
name: body-parser , version: 1.0.2 , licenses: MIT License
name: cors , version: 2.2.0 , licenses: MIT License
name: env-var , version: 2.4.3 , licenses: MIT License
name: express , version: 4.0.0 , licenses: MIT License
========= APPROVED LICENSES        ==========
<?xml version='1.0'?>
<licenseSummary>
    <project>sync-cloud</project>
    <version>0.1.0</version>
    <license>Apache-2.0</license>
    <dependencies>
        <dependency>
            <packageName>bluebird</packageName>
            <version>3.5.0</version>
            <licenses>
                <license>
                    <name>MIT License</name>
                    <url>http://www.opensource.org/licenses/MIT</url>
                </license>
            </licenses>
        </dependency>
        <dependency>
            <packageName>body-parser</packageName>
            <version>1.0.2</version>
            <licenses>
                <license>
                    <name>MIT License</name>
                    <url>http://www.opensource.org/licenses/MIT</url>
                </license>
            </licenses>
        </dependency>
        <dependency>
            <packageName>cors</packageName>
            <version>2.2.0</version>
            <licenses>
                <license>
                    <name>MIT License</name>
                    <url>http://www.opensource.org/licenses/MIT</url>
                </license>
            </licenses>
        </dependency>
        <dependency>
            <packageName>env-var</packageName>
            <version>2.4.3</version>
            <licenses>
                <license>
                    <name>MIT License</name>
                    <url>http://www.opensource.org/licenses/MIT</url>
                </license>
            </licenses>
        </dependency>
        <dependency>
            <packageName>express</packageName>
            <version>4.0.0</version>
            <licenses>
                <license>
                    <name>MIT License</name>
                    <url>http://www.opensource.org/licenses/MIT</url>
                </license>
            </licenses>
        </dependency>
        <dependency>
            <packageName>fh-mbaas-api</packageName>
            <version>8.2.0</version>
            <licenses>
                <license>
                    <name>Apache License 2.0</name>
                    <url>http://www.apache.org/licenses/LICENSE-2.0</url>
                </license>
            </licenses>
        </dependency>
        <dependency>
            <packageName>request</packageName>
            <version>2.79.0</version>
            <licenses>
                <license>
                    <name>Apache License 2.0</name>
                    <url>http://www.apache.org/licenses/LICENSE-2.0</url>
                </license>
            </licenses>
        </dependency>
    </dependencies>
</licenseSummary>

dimitraz commented 6 years ago

@helio-frota should we update the dependencies to the most recent minor version then before running the tool?

helio-frota commented 6 years ago

@dimitraz well, it can be done if your project / product needs this, but most important is to watch the warning message to avoid npm version ranges in package.json.

The tricky part of this is that license-reporter uses another tool, license-checker. license-checker scans node_modules trying to find the dependency specified in package.json, but sometimes npm downloads a more recent version of the dependency than the number specified in package.json. The result of this is that sometimes it is not possible to identify the missing dependency.

So the safe way to solve this is to try to use fixed versions in package.json, "foobar": "2.2.0" instead of "foobar": "~2.2.0" and/or "foobar": "^2.2.0". :+1:

dimitraz commented 6 years ago

@helio-frota makes sense, thanks :+1:

ciaranRoche commented 6 years ago

@helio-frota awesome, cheers for looking at this so quickly.

helio-frota commented 6 years ago

@ciaranRoche @dimitraz feel free to reach out when needed, and also to contribute if you want to.
Currently we have only 1 issue open but, you know, the code can always be improved :+1: