Closed ciaranRoche closed 6 years ago
@lgriffin
@ciaranRoche you need to remove the npm version range ~
since license-reporter is intended for a product, I mean, it is expected that products are using fixed versions of dependencies.
Here you can see a warning:
Dependencies using npm version range: bluebird,fh-mbaas-api
```
07:53 $ license-reporter console
Dependencies using npm version range: bluebird,fh-mbaas-api
========= APPROVED LICENSES ==========
name: request , version: 2.79.0 , licenses: Apache License 2.0
name: body-parser , version: 1.0.2 , licenses: MIT License
name: cors , version: 2.2.0 , licenses: MIT License
name: env-var , version: 2.4.3 , licenses: MIT License
name: express , version: 4.0.0 , licenses: MIT License
========= APPROVED LICENSES ==========
```

```xml
<?xml version='1.0'?>
<licenseSummary>
  <project>sync-cloud</project>
  <version>0.1.0</version>
  <license>Apache-2.0</license>
  <dependencies>
    <dependency>
      <packageName>body-parser</packageName>
      <version>1.0.2</version>
      <licenses>
        <license>
          <name>MIT License</name>
          <url>http://www.opensource.org/licenses/MIT</url>
        </license>
      </licenses>
    </dependency>
    <dependency>
      <packageName>cors</packageName>
      <version>2.2.0</version>
      <licenses>
        <license>
          <name>MIT License</name>
          <url>http://www.opensource.org/licenses/MIT</url>
        </license>
      </licenses>
    </dependency>
    <dependency>
      <packageName>env-var</packageName>
      <version>2.4.3</version>
      <licenses>
        <license>
          <name>MIT License</name>
          <url>http://www.opensource.org/licenses/MIT</url>
        </license>
      </licenses>
    </dependency>
    <dependency>
      <packageName>express</packageName>
      <version>4.0.0</version>
      <licenses>
        <license>
          <name>MIT License</name>
          <url>http://www.opensource.org/licenses/MIT</url>
        </license>
      </licenses>
    </dependency>
    <dependency>
      <packageName>request</packageName>
      <version>2.79.0</version>
      <licenses>
        <license>
          <name>Apache License 2.0</name>
          <url>http://www.apache.org/licenses/LICENSE-2.0</url>
        </license>
      </licenses>
    </dependency>
  </dependencies>
</licenseSummary>
```
Now removing ~ from these dependencies:
```
07:55 $ license-reporter console
========= APPROVED LICENSES ==========
name: fh-mbaas-api , version: 8.2.0 , licenses: Apache License 2.0
name: request , version: 2.79.0 , licenses: Apache License 2.0
name: bluebird , version: 3.5.0 , licenses: MIT License
name: body-parser , version: 1.0.2 , licenses: MIT License
name: cors , version: 2.2.0 , licenses: MIT License
name: env-var , version: 2.4.3 , licenses: MIT License
name: express , version: 4.0.0 , licenses: MIT License
========= APPROVED LICENSES ==========
```

```xml
<?xml version='1.0'?>
<licenseSummary>
  <project>sync-cloud</project>
  <version>0.1.0</version>
  <license>Apache-2.0</license>
  <dependencies>
    <dependency>
      <packageName>bluebird</packageName>
      <version>3.5.0</version>
      <licenses>
        <license>
          <name>MIT License</name>
          <url>http://www.opensource.org/licenses/MIT</url>
        </license>
      </licenses>
    </dependency>
    <dependency>
      <packageName>body-parser</packageName>
      <version>1.0.2</version>
      <licenses>
        <license>
          <name>MIT License</name>
          <url>http://www.opensource.org/licenses/MIT</url>
        </license>
      </licenses>
    </dependency>
    <dependency>
      <packageName>cors</packageName>
      <version>2.2.0</version>
      <licenses>
        <license>
          <name>MIT License</name>
          <url>http://www.opensource.org/licenses/MIT</url>
        </license>
      </licenses>
    </dependency>
    <dependency>
      <packageName>env-var</packageName>
      <version>2.4.3</version>
      <licenses>
        <license>
          <name>MIT License</name>
          <url>http://www.opensource.org/licenses/MIT</url>
        </license>
      </licenses>
    </dependency>
    <dependency>
      <packageName>express</packageName>
      <version>4.0.0</version>
      <licenses>
        <license>
          <name>MIT License</name>
          <url>http://www.opensource.org/licenses/MIT</url>
        </license>
      </licenses>
    </dependency>
    <dependency>
      <packageName>fh-mbaas-api</packageName>
      <version>8.2.0</version>
      <licenses>
        <license>
          <name>Apache License 2.0</name>
          <url>http://www.apache.org/licenses/LICENSE-2.0</url>
        </license>
      </licenses>
    </dependency>
    <dependency>
      <packageName>request</packageName>
      <version>2.79.0</version>
      <licenses>
        <license>
          <name>Apache License 2.0</name>
          <url>http://www.apache.org/licenses/LICENSE-2.0</url>
        </license>
      </licenses>
    </dependency>
  </dependencies>
</licenseSummary>
```
@helio-frota should we update the dependencies to the most recent minor version then before running the tool?
@dimitraz well, can be done if your project / product need this, but most importantly is to watch the warning message to avoid npm-version-ranges on package.json.
The trick part of this is because this tool license-reporter
is using another tool license-checker
. The license-checker
scans on node_modules
trying to find the dependency specified on package.json, then sometimes npm downloads one most-recent-version of the dependency but it is specified with another number on package.json. The result of this is that sometimes is not possible to identify the missing dependency.
So the safe way to solve this is try to use fixed versions on package.json "fobar": "2.2.0"
instead "foobar": "~2.2.0"
and/or "foobar": "^2.2.0". :+1:
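The failure mode described in the comment above (a ranged spec in package.json that no longer equals the version npm actually installed, so a scanner keyed on the declared version cannot match it) and the recommended fix (pin exact versions), as an added example; this is not license-reporter's or license-checker's code. The package.json contents and the installed versions are constructed for illustration, and the warning string only mimics the format of the tool's output quoted in the thread.

```javascript
// Added example, not code from license-reporter or license-checker: flag npm
// version ranges in a package.json, show why a ranged spec cannot be matched
// by string against the version installed under node_modules, and produce the
// pinned package.json the thread recommends.

// Constructed sample package.json (assumption: not the sync-cloud repo's real file).
const samplePackageJson = {
  name: "sync-cloud",
  version: "0.1.0",
  dependencies: {
    bluebird: "^3.4.0",        // caret range: npm may install any 3.x >= 3.4.0
    "fh-mbaas-api": "~8.2.0",  // tilde range: npm may install any 8.2.x
    express: "4.0.0",          // pinned
    request: "2.79.0",         // pinned
  },
};

// Constructed versions as they would be read from node_modules/<name>/package.json
// after `npm install` resolved each range to the newest matching release.
const sampleInstalled = {
  bluebird: "3.5.0",
  "fh-mbaas-api": "8.2.0",
  express: "4.0.0",
  request: "2.79.0",
};

// An exact semver version: MAJOR.MINOR.PATCH with optional prerelease/build suffix.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Anything that is not an exact version is treated as a range: ~, ^, >=, *,
// 1.x, "latest", "1.0.0 - 2.0.0", "||" alternatives, git/URL specs, and so on.
function isVersionRange(spec) {
  return !EXACT_VERSION.test(String(spec).trim());
}

// Names of dependencies declared with a range, sorted for stable output.
function rangedDependencies(pkg) {
  const deps = Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
  return Object.keys(deps).filter((name) => isVersionRange(deps[name])).sort();
}

// Mimics the shape of the warning quoted in the thread; empty string when clean.
function rangeWarning(pkg) {
  const ranged = rangedDependencies(pkg);
  return ranged.length === 0 ? "" : `Dependencies using npm version range: ${ranged.join(",")}`;
}

// Compare each declared spec with the installed version by exact string
// equality, the way a scanner that keys on the declared version would.
// Returns the names that cannot be matched that way (ranges and anything
// not installed at all).
function unmatchedByDeclaredVersion(pkg, installed) {
  const deps = pkg.dependencies || {};
  return Object.keys(deps)
    .filter((name) => installed[name] === undefined || deps[name] !== installed[name])
    .sort();
}

// Remediation: rewrite every ranged spec to the exact version that was
// installed, yielding the pinned package.json the comment recommends.
function pinToInstalled(pkg, installed) {
  const pinnedDeps = {};
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    pinnedDeps[name] = isVersionRange(spec) && installed[name] ? installed[name] : spec;
  }
  return Object.assign({}, pkg, { dependencies: pinnedDeps });
}

console.log(rangeWarning(samplePackageJson));
console.log("unmatched by declared version:", unmatchedByDeclaredVersion(samplePackageJson, sampleInstalled));
console.log(JSON.stringify(pinToInstalled(samplePackageJson, sampleInstalled), null, 2));
```

Run it with `node`; the first line printed is the same warning shape the thread shows, and the last is a package.json with every range replaced by the installed exact version, which makes the warning disappear. To keep the file pinned going forward, npm's real `save-exact` setting (`npm config set save-exact true`, or `npm install --save-exact`) records exact versions instead of caret ranges.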
@helio-frota makes sense, thanks :+1:
@helio-frota awesome, cheers for looking at this so quickly.
@ciaranRoche @dimitraz feel free to reach out when needed, also to contribute if you want to.
currently we have only 1 issue opened but, you know, the code can always be improved :+1:
Hey guys, I noticed when I ran the license-reporter on two repos, sync-cloud and sync-app, a number of dependencies were missing from the license.xml and .html files.

Steps to reproduce

npm install

bluebird and fh-mbaas-api should be missing from the license.xml file.