When adding a downstream dependency strong-soap I was getting a warning because adm-zip had GPL code and this fails our license check preventing us from using this package. Since then, the GPL code has been removed but the package tree needs to be updated. I've traced this update and I believe that cldr-data is the next package that needs to be updated in this process.
At the root, adm-zip is the issue. This package has been updated to remove GPL code and any version above 0.4.12 no longer has this warning.
cldr-data-downloader is the next culprit any looking at version 0.3.5 now has adm-zip at 0.4.13 and so this package is no longer an issue
Next level is this cldr-data which currently pings to 0.3.x of cldr-data, so it is unclear to me whether this package has been published with a more recent version with the bumped adm-zip.
Proposal
Potentially use an explicit version of cldr-data-downloader instead of 0.3.x to make issues like this easier to trace
Publish 36.0.1 where we ensure cldr-data-downloader is pinned to 0.3.5 or higher
When adding a downstream dependency
strong-soapI was getting a warning becauseadm-ziphad GPL code and this fails our license check preventing us from using this package. Since then, the GPL code has been removed but the package tree needs to be updated. I've traced this update and I believe thatcldr-datais the next package that needs to be updated in this process.adm-zipis the issue. This package has been updated to remove GPL code and any version above0.4.12no longer has this warning.cldr-data-downloaderis the next culprit any looking at version0.3.5now hasadm-zipat0.4.13and so this package is no longer an issuecldr-datawhich currently pings to 0.3.x ofcldr-data, so it is unclear to me whether this package has been published with a more recent version with the bumpedadm-zip.Proposal
cldr-data-downloaderinstead of0.3.xto make issues like this easier to trace36.0.1where we ensurecldr-data-downloaderis pinned to0.3.5or higher