sensu / web

Open-source Web UI for Sensu Go clusters
MIT License

Automate audit of dependency licenses #21

Open 10xjs opened 6 years ago

10xjs commented 6 years ago

What

Check that any dependency that is bundled and shipped as part of the web-ui within the sensu-go binary is correctly licensed for such use.

How

It is possible to analyze the licenses of all resolved npm dependencies with the yarn licenses list command. Analyzing and validating the JSON output of this as a CI build step is a viable approach.

One potential concern is that not all npm dependencies end up as part of the bundle; any dependency that is strictly a test or build tool can potentially be excluded from the license audit.

Determining which dependencies do or do not contribute to the bundle is a difficult challenge. Build tools like webpack and babel inject small runtimes into the bundle and need to be considered in the license audit. This is only a problem to worry about if any license issues arise in the first place.

annaplotkin commented 6 years ago

This should be a recurring, automated task.

annaplotkin commented 6 years ago

We need an 'Allow' list. Start with Apache and MIT.

jamesdphillips commented 5 years ago

This could easily be bundled into yarn audit and run on CI.

annaplotkin commented 5 years ago

James to check on this.