Open m-niedermaier opened 3 years ago
Sorry for the misunderstanding, we (m-niedermaier and I) don't pull the license text via cyclonedx. We just need a version of custom-event for which a license file or text is provided somewhere (e.g. as a LICENSE file in the repository). For version 1.0.0 none was provided, but for 1.0.1 it is.
So what we need is an upgrade of the custom-event lib to 1.0.1. The crossvent lib already has a release that uses custom-event@1.0.1; it's 1.5.5. So in @swimlane/dragula a dependency upgrade to crossvent@1.5.5 is needed.
Overview of the dependency tree:
```
@swimlane/ngx-dnd@8.2.0
├─┬ @swimlane/dragula@3.8.0
│ ├─┬ contra@1.9.4
│ │ ├── atoa@1.0.0
│ │ └── ticky@1.0.1
│ └─┬ crossvent@1.5.4
│   └── custom-event@1.0.0
├── @types/dragula@2.1.35
└── tslib@2.0.3
```
I'm submitting a ... (check one with "x")
Current behavior
Transitive dependency to @swimlane/dragula@3.8.0 to crossvent@1.5.4 to custom-event@1.0.0. The problem is that custom-event@1.0.0 has no license text.
Reproduction of the problem
Check custom-event@1.0.0 in the bom.xml.
What is the motivation / use case for changing the behavior?
We can't use the library when there is no valid license text at any transitive dependency.
Please tell us about your environment:
We use cyclonedx to generate the bom.xml where the license text is missing: https://www.npmjs.com/package/@cyclonedx/bom
Suggestion
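The bom.xml check described in this issue can be automated. The following is an added example, not part of the original issue or of the @cyclonedx/bom tool: it lists components in a CycloneDX XML BOM that declare no license or no license text. The sample BOM, the `license_gaps` helper, the `example-lib` component and the license values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample BOM in the CycloneDX XML layout (not taken from the issue).
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library">
      <name>custom-event</name><version>1.0.0</version>
    </component>
    <component type="library">
      <name>custom-event</name><version>1.0.1</version>
      <licenses><license><name>EXAMPLE</name>
        <text>constructed license text</text></license></licenses>
    </component>
    <component type="library">
      <name>example-lib</name><version>0.0.1</version>
      <licenses><license><id>MIT</id></license></licenses>
    </component>
  </components>
</bom>"""


def local(tag):
    """Strip the XML namespace so any CycloneDX schema version matches."""
    return tag.rsplit("}", 1)[-1]


def license_gaps(bom_xml):
    """Return {"name@version": reason} for components lacking license data.

    Intended for BOMs you generated yourself; for untrusted XML use a
    hardened parser such as defusedxml instead of ElementTree.
    """
    gaps = {}
    for comp in ET.fromstring(bom_xml).iter():
        if local(comp.tag) != "component":
            continue
        fields = {local(c.tag): c for c in comp}
        name = fields["name"].text if "name" in fields else "?"
        version = fields["version"].text if "version" in fields else "?"
        licenses = fields.get("licenses")
        entries = list(licenses) if licenses is not None else []
        has_text = any(local(t.tag) == "text" and (t.text or "").strip()
                       for entry in entries for t in entry)
        if not entries:
            gaps[f"{name}@{version}"] = "no license declared"
        elif not has_text:
            gaps[f"{name}@{version}"] = "license declared, no text"
    return gaps


if __name__ == "__main__":
    for ref, reason in license_gaps(SAMPLE_BOM).items():
        print(f"{ref}: {reason}")
```
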