Approval needed for not-installed Yarn package #456
Comments
@grantbdev Unfortunately, there isn't an easy fix for this one. LicenseFinder is relying on the output from

So tackling the options you raised:

a) It seems better if LicenseFinder exercises this pessimistic behavior rather than ignoring packages because they're not used on the current build platform. As an example, if you weren't running LicenseFinder locally and instead relying on your CI system to flag issues (not an uncommon use case), and if instead of fsevents, you were using an optional package that was not MIT licensed, the potentially problematic dependency would never be flagged.

b) In order to still find the license information, there would either need to be an upstream patch to yarn to "install --bravely" incompatible modules, or something would need to be implemented in LicenseFinder that reproduced the yarn install behavior. The second option is a pattern that doesn't exactly fit with the LicenseFinder paradigm of getting information from package managers and their associated files.

The best options seem to be either looking into the "install --bravely" option, or addressing it as you mentioned, by explicitly approving the dependency by name and possibly version. I'll add a known issues section to the README prior to closing this issue.

Added commit 785c07b referencing this GitHub issue.

I don't know if this is still true? Running
I am developing locally on OS X with Webpack(er), which has an optional transitive dependency on OS X exclusive package fsevents. yarn install installs it and License Finder thinks it is OK probably because I have whitelisted MIT licenses.

However, on the Travis CI build using Linux:
So it would appear that due to the package being excluded/not fully installed due to incompatibility, the license information is still checked for approval but not found correctly.
I have resolved the problem by adding a dependency approval specific to the fsevents package, but I would expect License Finder to either (a) ignore the package when it is excluded or (b) still be able to find the license information like it does locally when the package is compatible and installed/included.
This is with license_finder 5.0.0.