Hi Justin,

On Thu, Mar 21, 2019 at 11:02 AM Justin Mclean <[email protected]> wrote:
>
> Hi,
>
> -1 (binding) as this release seems to include a GPL (a category X)
> dependency. [3]
>
> After compiling I also noticed it pulls down material that is under copyright
> and I don’t believe we have permission to distribute [1][2]
>
> Re copyright of that text:
> "In Praise of Idleness and Other Essays (1932) – Copyrighted in the United
> States until 2027 due to Renewal R320904"
>
> Only dumb luck I found that btw (I was checking for GPL licensed stuff). I
> assume this is a 3rd party file in one of the downloaded node modules.
>
> Everything else is good.
>
> I checked:
> - incubating in name
> - signatures and hash correct
> - DISCLAIMER exists
> - LICENSE and NOTICE file
> - Not all source files have ASF headers.
> - no unexpected binary files
> - can compile from source
>
> Thanks,
> Justin
>

These dependencies are all development time dependencies, which can be found in the "devDependencies" section of the package.json file. According to [1], the devDependencies won't go into production.

wordwrap and cliui are transitive dev dependencies, which are used by popular libraries like webpack and eslint. If that is the case, I doubt a lot of the front end projects will be affected.

IMO, the devDependencies are just dependencies that help to build the distribution, and downstream users won't be able to consume them.

For node-notifier, which is also a dev dependency, I am not sure how it is used in dubbo-admin. But I tried to remove it and build it, everything looks good. I think it can be removed.

> 1. ./dubbo-admin-ui/node_modules/wordwrap/test/idleness.txt

➜ dubbo-admin-ui npm ls wordwrap
[email protected] /Users/xxx/work/apache-dubbo/svn-release/dist/dev/incubator/dubbo/dubbo-admin/0.2.0/apache-dubbo-admin-incubating-0.2.0-src/dubbo-admin-ui
├─┬ [email protected]
│ └─┬ [email protected]
│   └── [email protected]
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └─┬ [email protected]
          └── [email protected]

> 2 ./dubbo-admin-ui/node_modules/cliui/node_modules/wordwrap/test/idleness.txt

➜ dubbo-admin-ui npm ls cliui
[email protected] /Users/xxx/work/apache-dubbo/svn-release/dist/dev/incubator/dubbo/dubbo-admin/0.2.0/apache-dubbo-admin-incubating-0.2.0-src/dubbo-admin-ui
├─┬ [email protected]
│ ├─┬ [email protected]
│ │ └─┬ [email protected]
│ │   └─┬ [email protected]
│ │     └── [email protected]
│ └─┬ [email protected]
│   └── [email protected]
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected]

> 3. ./dubbo-admin-ui/node_modules/node-notifier/vendor/snoreToast/LICENSE

[email protected] /Users/xxx/work/apache-dubbo/svn-release/dist/dev/incubator/dubbo/dubbo-admin/0.2.0/apache-dubbo-admin-incubating-0.2.0-src/dubbo-admin-ui
└── [email protected]

[1] https://docs.npmjs.com/specifying-dependencies-and-devdependencies-in-a-package-json-file

--
Best Regards!
Huxing
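
The "dev-only" question discussed in this thread can also be checked mechanically from the lockfile rather than by reading `npm ls` trees. The following is an added example, not code from this thread or from dubbo-admin: it assumes an npm 6 style `package-lock.json` (lockfileVersion 1), where packages reachable only through devDependencies carry `"dev": true`. The lockfile content, the `hypothetical-*` parent packages and all version numbers are constructed for illustration.

```javascript
// Constructed sample in the npm 6 (lockfileVersion 1) layout. Parent package
// names and all versions are made up; only wordwrap, cliui and node-notifier
// are names taken from the thread.
const sampleLock = {
  name: "example-ui",
  lockfileVersion: 1,
  dependencies: {
    "hypothetical-bundler": {
      version: "1.0.0", dev: true,
      dependencies: {
        cliui: {
          version: "2.0.0", dev: true,
          dependencies: { wordwrap: { version: "0.0.2", dev: true } },
        },
      },
    },
    wordwrap: { version: "1.0.0", dev: true },
    "node-notifier": { version: "5.0.0", dev: true },
    // Same package name reached through a runtime dependency: no dev flag.
    "hypothetical-runtime-lib": {
      version: "3.0.0",
      dependencies: { cliui: { version: "3.0.0" } },
    },
  },
};

// Walk the nested "dependencies" maps and return every installed copy of the
// named packages, with its node_modules path and npm's dev-only marking.
function findInstalls(lock, names) {
  const wanted = new Set(names);
  const hits = [];
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (wanted.has(name)) {
        hits.push({ path, version: entry.version, devOnly: entry.dev === true });
      }
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Copies without the dev flag are also installed by `npm install --production`.
function shippedInstalls(lock, names) {
  return findInstalls(lock, names).filter((hit) => !hit.devOnly);
}

console.log(findInstalls(sampleLock, ["wordwrap", "cliui", "node-notifier"]));
```

A package name can appear several times in one tree, so the check has to be made per installed copy: here four copies are dev-only and one copy of cliui is not.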
