GitHub user justinleet commented on a diff in the pull request:
https://github.com/apache/metron/pull/581#discussion_r118785519
--- Diff: metron-interface/metron-config/scripts/package.json ---
@@ -9,7 +9,8 @@
"http-proxy-middleware": "0.17.4",
"optimist": "0.6.1",
"serve-favicon": "2.4.2",
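Review bot: the line this hunk adds (the header reads -9,7 +9,8) is not shown in this excerpt, so only the three unchanged context lines can be reviewed; they pin exact versions ("0.17.4", "0.6.1", "2.4.2"), which is the convention the new entry should follow too, and because exact pins on direct dependencies say nothing about what those packages pull in transitively, the change should also carry the lockfile update (package-lock.json or yarn.lock, whichever the project uses) or a note on how resolved versions are fixed, so the full tree can be audited for the license concern raised below.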
--- End diff --
So a quick glance suggests that bcrypt-pbkdf has 2 licenses, depending on
the version (see: https://registry.npmjs.org/bcrypt-pbkdf/). Specifically
1.0.0 has that banned BSD-4-Clause license, while 1.0.1 has the allowed 3
clause variant. For people like me less familiar with JS package management
tools, how can we verify that we do not have a transitive dependency that pulls
in 1.0.0? Given that this is the first one I looked at, are there any other
problematic dependencies?
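One way to answer the transitive-dependency question above, as an added example that is not part of this PR or of the Metron project: a small script that walks the JSON tree printed by `npm ls --json` (run inside metron-config; on npm 7 and later add `--all` to get the full depth) and reports every installed copy of a package together with the chain of packages that pulled it in. The sample tree below is constructed for illustration, and every package name in it other than bcrypt-pbkdf is hypothetical; the banned-version list uses only the 1.0.0 versus 1.0.1 distinction stated in the comment.

```javascript
// Added example, not Metron's code: audit an `npm ls --json` tree for
// specific package versions and show which dependency chain introduced them.

// Constructed sample in the shape of `npm ls --json` output. The
// bcrypt-pbkdf versions follow the comment above (1.0.0 is the 4-clause
// BSD release, 1.0.1 the 3-clause one); all other package names are
// hypothetical and exist only to give the two copies different ancestors.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '0.0.0',
  dependencies: {
    'example-http-client': {            // hypothetical direct dependency
      version: '4.1.0',
      dependencies: {
        'example-ssh-lib': {            // hypothetical intermediate package
          version: '2.0.0',
          dependencies: {
            'bcrypt-pbkdf': { version: '1.0.0' }
          }
        }
      }
    },
    'example-direct': {                 // hypothetical direct dependency
      version: '1.2.3',
      dependencies: {
        'bcrypt-pbkdf': { version: '1.0.1' }
      }
    }
  }
};

// Versions a reviewer has decided are unacceptable, keyed by package name.
// Only the case named in the comment is listed; extend for a real audit.
const BANNED_VERSIONS = {
  'bcrypt-pbkdf': new Set(['1.0.0'])
};

// Depth-first walk over the tree. Returns every occurrence of `name` as
// { version, chain }, where chain lists the "pkg@version" ancestors from the
// top-level dependency down to the package itself.
function findPackage(tree, name) {
  const hits = [];
  function walk(node, chain) {
    const deps = node.dependencies || {};
    for (const [depName, dep] of Object.entries(deps)) {
      const label = `${depName}@${dep.version}`;
      const path = [...chain, label];
      if (depName === name) {
        hits.push({ version: dep.version, chain: path });
      }
      walk(dep, path);            // nested copies of the same package count too
    }
  }
  walk(tree, []);
  return hits;
}

// Check the whole tree against the ban list. Returns one finding per banned
// copy; an empty array means nothing on the list is installed.
function findBannedVersions(tree, banned = BANNED_VERSIONS) {
  const findings = [];
  for (const [name, versions] of Object.entries(banned)) {
    for (const hit of findPackage(tree, name)) {
      if (versions.has(hit.version)) {
        findings.push({ name, version: hit.version, chain: hit.chain.join(' > ') });
      }
    }
  }
  return findings;
}

// Demo on the constructed tree; with real data, replace SAMPLE_TREE by
// JSON.parse of the `npm ls --json` output.
for (const f of findBannedVersions(SAMPLE_TREE)) {
  console.log(`BANNED ${f.name}@${f.version} via ${f.chain}`);
}
```

For a single package, `npm ls bcrypt-pbkdf` prints the same chains directly; the script is useful when several packages and versions have to be checked at once. Either approach only inspects what is currently installed in node_modules, so the result is only as reproducible as the lockfile that fixed those resolved versions.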