This is an automated email from the ASF dual-hosted git repository.
wu-sheng pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/skywalking-horizon-ui.git
The following commit(s) were added to refs/heads/main by this push:
new c2eb874 release: declare unknown dep licenses via skywalking-eyes
config, not a bespoke file
c2eb874 is described below
commit c2eb8743ac72c36aba924ba959caa8801bf5a2e7
Author: Wu Sheng <[email protected]>
AuthorDate: Thu May 21 10:09:18 2026 +0800
release: declare unknown dep licenses via skywalking-eyes config, not a
bespoke file
Move the human-asserted license declaration into skywalking-eyes' native
`dependency.licenses` list in .licenserc.yaml — the standard mechanism for
deps whose package.json omits/mis-declares `license`. Single source of
truth,
honored by both `license-eye dependency check` and the binary-LICENSE
generator.
- collect-dist-licenses.mjs reads `dependency.licenses` from .licenserc.yaml
(supports exact `name@version` and bare `name`); drop
license-overrides.json.
- [email protected] -> MIT declared in .licenserc.yaml.
- Add `yaml` as a root devDependency for the script to parse the config.
Binary LICENSE/NOTICE reference unchanged (byte-identical); check passes
(231 packages, 0 unknown).
---
.licenserc.yaml | 10 ++++++
dist-material/release-docs/license-overrides.json | 4 ---
package.json | 10 ++++--
pnpm-lock.yaml | 3 ++
scripts/collect-dist-licenses.mjs | 37 +++++++++++++++++------
5 files changed, 48 insertions(+), 16 deletions(-)
diff --git a/.licenserc.yaml b/.licenserc.yaml
index ab40acf..489b30a 100644
--- a/.licenserc.yaml
+++ b/.licenserc.yaml
@@ -68,3 +68,13 @@ dependency:
excludes:
- name: '@skywalking-horizon-ui/*' # Self workspace packages
recursive: true
+ # Human-asserted licenses for bundled deps whose package.json omits or
+ # mis-declares `license`. This is skywalking-eyes' native unknown-license
+ # mechanism; it is ALSO consumed by scripts/collect-dist-licenses.mjs when
+ # it builds the binary tarball's LICENSE. Each entry MUST be verified
+ # against the package's own LICENSE/COPYING file (reproduced under
+ # dist/licenses/) before being added.
+ licenses:
+ - name: vue-grid-layout
+ version: 3.0.0-beta1
+ license: MIT # ships an MIT LICENSE file; package.json omits `license`
diff --git a/dist-material/release-docs/license-overrides.json
b/dist-material/release-docs/license-overrides.json
deleted file mode 100644
index a41c71b..0000000
--- a/dist-material/release-docs/license-overrides.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "_comment": "Human-asserted SPDX license for bundled deps whose package.json
omits or mis-declares the `license` field. Each entry MUST be verified against
the package's own LICENSE/COPYING file (reproduced under dist/licenses/) before
being added. Keyed by `name@version`.",
- "[email protected]": "MIT"
-}
diff --git a/package.json b/package.json
index e7c233a..608b36e 100644
--- a/package.json
+++ b/package.json
@@ -25,10 +25,16 @@
"start": "HORIZON_CONFIG=${HORIZON_CONFIG:-./horizon.yaml} node
dist/server.js"
},
"devDependencies": {
- "typescript": "~5.6.3"
+ "typescript": "~5.6.3",
+ "yaml": "^2.9.0"
},
"pnpm": {
- "onlyBuiltDependencies": ["argon2", "esbuild", "@parcel/watcher",
"vue-demi"],
+ "onlyBuiltDependencies": [
+ "argon2",
+ "esbuild",
+ "@parcel/watcher",
+ "vue-demi"
+ ],
"overrides": {
"dompurify@<3.3.2": ">=3.3.2"
}
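Review bot: The new `"yaml": "^2.9.0"` entry uses a caret range, while the neighbouring `typescript` entry is pinned with a tilde. The parser's output now feeds the script that builds the release LICENSE, so a tighter range in the file's existing style, `"yaml": "~2.9.0"`, keeps parser upgrades a deliberate step. The lockfile in this commit resolves it to 2.9.0, so this only matters when the lock is regenerated.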
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 1a735e3..f9cee93 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -14,6 +14,9 @@ importers:
typescript:
specifier: ~5.6.3
version: 5.6.3
+ yaml:
+ specifier: ^2.9.0
+ version: 2.9.0
apps/bff:
dependencies:
diff --git a/scripts/collect-dist-licenses.mjs
b/scripts/collect-dist-licenses.mjs
index 9d341de..d9c3f53 100644
--- a/scripts/collect-dist-licenses.mjs
+++ b/scripts/collect-dist-licenses.mjs
@@ -58,6 +58,7 @@ import {
} from 'node:fs';
import { dirname, join, relative, resolve } from 'node:path';
import { fileURLToPath } from 'node:url';
+import { parse as parseYaml } from 'yaml';
const __dirname = dirname(fileURLToPath(import.meta.url));
const repoRoot = resolve(__dirname, '..');
@@ -146,20 +147,36 @@ function collectPackages() {
}
// Human-asserted SPDX licenses for deps whose package.json omits or
-// mis-declares `license`. Verified against each package's own LICENSE file.
+// mis-declares `license`. Single source of truth is skywalking-eyes'
+// native `dependency.licenses` list in .licenserc.yaml — so the same
+// declaration drives both `license-eye dependency check` and this binary
+// LICENSE generator. Keyed by `name@version` (exact) and bare `name`
+// (any version); the exact key wins.
const licenseOverrides = (() => {
- const p = join(templatesDir, 'license-overrides.json');
- if (!existsSync(p)) return {};
+ const exact = new Map();
+ const anyVersion = new Map();
+ const p = resolve(repoRoot, '.licenserc.yaml');
try {
- const { _comment, ...rest } = JSON.parse(readFileSync(p, 'utf8'));
- void _comment;
- return rest;
- } catch (e) {
- console.warn(`WARN: cannot parse ${p}: ${e.message}`);
- return {};
+ const cfg = parseYaml(readFileSync(p, 'utf8'));
+ for (const e of cfg?.dependency?.licenses ?? []) {
+ if (!e?.name || !e?.license) continue;
+ if (e.version) exact.set(`${e.name}@${e.version}`, e.license);
+ else anyVersion.set(e.name, e.license);
+ }
+ } catch (err) {
+ console.warn(`WARN: cannot read dependency.licenses from ${p}:
${err.message}`);
}
+ return { exact, anyVersion };
})();
+function overrideFor(name, version) {
+ return (
+ licenseOverrides.exact.get(`${name}@${version}`) ??
+ licenseOverrides.anyVersion.get(name) ??
+ null
+ );
+}
+
function normalizeLicense(pkgJson) {
const lic = pkgJson.license;
if (typeof lic === 'string') return lic;
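Review bot: The `catch` in the `licenseOverrides` initializer only warns, so a missing or malformed `.licenserc.yaml` leaves both maps empty and the generator carries on without any human-asserted license. Now that this file is the single source of truth, a read or parse failure should stop the run. The loop also drops entries silently at `if (!e?.name || !e?.license) continue;`, so a misspelled key removes an override without trace. `version` is interpolated without a type check, so an unquoted YAML value that parses as a number would build a key that may never match. The fence below shows one way to fail closed on read errors and report malformed entries; `normalizeLicense` continues outside the hunk.

```javascript
const licenseOverrides = (() => {
  // … unchanged: exact / anyVersion maps and path resolution …
  let cfg;
  try {
    cfg = parseYaml(readFileSync(p, 'utf8'));
  } catch (err) {
    // The release LICENSE must not be generated without the asserted licenses.
    throw new Error(`cannot read dependency.licenses from ${p}`, { cause: err });
  }
  for (const e of cfg?.dependency?.licenses ?? []) {
    const versionOk = e?.version == null || typeof e.version === 'string';
    if (typeof e?.name !== 'string' || typeof e?.license !== 'string' || !versionOk) {
      console.warn(`WARN: ignoring malformed dependency.licenses entry in ${p}: ${JSON.stringify(e)}`);
      continue;
    }
    if (e.version) exact.set(`${e.name}@${e.version}`, e.license);
    else anyVersion.set(e.name, e.license);
  }
  return { exact, anyVersion };
})();
```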
@@ -210,7 +227,7 @@ const noticePieces = [];
for (const pkg of packages) {
const pj = readPkgJson(pkg.path);
if (!pj) continue;
- const license = licenseOverrides[`${pkg.name}@${pkg.version}`] ??
normalizeLicense(pj);
+ const license = overrideFor(pkg.name, pkg.version) ?? normalizeLicense(pj);
const homepage = pj.homepage || pj.repository?.url || pj.repository || '';
const entry = {
name: pkg.name,
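Review bot: `overrideFor(pkg.name, pkg.version) ?? normalizeLicense(pj)` gives the override precedence over the package's own declaration, and a bare-name entry now applies to every version of that package. An assertion is made after checking one release's LICENSE file, so an any-version match can carry it onto a later release that was never checked, even if that release declares a different license. I would keep the declared value and warn on disagreement, e.g. `const declared = normalizeLicense(pj);` then `if (override && declared !== override) console.warn(...)`, skipping whatever value `normalizeLicense` returns for a missing license, which is not visible here. Alternatively, restrict the generator to exact `name@version` matches. The loop body continues outside the hunk.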