Hi sfc-devs,

We're investigating a CLM violation on the node package tmp 0.0.16 [0] which, according to CLM, SFC is pulling in. The problem with this specific version of tmp is that it's GPL 2.0. Every version of tmp from 0.0.17 onwards is MIT licensed, which is fine, so we're looking to figure out if SFC is really pulling in the 0.0.16 version of this bundle.

If you pull the sfc-ui-bundle jar [1], however, and inspect its package.json file for tmp, it says the version of tmp packaged is 0.0.23, which is an OK version for us.

Is there anyone on the SFC team who can help us investigate this to determine where 0.0.16 is being pulled in?

Thanks,
Thanh

[0] https://clm.opendaylight.org/assets/index.html#/reports/distribution/8670358dbf074c03b57ee49a25c1da19
[1] https://nexus.opendaylight.org/content/repositories/opendaylight.release/org/opendaylight/sfc/sfc-ui-bundle/0.5.0-Carbon/
_______________________________________________
sfc-dev mailing list
[email protected]
https://lists.opendaylight.org/mailman/listinfo/sfc-dev
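
An added example, not part of the original message or of the SFC project: one way to check a bundle for more than one copy of a package is to list every `node_modules/<name>/package.json` inside the jar, since a second copy can sit nested under another dependency. The jar contents, the `example-tool` package name and the license labels below are constructed sample data that mirror the versions mentioned in the message.

```python
import io
import json
import zipfile


def license_of(meta):
    """Normalise the 'license' string/object and the legacy 'licenses' array."""
    raw = meta.get("license") or meta.get("licenses") or []
    items = raw if isinstance(raw, list) else [raw]
    names = [i.get("type", "?") if isinstance(i, dict) else str(i) for i in items]
    return ", ".join(names) or "UNKNOWN"


def find_copies(jar_bytes, package):
    """Return (path, version, license) for every node_modules/<package>/package.json."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for path in sorted(jar.namelist()):
            if path.split("/")[-3:] != ["node_modules", package, "package.json"]:
                continue
            try:
                meta = json.loads(jar.read(path).decode("utf-8"))
                if not isinstance(meta, dict):
                    raise ValueError("manifest is not a JSON object")
            except (UnicodeDecodeError, ValueError):
                hits.append((path, "UNREADABLE", "UNKNOWN"))
                continue
            hits.append((path, str(meta.get("version", "?")), license_of(meta)))
    return hits


def build_sample_jar():
    """Constructed jar: a top-level tmp plus one nested under a hypothetical dependency."""
    files = {
        "assets/node_modules/tmp/package.json":
            {"name": "tmp", "version": "0.0.23", "license": "MIT"},
        "assets/node_modules/example-tool/node_modules/tmp/package.json":
            {"name": "tmp", "version": "0.0.16", "licenses": [{"type": "GPL-2.0"}]},
        "assets/node_modules/example-tool/package.json":
            {"name": "example-tool", "version": "1.0.0", "license": "MIT"},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, meta in files.items():
            jar.writestr(path, json.dumps(meta))
    return buf.getvalue()


if __name__ == "__main__":
    for path, version, lic in find_copies(build_sample_jar(), "tmp"):
        print(f"{version:8} {lic:10} {path}")
```

To run it against a real bundle, pass the bytes of the downloaded jar to `find_copies` instead of the constructed sample.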
