
chore(deps): remove license-checker-rseidelsohn and replace with GH action#1488

Open
guoda-puidokaite wants to merge 21 commits intomainfrom
guoda-dep-lisence-check

Conversation

@guoda-puidokaite
Contributor

@guoda-puidokaite guoda-puidokaite commented Feb 26, 2026

Summary

Changes Made

  • Removed license-checker-rseidelsohn from pnpm dependencies as it's not regularly maintained and introduced high vulnerabilities (see the ticket description).
  • Introduced a GH action step instead which checks that the installed pnpm libraries use supported licences.

Note: We're following the official guidance from the OSPO office and allow only "Permitted/Low Risk" dependencies. See OSPO Wiki.

Example:

The following dependencies have incompatible licenses:
pnpm-lock.yaml » @img/sharp-libvips-linuxmusl-x64@1.2.4 – License: BSD-2-Clause AND LGPL-2.0-only AND LGPL-2.1-only AND LGPL-3.0-only AND LGPL-3.0-or-later AND MIT AND MPL-2.0

Related Issues

Closes #1436

Testing Instructions

Please double check supported licences are correct.
You can test by introducing an unsupported licence (as discussed in our team meeting on Friday). However, the test here should be sufficient.

Checklist

  • I have performed a self-review of my code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have added tests that prove my fix is effective or that my feature works.
  • New and existing unit tests pass locally with my changes.
  • I have made corresponding changes to the documentation (if applicable).
  • My changes generate no new warnings or errors.
  • I have created a changeset for my changes.

PR Manifesto

Review the PR Manifesto for best practices.
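The allowlist decision the new action step has to make, as an added example (not the PR's own action or script), written in Node for the pnpm workspace: it evaluates SPDX `AND`/`OR` expressions so the compound license quoted above is rejected while a dual-licensed `MIT OR ...` package passes. The allowlist is the one from the removed `check-licenses` script with the `BSD*` glob dropped (identifiers match exactly), and the dependency list is constructed sample input.

```javascript
// Added example, not the PR's action or script: allowlist decision over SPDX
// license expressions. AND needs every operand permitted, OR needs at least
// one, parentheses group; identifiers match exactly (no BSD* glob).
// Allowlist taken from the removed check-licenses script, minus the BSD* glob.
const ALLOWED = new Set([
  "MIT", "ISC", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "BSD-4-Clause",
  "CC-BY-3.0", "CC-BY-4.0", "BlueOak-1.0.0", "CC0-1.0", "0BSD", "Python-2.0", "Unlicense",
]);
// Recursive descent: or := and ("OR" and)* ; and := atom ("AND" atom)* ;
// atom := "(" or ")" | identifier. Malformed input throws instead of passing,
// so an unparseable license field fails the check rather than slipping through.
function isPermitted(expr, allowed = ALLOWED) {
  const toks = expr.match(/\(|\)|[^\s()]+/g) || [];
  let i = 0;
  const fail = () => { throw new Error("unparseable license expression: " + expr); };
  function atom() {
    const t = toks[i++];
    if (t === "(") { const v = orExpr(); if (toks[i++] !== ")") fail(); return v; }
    if (t === undefined || t === ")" || /^(AND|OR)$/i.test(t)) fail();
    return allowed.has(t);
  }
  function andExpr() { // right operand evaluated first so tokens are always consumed
    let v = atom();
    while (i < toks.length && /^AND$/i.test(toks[i])) { i++; v = atom() && v; }
    return v;
  }
  function orExpr() {
    let v = andExpr();
    while (i < toks.length && /^OR$/i.test(toks[i])) { i++; v = andExpr() || v; }
    return v;
  }
  const result = orExpr();
  if (i !== toks.length) fail();
  return result;
}

// One line per offending package, in the shape of the action output quoted in the PR.
function findIncompatible(deps, allowed = ALLOWED) {
  return deps.filter((d) => !isPermitted(d.license, allowed))
    .map((d) => `${d.name}@${d.version} – License: ${d.license}`);
}

// Constructed sample input; the first entry is the package quoted in the PR.
const SAMPLE_DEPS = [
  { name: "@img/sharp-libvips-linuxmusl-x64", version: "1.2.4",
    license: "BSD-2-Clause AND LGPL-2.0-only AND LGPL-2.1-only AND LGPL-3.0-only AND LGPL-3.0-or-later AND MIT AND MPL-2.0" },
  { name: "example-dual", version: "1.0.0", license: "(MIT OR GPL-2.0-only)" },
  { name: "example-mit", version: "2.0.0", license: "MIT" },
];
console.log(findIncompatible(SAMPLE_DEPS).join("\n"));
```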

@guoda-puidokaite guoda-puidokaite self-assigned this Feb 26, 2026
@changeset-bot

changeset-bot bot commented Feb 26, 2026

⚠️ No Changeset found

Latest commit: 529fa7a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@guoda-puidokaite guoda-puidokaite changed the title remove lisence check npm dep and introduce gh action feat(task): remove license-checker-rseidelsohn and replace with GH action Feb 26, 2026
@guoda-puidokaite guoda-puidokaite linked an issue Feb 26, 2026 that may be closed by this pull request
@guoda-puidokaite guoda-puidokaite changed the title feat(task): remove license-checker-rseidelsohn and replace with GH action feat(chore): remove license-checker-rseidelsohn and replace with GH action Feb 26, 2026
@guoda-puidokaite guoda-puidokaite changed the title feat(chore): remove license-checker-rseidelsohn and replace with GH action chor(deps): remove license-checker-rseidelsohn and replace with GH action Feb 26, 2026
@guoda-puidokaite guoda-puidokaite changed the title chor(deps): remove license-checker-rseidelsohn and replace with GH action chore(deps): remove license-checker-rseidelsohn and replace with GH action Feb 26, 2026
@guoda-puidokaite guoda-puidokaite marked this pull request as ready for review March 2, 2026 13:29
@guoda-puidokaite guoda-puidokaite requested a review from a team as a code owner March 2, 2026 13:29
"lint": "turbo run lint",
"test": "turbo run test",
"typecheck": "turbo run typecheck",
"check-licenses": "npx license-checker-rseidelsohn --summary --excludePackages='spawndamnit@3.0.1' --excludePrivatePackages --onlyAllow 'MIT;ISC;Apache-2.0;BSD-2-Clause;BSD-3-Clause;BSD-4-Clause;CC-BY-3.0;CC-BY-4.0;BlueOak-1.0.0;CC0-1.0;0BSD;Python-2.0;BSD*;Unlicense'",
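Review bot: the `--onlyAllow` list on the removed `check-licenses` line mixes a `BSD*` glob with the explicit `BSD-2-Clause;BSD-3-Clause;BSD-4-Clause` identifiers, so the glob makes the explicit entries redundant and accepts any license string that merely starts with `BSD`; when carrying this list over to the GH action, keep the explicit SPDX identifiers only. The `--excludePackages='spawndamnit@3.0.1'` exclusion is pinned to one version, so it silently stops applying after an upgrade; the replacement should either document why that package is exempted or drop the exemption.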
Contributor Author


Should Unlicense really be allowed (as in old check)? I think it should be removed?

Contributor Author


Yes, by docs, we need to remove this.

Collaborator


I don't remember why we introduced it. But I remember we had to introduce it so some packages could go through...

Contributor Author


The rule is "No license - no rights". So just want to understand the context here.



Development

Successfully merging this pull request may close these issues.

[Task](juno): Fix high and medium vulnerabilities

2 participants