The "goober-autoprefixer" package is missing a license causing corporate component governance audits to fail
codylindley opened this issue · 5 comments
The internal package called "goober-autoprefixer" is the name of a published npm package, called: "goober-autoprefixer".
This package, it seems, is internal to goober, but for some reason is also published, i.e. it is not actually a dependency of goober, e.g. https://npmgraph.js.org/?q=goober
However, upon security reviews that npm package is flagged because it lacks a license, i.e. https://clearlydefined.io/?sort=releaseDate&sortDesc=true&name=goober-autoprefixer
Would it be possible for you to add your goober MIT license to this directory (prefixer/src/) and publish the public "goober-autoprefixer" to npm and also update goober so the license is within the internal directory (prefixer/src/)?
Am I making sense?
Thanks, Cody
Hey @codylindley,
Thanks for opening this issue. The `goober-autoprefixer` is an old package that used to be how I've managed to publish agnostic(ish) packages to be used for certain functionality. Now, everything is part of the main dependency and there is no `prefixer` package anymore but rather a nested plugin.

```js
import { setup } from 'goober';
import { prefix } from 'goober/prefixer';
```

More info here https://github.com/cristianbote/goober/tree/master/prefixer#how-to-use-it
Does this answer your questions about licensing?
Thanks for the reply. Nods. Totally understood that this had become a nested package. But because it is also a published package it needs a license to make compliance tools happy in both places. So if you are willing, I see three choices to make goober viable for use in places that do legal audits.
- Rename the internal nested package
- Eliminate the package.json of the internal nested package, thus eliminating the name
- Add the same license you use in goober to the nested package and to the published npm package.
Do those options make sense? Any of them sit ok with you?
Thanks, Cody
Oh, ok now I get it. I don't think it'll be any issue to add the LICENSE to `goober-autoprefixer` package and publish it under a new version with it, so I'll do point number 3.
Keep you posted.
Hey @codylindley,
Published a new version `1.2.3` with the MIT license attached. Please let me know if there's anything else that I need to be doing.
Thanks again for opening this issue and giving me clear information. Much appreciated.
Thank you! Really appreciate you doing this. :) Cheers.
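
The condition this thread is about, a nested `package.json` that carries a name but no license, can be checked before publishing. The script below is an added example, not part of the thread and not goober's own code; it assumes an audit that keys on the `name` and `license` fields of each manifest (real compliance tools use more signals), and the function names and sample tree are hypothetical.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Recursively collect every package.json under root, nested manifests included.
function findManifests(root) {
  const found = [];
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    const full = path.join(root, entry.name);
    if (entry.isDirectory()) found.push(...findManifests(full));
    else if (entry.name === 'package.json') found.push(full);
  }
  return found.sort();
}

// Assumption: a manifest matters to an audit when it declares a "name" but
// neither a "license" field nor the legacy "licenses" array.
function auditLicenses(root) {
  const findings = [];
  for (const file of findManifests(root)) {
    const rel = path.relative(root, file);
    let manifest;
    try {
      manifest = JSON.parse(fs.readFileSync(file, 'utf8'));
    } catch (err) {
      findings.push({ file: rel, name: null, problem: 'unparseable manifest' });
      continue;
    }
    const hasLicense = Boolean(manifest.license) || (manifest.licenses || []).length > 0;
    if (manifest.name && !hasLicense) {
      findings.push({ file: rel, name: manifest.name, problem: 'missing license' });
    }
  }
  return findings;
}

// Constructed sample tree (hypothetical layout, not goober's real files).
function buildSample() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'license-audit-'));
  const write = (rel, obj) => {
    const file = path.join(root, rel);
    fs.mkdirSync(path.dirname(file), { recursive: true });
    fs.writeFileSync(file, JSON.stringify(obj));
  };
  write('package.json', { name: 'parent-pkg', license: 'MIT' }); // licensed: passes
  write('nested-a/package.json', { name: 'nested-named' });      // named, no license: reported
  write('nested-b/package.json', { main: './index.js' });        // no name: nothing to match
  return root;
}
console.log(auditLicenses(buildSample()));
```

Run against a package root before `npm publish`, a non-empty result points at the manifests that need a license field, a rename, or removal.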