Add license validation
Closed this issue · 1 comments
ericcornelissen commented
After giving this topic some thought, I've decided to move ahead with the following approach:
- Use Licensed for validating npm dependencies (#32)
- Use a custom script for validating non-npm dependencies from the SBOM (#60)
The reasoning is that, similar to vulnerability auditing, the SBOM tool isn't the best at detecting npm dependencies, so using a tool better suited to that task makes more sense. I've chosen Licensed over licensee primarily because I want to give Licensed a try and have already used licensee in other projects.
More details about why the dependency-review-action and Fossa weren't chosen can be found in the respective Pull Requests.
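As an added example (not code from this issue or from the project), the following sketch shows what the custom script for the non-npm part of the SBOM could look like: it skips `pkg:npm/` components, since those are assigned to Licensed, and checks every other component's declared license against an allowlist. It assumes a CycloneDX-style JSON SBOM (`components[].purl` and `components[].licenses[]` holding either `{ license: { id } }` or `{ expression }`), SPDX identifiers, and flat expressions without parentheses; the allowlist and the sample SBOM are constructed for the example.

```javascript
// Added example: license allowlist check over the non-npm components of a
// CycloneDX-style JSON SBOM (assumed structure, see lead-in). npm packages
// (purl "pkg:npm/...") are skipped because the thread assigns them to Licensed;
// everything else must declare a license that the allowlist accepts.

// Constructed allowlist of SPDX identifiers; adjust to the project's policy.
const ALLOWED_LICENSES = new Set(["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"]);

// Collect the SPDX expressions declared for one component. A bare `license.id`
// is treated as a single-term expression; `expression` is kept as written.
function declaredExpressions(component) {
  return (component.licenses || [])
    .map((entry) => {
      if (entry.expression) return entry.expression;
      if (entry.license && entry.license.id) return entry.license.id;
      return null;
    })
    .filter(Boolean);
}

// Evaluate a flat SPDX expression such as "MIT OR GPL-2.0-only" or "MIT AND ISC".
// OR passes if any term is allowed; AND requires every term to be allowed.
// Parenthesised (nested) expressions are not parsed and are rejected so they
// surface for manual review instead of silently passing.
function expressionAllowed(expression, allowed) {
  if (/[()]/.test(expression)) return false;
  if (expression.includes(" OR ")) {
    return expression.split(" OR ").some((id) => allowed.has(id.trim()));
  }
  return expression.split(" AND ").every((id) => allowed.has(id.trim()));
}

// Return one violation per non-npm component that either declares no license
// or declares a license the allowlist does not accept.
function findLicenseViolations(sbom, allowed = ALLOWED_LICENSES) {
  const violations = [];
  for (const component of sbom.components || []) {
    const purl = component.purl || "";
    if (purl.startsWith("pkg:npm/")) continue; // handled by Licensed, not here
    const expressions = declaredExpressions(component);
    if (expressions.length === 0) {
      violations.push({ name: component.name, reason: "no license declared" });
      continue;
    }
    const disallowed = expressions.filter((e) => !expressionAllowed(e, allowed));
    if (disallowed.length > 0) {
      violations.push({ name: component.name, reason: `disallowed license: ${disallowed.join(", ")}` });
    }
  }
  return violations;
}

// Constructed sample SBOM; package names and versions are made up.
const SAMPLE_SBOM = {
  bomFormat: "CycloneDX",
  components: [
    // npm component: skipped here even though its license is not allowlisted
    { name: "example-npm-pkg", purl: "pkg:npm/example-npm-pkg@1.2.3", licenses: [{ license: { id: "GPL-3.0-only" } }] },
    { name: "example-action", purl: "pkg:github/example/example-action@v1", licenses: [{ license: { id: "MIT" } }] },
    { name: "some-binary", purl: "pkg:generic/some-binary@1.0.0", licenses: [] },
    { name: "dual-licensed", purl: "pkg:generic/dual-licensed@2.0.0", licenses: [{ expression: "MIT OR GPL-2.0-only" }] },
    { name: "copyleft-lib", purl: "pkg:generic/copyleft-lib@3.1.0", licenses: [{ license: { id: "GPL-3.0-only" } }] },
  ],
};

// Stand-alone run: print each violation; a CI wrapper would fail the job when
// the returned list is non-empty.
for (const v of findLicenseViolations(SAMPLE_SBOM)) {
  console.log(`${v.name}: ${v.reason}`);
}
```

On the sample SBOM this reports `some-binary` (no license declared) and `copyleft-lib` (GPL-3.0-only not on the allowlist); the dual-licensed component passes because one side of its OR expression is allowed, and the npm component is left to Licensed. Treating "no license declared" as a failure rather than a pass is the important design choice: an SBOM generator that could not determine a license should block the check until someone fills it in.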