ericcornelissen/js-regex-security-scanner

Add license validation

Closed this issue · 1 comment

Add continuous validation of the licenses of dependencies used by this project. This should make sure no dependency is introduced that's incompatible with this project's license.

This could potentially be built on the SBOM that is already being generated.

After giving this topic some thought, I've decided to move ahead with the following approach:

  • Use Licensed for validating npm dependencies (#32)
  • Use a custom script for validating non-npm dependencies from the SBOM (#60)

The reasoning being, similar to vulnerability auditing, the SBOM tool isn't the best at detecting npm dependencies, so using a tool better suited to that task makes more sense. I've chosen Licensed over licensee primarily because I want to give Licensed a try and have already used licensee in other projects.

More details about why the dependency-review-action and Fossa weren't chosen can be found in the respective Pull Requests.
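As an added illustration of the second bullet (not the project's own script from #60), the check below walks the components of an SBOM, skips npm packages (which the issue leaves to Licensed), and flags every non-npm component whose declared license is missing or not on an allowlist. The CycloneDX JSON shape, the sample SBOM and the allowlist are all assumptions constructed for this example.

```javascript
// Constructed sample SBOM in CycloneDX JSON shape (assumed format, not the
// project's real SBOM). The npm component is deliberately included to show
// that it is skipped.
const sampleSbom = {
  bomFormat: "CycloneDX",
  specVersion: "1.4",
  components: [
    { name: "alpine-baselayout", version: "3.4.0", purl: "pkg:apk/alpine/alpine-baselayout@3.4.0",
      licenses: [{ license: { id: "GPL-2.0-only" } }] },
    { name: "musl", version: "1.2.3", purl: "pkg:apk/alpine/musl@1.2.3",
      licenses: [{ license: { id: "MIT" } }] },
    { name: "some-lib", version: "0.1.0", purl: "pkg:generic/some-lib@0.1.0",
      licenses: [{ expression: "MIT OR Apache-2.0" }] },
    { name: "mystery", version: "9.9.9", purl: "pkg:generic/mystery@9.9.9" },
    { name: "lodash", version: "4.17.21", purl: "pkg:npm/lodash@4.17.21",
      licenses: [{ license: { id: "MIT" } }] },
  ],
};

// Assumed allowlist of SPDX identifiers considered compatible with the project.
const allowedLicenses = new Set(["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"]);

// Collect the license identifiers declared for one component. A CycloneDX
// license entry is either { license: { id | name } } or { expression: "..." }.
// Expressions are split on OR/AND/WITH and every part is required to be
// allowed, which is the conservative reading (an OR that mixes an allowed
// and a disallowed license is reported rather than silently accepted).
function licenseIdsOf(component) {
  const ids = [];
  for (const entry of component.licenses || []) {
    if (entry.license) {
      ids.push(entry.license.id || entry.license.name || "");
    } else if (entry.expression) {
      const parts = entry.expression.split(/\s+(?:OR|AND|WITH)\s+/);
      ids.push(...parts.map((p) => p.replace(/[()]/g, "").trim()));
    }
  }
  return ids.filter(Boolean);
}

// Return one violation record per non-npm component that has no declared
// license or declares a license outside the allowlist. An empty result
// means the SBOM passes; a CI wrapper would exit non-zero otherwise.
function findLicenseViolations(sbom, allowed) {
  const violations = [];
  for (const c of sbom.components || []) {
    if ((c.purl || "").startsWith("pkg:npm/")) continue; // npm: covered elsewhere
    const ids = licenseIdsOf(c);
    if (ids.length === 0) {
      violations.push({ name: c.name, version: c.version, reason: "no license declared" });
      continue;
    }
    const bad = ids.filter((id) => !allowed.has(id));
    if (bad.length > 0) {
      violations.push({ name: c.name, version: c.version, reason: `disallowed license: ${bad.join(", ")}` });
    }
  }
  return violations;
}
```

Running `findLicenseViolations(sampleSbom, allowedLicenses)` on the constructed SBOM reports `alpine-baselayout` (GPL-2.0-only) and `mystery` (no license), and ignores `lodash` because it is an npm package.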