Add 'licensed' tool to help verify the licenses of dependencies.
Opened this issue · 1 comments
codewithtyler commented
GitHub has a tool called licensed which helps us to verify that the node modules we are using are appropriately licensed for what we are using them for. It also helps to verify that the license a node module claims to be under matches the license it uses.
I'm wanting to contribute to the library, how does this impact me?
- You may need to locally install licensed and run `licensed cache` to update the dependency cache if you install a new production dependency.
- If `licensed cache` is unable to determine the dependency, you may need to modify the cache file yourself to put the correct license.
- You should still verify the dependency; licensed is a tool to help, but is not a substitute for human review of dependencies.
How do we support adding 'licensed'?
We will need to create a PR containing the following changes:
- A workflow to check licenses on pull requests and pushes to the `main` branch
- A `licensed.yml` file used to configure licensed
- A number of files in the `.licenses` directory which contain our dependencies and their appropriate licenses
Sources
The information found above was provided by thboop in this PR made to the action/stale repo. His PR can be used as a reference to perform this work.
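As an added illustration of the two files the checklist above calls for (example content written for this note, not taken from the issue or from the referenced PR), a `.licensed.yml` configuration followed by a workflow; the `github/setup-licensed` action with its `version` input, the `licensed status` command, and the list of allowed licenses are assumptions, not something the issue specifies.

```yaml
# .licensed.yml (example configuration, not from the issue)
sources:
  npm: true            # inspect production node modules; licensed runs npm itself, so node_modules must be installed first
allowed:               # licenses the project accepts; a cached dependency under any other license fails `licensed status`
  - mit
  - apache-2.0
  - bsd-2-clause
  - bsd-3-clause
  - isc
cache_path: .licenses  # where `licensed cache` writes one metadata file per dependency (the files reviewed in the PR)

---
# .github/workflows/licensed.yml (example workflow, not from the issue)
name: licensed
on:
  push:
    branches: [main]
  pull_request:
jobs:
  status:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci                       # without installed dependencies licensed reports none found
      - uses: github/setup-licensed@v1    # assumed action name and input
        with:
          version: 4.x
      - run: licensed status              # fails the check if a license is missing, unrecognised or not allowed
```

When `licensed cache` cannot classify a package, the generated file under `.licenses/` is the one to correct by hand, and that edit should be visible in the PR so a reviewer can confirm it against the package's actual license text.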
codewithtyler commented
Due to the work completed in PR #52 the Licensed tool now runs but says it can't find any dependencies. The next thing we'll need to do is figure out how to get it to recognize our dependencies. Once that is working this task should be complete.