sindresorhus/read-pkg

Complicated license dependency

bencao opened this issue · 3 comments

Currently one of the dependencies of read-pkg is normalize-package-data (BSD-2-Clause), which in turn depends on spdx-correct (MIT), which has further dependencies on:

├─ CC-BY-3.0
│  └─ spdx-exceptions@2.1.0
│     ├─ URL: https://github.com/kemitchell/spdx-exceptions.json.git
│     └─ VendorName: The Linux Foundation
├─ CC0-1.0
│  └─ spdx-license-ids@3.0.0
│     ├─ URL: https://github.com/shinnn/spdx-license-ids.git
│     ├─ VendorName: Shinnosuke Watanabe
│     └─ VendorUrl: https://github.com/shinnn

This made the license affairs really complicated, especially for cases like people working in big enterprises trying to open source some of their work.

Any possibility to simplify the dependency by eliminating the dependency on normalize-package-data?

Why is this complicated?

The normalize-package-data package is used by npm itself too.

Just did a search for the implications of those licenses more carefully; it seems OK, so I'll close the issue for now.
Generally, if we can keep the number of licenses involved lower, the evaluation could be easier. Thank you.