strongloop/strong-globalize

Remove GPL License from upstream packages

michaelfarrell76 opened this issue · 10 comments

When adding a downstream dependency, strong-soap, I was getting a warning because adm-zip had GPL code, and this fails our license check, preventing us from using this package. Since then, the GPL code has been removed, but the package tree needs to be updated. I've traced this update and I believe that cldr-data is the next package that needs to be updated in this process, followed by globalize and then finally strong-globalize.

Screen Shot 2020-06-03 at 11 48 43 AM

  • At the root, adm-zip is the issue. This package has been updated to remove GPL code and any version above 0.4.12 no longer has this warning.
  • cldr-data-downloader is the next culprit; looking at version 0.3.5, it now has adm-zip at 0.4.13, so this package is no longer an issue.
  • Next level is cldr-data, which currently pins to 0.3.x of cldr-data, so it is unclear to me whether this package has been published with a more recent version with the bumped adm-zip. I've opened an issue in the cldr-data package asking them to bump this version in case it has not already been bumped.
  • Next is the globalize package that relies on cldr-data and cldr-data-downloader. I've opened an issue here to ask them to bump these versions

Proposal

  • After globalize has been updated, bump the version of globalize for this package
  • Publish a new patch or minor version of this module with the updated versions that no longer have GPL license code

@michaelfarrell76 Thank you for the report. I'll watch the upstream fixes so that we can take it out.

@michaelfarrell76 strong-globalize itself doesn't have a transitive dependency on adm-zip based on npm ls.

The only dependency I see is as follows:

strong-globalize/packages/util
└─┬ cldr-data@36.0.0
  └─┬ cldr-data-downloader@0.3.5
    └── adm-zip@0.4.11 

But the util is an internal package to download the latest cldr-data. It's not published to npm at all.

Thanks for the speedy response! Maybe this means that if strong-soap updated its version of strong-globalize this issue would go away. Other issue for reference: loopbackio/strong-soap#285

Confusingly though, it seems like strong-soap is pointing to strong-globalize 4.1.3,
but the current package.json says 4.0.0, so here was where I got a bit lost tracing this upstream/downstream.

Ahhh, so the npm ls you gave me still has the GPL issue. If you look at the last commit of adm-zip@0.4.11 you can see that it has a GPL license: https://github.com/cthackers/adm-zip/blob/f5310b54e04b766d26580fda6d0351df5ed26f9c/methods/deflater.js

> Confusingly though, it seems like strong-soap is pointing to strong-globalize 4.1.3,
> but the current package.json says 4.0.0, so here was where I got a bit lost tracing this upstream/downstream.

You need to look at https://github.com/strongloop/strong-globalize/blob/master/packages/runtime/package.json.

> Ahhh, so the npm ls you gave me still has the GPL issue. If you look at the last commit of adm-zip@0.4.11 you can see that it has a GPL license: https://github.com/cthackers/adm-zip/blob/f5310b54e04b766d26580fda6d0351df5ed26f9c/methods/deflater.js

No. I was telling you that util is an internal module for development time use only. It's NOT a dependency of strong-globalize.

Based on my analysis, there is NO runtime dependency of adm-zip for strong-globalize.

Sweet, thanks so much for helping me understand the package tree here @raymondfeng!