Berry: [Question] licenses and generate-disclaimer

Hello 👋

We felt like those commands had a too fringe use case to be part of the core offering. Additionally there are various ways such tools could be expanded and configured, and trying to support them (and keep up with feature requests) would put an unwanted additional burden on our team.

The good news is, those commands are exactly the kind of thing we had in mind when designing the plugin API, so it's entirely possible to implement them in userspace (and share your implementation with the community if you so wish).

The plugin documentation is admittedly a bit sparse at the moment as we're working on improving that. In the meantime, you can check the plugin tutorial on the website and the plugin sources in this repo to get an idea of how it works.

Hi again!

Thanks for your fast response. I had a look at the codebase unfortunately I do not really understand how to achieve the following thing:

Get all dependencies for a given package.json including deep dependencies including the metadata (license, version, ...). Can you give me a tip? Consider that yarn classic had an issue with workspaces: https://github.com/yarnpkg/yarn/issues/5174 - is this resolved in berry? I dived into this a bit deeper and the following code snippet gives me all dependencies if I run it inside a package (also respects workspaces):

import { resolve } from "path";

class ProductionDependencies {
    private all: string[] = [];

    constructor(packageJsonPath: string) {
        this.fetchAll(Object.keys(require(packageJsonPath).dependencies));
    }

    public fetchAll(deps: string[]) {
        for (const dep of deps) {
            if (this.all.indexOf(dep) === -1) {
                // eslint-disable-next-line @typescript-eslint/no-var-requires
                const pkg = require(require.resolve(`${dep}/package.json`));
                this.fetchAll(Object.keys(pkg.dependencies || [])); // devDependencies is not needed for license check and disclaimer
                console.log(pkg.name, pkg.license || pkg.licenses || "UNKNOWN");
            }
        }
        this.all.push(...deps);
    }
}

new ProductionDependencies(resolve("./package.json"));

I am thinking of creating a public package - I also do not promise if I create the package because perhaps someone maintaining a similar package is open to create a yarn plugin. I do not know yet if it will be a yarn plugin or a standalone package so it can be used with npm, too. The most important part for me is the workspace-compatibility.

So, I will note further things in this issue (just for myself, perhaps it can be interesting for others):

1. Obtain a list of all dependencies with their metadata of a package.json (see above code snippet)
2. Configure a whitelist for packages and skip their license check ["[email protected]"]: string[]
3. Configure a whitelist for allowed licenses (string[]) for the license check
4. Check the license meta and fallback to UNKNOWN
5. If the found license is not UNKNOWN:
   
   
   
   1. Check if license starts with ( and pass it through spdx-expression-parse. Afterwards do the license check based on the parsed expression
   
   
   2. Otherwise check if license is a string[] and if not, parse it to a string[]
   
   
   3. Pass the license array to spdx-correct and do the license check based on the result
   
   
6. Otherwise obtain the license from other files (mark "guess" with e. g. MIT*, and print a warning)
   
   
   
   1. scripts/generate-licenses-js.js generates a list of unique parts of LICENSE texts so they can be infered when package.json#license cannot be resolved correctly. The generated RegEx parts are found here: scripts/licenses
   
   
   2. src/util/normalize-manifest/infer-license.js is the programmatically way to infer a license from a string (e. g. LICENSE, NOTICE, COPYING or README file)
   
   
7. Throw an error of not found licenses. The developer has three options to correct the issue
   
   
   
   • Add the package to the whitelist for packages (the developer opts-in to skip that license)
   
   
   • Contact the developer of the package and ask to create a valid license in their package.json file
   
   
   • Contribute to this package' compat table
   
   
8. Throw an error if license check failed for a package. The developer has three options:
   
   
   
   • Add the license of the package to the allowed licenses
   
   
   • Add the package to the whitelist for packages (the developer opts-in to skip that license)
   
   
   • Search an alternative package
   
   

The generate-disclaimer I think is more easier, but I will dive into this later.

This are just thoughts how it can be implemented - I got inspired by the already implemented yarn licenses list and license-checker.

I've just pushed up a plugin that adds yarn licenses: https://github.com/mhassan1/yarn-plugin-licenses

It only does yarn licenses list right now, inspired by Yarn v1. We can add more commands in the future. Also, it only works with the latest Berry sources from master (it uses treeUtils), so it's not quite production ready.

Check it out and let me know if you have any feedback.

@arcanis I've written a plugin that provides yarn licenses list: https://github.com/mhassan1/yarn-plugin-licenses. Assuming there's interest in the community, what would be the best way to share it?

I think we should add a "community plugins" page on the website to list those 🤔

Did you have something in mind? I'd be happy to contribute that to the website, but I'm not sure where you would want it, or how you would want to manage it.