Cli: [BUG] Hippocratic license incorrectly identified as invalid SPDX expression

Created on 26 Aug 2020  ·  8 comments  ·  Source: npm/cli

What / Why

Packages using the Hippocratic License output the following warning when installed:

npm WARN [package name] license should be a valid SPDX license expression

Where

This has been tested on numerous repos using the valid Hippocratic-2.1 license expression, all with the same npm warning. This occurred on earlier versions of node, but also when upgrading to the latest 14.8.0 & npm 6.14.7.

How

Steps to Reproduce

  1. git clone any repo with the Hippocratic license
  2. npm install

Expected Behavior

The Hippocratic License is a valid license, listed in the SPDX license list with the expression Hippocratic-2.1. This should be recognised by npm's license parser and should not produce a warning.

References

All 8 comments

This is dependent on https://github.com/shinnn/spdx-license-ids/pull/19 being merged and then eventually https://github.com/kemitchell/validate-npm-package-license.js getting updated.

Thanks @SneakyFish5, that's opened my eyes to the fact that there's a bit of a larger issue here in that npm licensing is dependent on the spdx-license-ids package being kept up-to-date, which is managed by a lone maintainer. This single point of failure is clearly a bit of a bottleneck as it appears there are PRs going back to Feb that haven't been merged and the repo's last update was 14 months ago at time of writing.

@kemitchell makes a very good suggestion in his PR of either others being added to this repo (which may not be possible given @shinnn's absence), or moving the repo to an organisation. Perhaps a fork of his repo and maintaining elsewhere is a more suitable option?

How would we even go about this given the 5 million+ dependents? To keep the scope focused here, I'm retracting this final musing. The issue at hand is npm's use, not the other 5 million.
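The dependency the comment above describes, shown as an added example that is not npm's code nor anything posted in this thread: a minimal SPDX expression checker whose verdict is only as good as the identifier list it is handed. npm's real check lives in validate-npm-package-license and spdx-expression-parse; this stand-alone version assumes a constructed identifier list and only supports identifiers joined by AND / OR with parentheses.

```javascript
// Constructed, deliberately stale identifier list: what an out-of-date
// spdx-license-ids release looks like before Hippocratic-2.1 was added.
const STALE_IDS = ['MIT', 'ISC', 'Apache-2.0', 'BSD-3-Clause'];
// The same list after the update the thread is waiting on.
const UPDATED_IDS = [...STALE_IDS, 'Hippocratic-2.1'];

// Returns every identifier in `expr` that is not in `ids`.
// Throws on malformed syntax (unbalanced parentheses, dangling operator).
function unknownIdentifiers(expr, ids) {
  const known = new Set(ids);
  const tokens = expr.match(/\(|\)|[A-Za-z0-9.+-]+/g) || [];
  const unknown = [];
  let depth = 0;
  let expectOperand = true; // true when the next token must be an id or "("
  for (const tok of tokens) {
    if (tok === '(') {
      if (!expectOperand) throw new Error('unexpected "("');
      depth++;
      continue;
    }
    if (tok === ')') {
      if (expectOperand || depth === 0) throw new Error('unexpected ")"');
      depth--;
      continue;
    }
    if (tok === 'AND' || tok === 'OR') {
      if (expectOperand) throw new Error(`unexpected operator ${tok}`);
      expectOperand = true;
      continue;
    }
    if (!expectOperand) throw new Error(`missing operator before ${tok}`);
    if (!known.has(tok)) unknown.push(tok);
    expectOperand = false;
  }
  if (depth !== 0 || expectOperand) throw new Error('incomplete expression');
  return unknown;
}

// Produces the warning line the issue reports, or null when the field is fine.
// A syntax error and an unknown identifier give the same warning, which is
// why a stale id list is indistinguishable from a typo to the user.
function licenseWarning(pkgName, license, ids) {
  try {
    if (unknownIdentifiers(license, ids).length === 0) return null;
  } catch (e) { /* malformed expression: fall through to the warning */ }
  return `npm WARN ${pkgName} license should be a valid SPDX license expression`;
}

console.log(licenseWarning('demo-pkg', 'Hippocratic-2.1', STALE_IDS));   // prints the warning
console.log(licenseWarning('demo-pkg', 'Hippocratic-2.1', UPDATED_IDS)); // prints null
```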

I am happy to move the package into @jslicense, but people come first, code second.

@CodeMacabre you mentioned @shinnn's absence. Do you know if he's okay, or needs support? I haven't been able to reach him.

people come first, code second

100% agree and no, unfortunately I'm new to this whole situation and looking at the history it looks like @shinnn has disappeared as of November 2019 and their website appears to be down. I don't know who they are but I'm also concerned, particularly given the current climate.

If anyone does know them, please do ping us; I'd be willing to support any way I can.

https://www.npmjs.com/package/spdx-license-identifiers

All the intermediate packages are mine. But I'm out of time for today.

This is dependent on jslicense/spdx-license-ids#19 being merged and then eventually https://github.com/kemitchell/validate-npm-package-license.js getting updated.

@kemitchell I can see spdx-license-ids has been updated but Hippocratic-2.1 doesn't appear to be recognised as valid yet. Does validate-npm-package-license.js need updating too?

[email protected] is shipping [email protected], which has Hippocratic-2.1. Check your npm version?

🤦🏼‍♂️ That would explain it. Thank you!
