Dependabot-core: Pull license data?

Created on 11 Sep 2018 · 5 Comments · Source: dependabot/dependabot-core

There's a good chance that this doesn't make sense as a Dependabot feature, but here goes!

I noticed that Snyk (which works slightly differently but I consider it in the same space as Dependabot) scans for dependency licenses to help ensure an organization uses licenses they know they comply with.

I can't really figure out a good way for Dependabot to add that sort of behavior, and it might be best if we just put something like Pivotal's LicenseFinder in our CI build and called it a day, but I just wanted to flag that some feature along these lines might make sense for Dependabot.

Interesting, thanks @JacobEvelyn.

I was hoping some inspiration would come to me over the last week on this, but it hasn't. I'll continue chewing it over. We're about to overhaul the Dependabot dashboard, so there'll be a show page for each repo that has details of all your dependencies. Appending license information to that show page, and telling you in the PR if the dependency's license has changed, seem like a good option to me.

Yeah, I've chewed it over some more as well and it's just tricky to think about how this should work with Dependabot's model. But what you describe would be a great first version of this feature!

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.

Closing this as GitHub's Dependency Graph and Dependency Insights features are responsible for providing this data.