Gutenberg: Ensure that all node modules used in production build are GPLv2+ compatible

Created on 30 Apr 2018 · 10 Comments · Source: WordPress/gutenberg

With Gutenberg requiring almost 300 different node modules, we need to make sure anything that gets shipped to our end users is licensed in a GPL compatible way.

Using license-checker to look at all this:

$ license-checker --summary --production
├─ MIT: 221
├─ ISC: 35
├─ BSD-2-Clause: 6
├─ Apache-2.0: 5
├─ BSD-3-Clause: 5
├─ BSD: 3
├─ GPL-2.0+: 2
├─ Custom: https://s.w.org/style/images/codeispoetry.png: 2
├─ Apache License, Version 2.0: 2
├─ GPL-3.0: 1
├─ Custom: https://make.wordpress.org/design/handbook/design-guide/browser-support/: 1
├─ CC0-1.0: 1
├─ Custom: https://codex.wordpress.org/I18n: 1
├─ Custom: https://google.com: 1
├─ BSD*: 1
├─ GPL-2.0*: 1
├─ (WTFPL OR MIT): 1
├─ Custom: https://make.wordpress.org/accessibility/2015/04/15/let-wordpress-speak-new-in-wordpress-4-2/: 1
├─ (MIT AND CC-BY-3.0): 1
├─ Unlicense: 1
└─ (GPL-2.0 OR MIT): 1

The Apache-2.0 license isn't compatible with GPL v2, so we will need to find replacements for these modules, convince their authors to update their license, or ensure they aren't included in the production build:

doctrine Apache-2.0
eslint-visitor-keys Apache-2.0
mousetrap Apache-2.0
rx-lite Apache License, Version 2.0
rx-lite-aggregates Apache License, Version 2.0
spdx-correct Apache-2.0
validate-npm-package-license Apache-2.0

Also, there is one GPL3 module:
dom-react GPL-3.0

This isn't exhaustive and we likely need to go through each submodule by hand to ensure we don't inadvertently include something like code mirror's jshint file (which core did).

[Type] Task

All 10 comments

Pretty sure Apache, BSD & MIT can become GPL, just not the other way. Also, WP has had MIT code in the past I'm sure.

AFAIK WP is GPL 2+, so GPL 3 code is more of a problem due to threat against TiVo (more WP.com concern). IANAL though

MIT, BSD, ISC and the CC licenses are fine, which is why I only highlighted the Apache v2 and GPL3 modules.

Apache v2 isn't GPL2 compatible. https://www.gnu.org/licenses/license-list.html#apache2

GPL3 isn't GPL2 compatible: https://www.gnu.org/licenses/license-list.en.html#GNUGPL

Whee, thanks for the summary, @aaronjorbin.

How did you generate that list of packages? It seems like it's included some that shouldn't be there.

doctrine: included as a dependency of eslint-plugin-import, which is a dependency of react-datepicker. Later versions of react-datepicker remove this dependency, so upgrading appears to be a simple solution.

eslint-visitor-keys, rx-lite, rx-lite-aggregates: these are dependencies (or sub-dependencies) of eslint, which is a devDependency. I don't know why they're listed.

mousetrap: This is a direct dependency, and will need to be replaced.

spdx-correct, validate-npm-package-license: These are sub-dependencies of node-sass, which is a devDependency.

dom-react: The contributors to this module are @iseulde and @aduth, who I hope would agree to re-license it as GPLv2. 😉

@pento Thanks so much for investigating further.

I used https://github.com/davglass/license-checker, specifically license-checker --summary --production to get the list of licenses, and then license-checker --production --exclude 'MIT,ISC,BSD-2-Clause,BSD-3-Clause,BSD,GPL-2.0+,GPL-2.0*' to get the other packages.

I think it might be worthwhile to automate this in some way and also make it more reliable.

FYI: validate-npm-package-license is also a dependency of init-package-json, which is a dependency of npm, so I just ran license-checker against npm itself:

mkdir tmp && cd tmp && npm i npm --save
npx license-checker --summary --production

npx: installed 739 in 12.253s
├─ MIT: 232
├─ ISC: 98
├─ BSD-2-Clause: 13
├─ MIT*: 11
├─ BSD-3-Clause: 10
├─ Apache-2.0: 8
├─ Artistic-2.0: 4
├─ CC0-1.0: 3
├─ (WTFPL OR MIT): 3
├─ ISC*: 2
├─ Custom: https://travis-ci.org/ember-cli/ember-cli.svg: 1
├─ (MIT OR Apache-2.0): 1
├─ Apache 2.0: 1
├─ (BSD-2-Clause OR MIT OR Apache-2.0): 1
├─ AFLv2.1,BSD: 1
├─ (BSD-2-Clause OR MIT): 1
├─ CC-BY-3.0: 1
└─ Unlicense: 1

Because npm itself depends upon 8 packages that are Apache-2.0 licensed, does that make npm itself not compatible with the GPLv2+ and prevent us from using npm at all?

I agree this should be automated. npm ls --production is probably a good starting point; I can put together a command to use that.

We can use npm, because npm is a build tool, it's not a library we distribute.

Who loves piping commands? We love piping commands!

$ npm ls --production --parseable | xargs -I {} jq --raw-output '.name + " " + ( .license // .licenses[0].type )' '{}/package.json' | ack -v '^.* .*(MIT|GPL-2|ISC|BSD|CC0).*$'
dom-react GPL-3.0
mousetrap Apache-2.0
validate-npm-package-license Apache-2.0
spdx-correct Apache-2.0
spdx-license-ids Unlicense

After upgrading react-datepicker to 1.4.1 and showdown to 1.8.6 (but not actually testing if they work), I get:

dom-react GPL-3.0
mousetrap Apache-2.0
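The pipeline above matches license strings with a substring regex, so a compound expression such as "(MIT AND CC-BY-3.0)" passes because it contains "MIT", an old-style object or array license field breaks the jq string concatenation, and a package with no license field at all is silently skipped. The following Python script is an added example, not code from this thread or from the Gutenberg project: it normalises the three historical package.json license shapes into one SPDX-style expression, evaluates OR/AND/WITH properly against an allowlist, and reports everything that is not clearly compatible. The allowlist (the identifiers the thread treats as GPLv2+ compatible, plus Unlicense) is an assumption standing in for the project's own policy, and the sample package records are constructed for the example, using only the license values the thread itself reports for mousetrap, dom-react and spdx-license-ids.

```python
"""Audit production npm dependencies for GPLv2+ compatibility (added example)."""
import json
import os
import re

# Policy allowlist. ASSUMPTION: these are the identifiers the thread treats as
# compatible with GPLv2+; adjust to the project's own legal policy. An
# identifier missing here is reported for review, not assumed incompatible.
GPL2_COMPATIBLE = {
    "MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "BSD",
    "CC0-1.0", "Unlicense", "WTFPL", "GPL-2.0", "GPL-2.0+",
}

# Tokens of an SPDX expression: parentheses and whitespace-free identifiers/operators.
_TOKEN = re.compile(r"\(|\)|[^\s()]+")


def _parse_or(tokens, pos):
    # expr := term ("OR" term)*   -- any compatible alternative suffices
    ok, pos = _parse_and(tokens, pos)
    while pos < len(tokens) and tokens[pos].upper() == "OR":
        rhs, pos = _parse_and(tokens, pos + 1)
        ok = ok or rhs
    return ok, pos


def _parse_and(tokens, pos):
    # term := atom ("AND" atom)*  -- every conjunct must be compatible
    ok, pos = _parse_atom(tokens, pos)
    while pos < len(tokens) and tokens[pos].upper() == "AND":
        rhs, pos = _parse_atom(tokens, pos + 1)
        ok = ok and rhs
    return ok, pos


def _parse_atom(tokens, pos):
    # atom := "(" expr ")" | LICENSE-ID ["WITH" EXCEPTION-ID]
    if pos >= len(tokens):
        raise ValueError("unexpected end of license expression")
    tok = tokens[pos]
    if tok == "(":
        ok, pos = _parse_or(tokens, pos + 1)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("unbalanced parentheses in license expression")
        return ok, pos + 1
    if tok == ")":
        raise ValueError("unexpected ')' in license expression")
    pos += 1
    if pos < len(tokens) and tokens[pos].upper() == "WITH":
        # A license exception changes the terms; leave it to a human reviewer.
        return False, pos + 2
    return tok in GPL2_COMPATIBLE, pos


def is_gpl2_compatible(expression):
    """True if the SPDX expression is satisfiable from the allowlist alone.

    Raises ValueError for strings that are not SPDX expressions, such as
    "SEE LICENSE IN LICENSE" or a bare URL, so they surface as unparseable.
    """
    tokens = _TOKEN.findall(expression)
    if not tokens:
        raise ValueError("empty license expression")
    ok, pos = _parse_or(tokens, 0)
    if pos != len(tokens):
        raise ValueError("trailing tokens in license expression: %r" % expression)
    return ok


def declared_license(pkg):
    """Normalise the three historical package.json license shapes to one string.

    Returns None when the package declares nothing. The deprecated "licenses"
    array is treated as a choice between its entries (an OR expression).
    """
    lic = pkg.get("license")
    if isinstance(lic, str) and lic.strip():
        return lic.strip()
    if isinstance(lic, dict) and lic.get("type"):          # {"type": ..., "url": ...}
        return str(lic["type"])
    lics = pkg.get("licenses")
    if isinstance(lics, list):                              # [{"type": ...}, ...]
        types = [str(l["type"]) for l in lics if isinstance(l, dict) and l.get("type")]
        if types:
            return types[0] if len(types) == 1 else "(" + " OR ".join(types) + ")"
    return None


def audit(packages):
    """Return (name, declared license, verdict) for every package needing attention."""
    findings = []
    for pkg in packages:
        name = pkg.get("name", "<unnamed>")
        expr = declared_license(pkg)
        if expr is None:
            findings.append((name, None, "undeclared"))
            continue
        try:
            if not is_gpl2_compatible(expr):
                findings.append((name, expr, "incompatible"))
        except ValueError:
            findings.append((name, expr, "unparseable"))
    return findings


def load_package_json(package_dirs):
    """Read package.json from each directory, e.g. `npm ls --production --parseable` output."""
    for directory in package_dirs:
        with open(os.path.join(directory, "package.json"), encoding="utf-8") as fh:
            yield json.load(fh)


# Constructed sample records for an offline run; only the first three license
# values come from the thread, the rest are invented package names and fields.
SAMPLE_PACKAGES = [
    {"name": "mousetrap", "license": "Apache-2.0"},
    {"name": "dom-react", "license": "GPL-3.0"},
    {"name": "spdx-license-ids", "license": "Unlicense"},
    {"name": "dual-pkg", "license": "(GPL-2.0 OR MIT)"},
    {"name": "bundled-assets", "license": "(MIT AND CC-BY-3.0)"},
    {"name": "legacy-object", "license": {"type": "BSD-3-Clause", "url": "https://example.invalid"}},
    {"name": "legacy-array", "licenses": [{"type": "Apache-2.0"}, {"type": "MIT"}]},
    {"name": "see-file", "license": "SEE LICENSE IN LICENSE"},
    {"name": "undeclared"},
]

if __name__ == "__main__":
    for name, expr, verdict in audit(SAMPLE_PACKAGES):
        print(f"{name:20} {str(expr):28} {verdict}")
```

To run it against a real tree, replace SAMPLE_PACKAGES with `audit(load_package_json(sys.argv[1:]))` and pass the directories printed by `npm ls --production --parseable`, as the thread's pipeline does. Because AND requires every conjunct to be on the allowlist, "(MIT AND CC-BY-3.0)" is surfaced for review rather than waved through on the MIT substring; whether CC-BY-3.0 belongs on the allowlist is a policy decision, which is exactly the kind of decision the report should force rather than hide.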

react-datepicker and showdown have been upgraded, so their dependencies are no longer causing issues.

dom-react has been relicensed as GPL2+, and will be upgraded when a new version is released.

I've asked the mousetrap author if they'd be willing to relicense (or dual license). We can wait and see for that.

Sounds like this is covered now. Please, reopen if not.
