My legal department wants me to choose an alternate to pm2, because when it's installed it pulls down a library called gkt, which has no github repository and no associated LICENSE file.
1) npm install pm2
2) See the dependent library gkt.
3) See the 'npm info gkt' output showing it's owned by God, with no repository or license
Public companies have to perform audits of open source software, and make sure the licenses are appropriate for the intended use. Packages that include dependencies without license information, especially ones owned by God, raise flags in the legal department. We have no leverage to argue with legal, and are forced to look for pm2 alternates.
Suggest either
1) removing this dependency (even though it's optional, it's downloaded during an npm install), or
2) Find God, and ask her to put the module into github with a license file.
Please run the following command (available on PM2 >= 2.6)
$ pm2 report
n/a
This dependency is just a fake one that we host ourselves to do some analytics about how much PM2 is downloaded, nothing alarming. I can definitely re-publish it with an MIT license since it doesn't do anything more if you want.
Also we can deliver PM2 with different licensing than AGPLv3 if needed (see https://github.com/Unitech/pm2#license)
I see. Yes, I was just asked to provide author and licensing info for all open source packages to legal, and God/no license didn't go over well with them. If it's not too much trouble, could you host the source in github with an MIT license file, and have the package.json file represent those changes? No problem keeping the dependency link a tarball to your site for analytics. Thank you so much, and I appreciate the hard work you put into this package!
Oh I see PM2 is under GNU. No problem having gkt the same license as we don't re-distribute.
Why was this closed? It still has no license file in it. I will be forced to remove PM2 by my legal team if there is no plan on adding a license to this package.
Sorry, we created the corresponding repository: https://github.com/keymetrics/gkt
Excellent - thank you! The last step would be to have the zip file contain the contents of that repository (ie: the license file).
We are gonna update it asap
I tried to update the package but quickly came to the conclusion that it will break a lot of builds:
If you have pm2 in your package.json, when you install from a lock file (either yarn.lock or package-lock.json), it will register the dependency without tagging it as optional.
Since the lock file registers the checksum, it will check on installation that it matches the one registered, and since it isn't tagged as optional, it fails the installation.
So we will need to find a way to update the archive without the problem! Is it really necessary for you to have it upgraded?
It's probably necessary from a legal perspective, but our legal team contacted our security team and we've subsequently been directed to remove PM2 from all projects in our company due to this .zip file.
Once our security team discovered that software is downloaded directly from your servers onto our servers, without going through a trusted intermediary (npmjs or github), they directed us to remove PM2 from our projects.
No offense, you're probably good guys, but it's too risky from a security perspective.
And hearing that these lock files change an optional dependency into a required dependency means if your servers are down our build pipeline fails, even though we've gone to great lengths to replicate npmjs so if they go down it doesn't affect our delivery pipeline.
I wonder if you realize how bad this is?
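The two concerns raised in this thread (a package fetched as a tarball from a vendor's own server rather than a trusted intermediary, and a lock file turning that optional download into a hard install requirement) can be checked mechanically. The following audit script is an added example, not code from pm2 or Keymetrics; it walks a lockfileVersion 1 package-lock.json and flags every entry resolved from a host outside an assumed allow-list, distinguishing entries that are not marked optional. The lock document, host names, versions and hashes are constructed placeholders.

```javascript
// Added example, not code from pm2 or Keymetrics: audit a package-lock.json
// for packages resolved from a tarball outside the hosts we trust, and for
// such packages that are not flagged optional (those fail the install when the
// host is down or the archive changes). All values below are placeholders.

// Assumed trusted intermediaries: the public registry and an internal mirror.
const TRUSTED_HOSTS = ['registry.npmjs.org', 'npm-mirror.internal.example'];

// Constructed lockfileVersion 1 document: pm2 from the registry, its
// dependency gkt from a vendor host, with no "optional": true flag.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    pm2: {
      version: '0.0.0-placeholder',
      resolved: 'https://registry.npmjs.org/pm2/-/pm2-0.0.0-placeholder.tgz',
      integrity: 'sha512-PLACEHOLDER',
      dependencies: {
        gkt: {
          version: '0.0.0-placeholder',
          resolved: 'https://vendor.example/gkt.tar.gz',
          integrity: 'sha512-PLACEHOLDER'
        }
      }
    }
  }
};

// Walk the nested dependency tree and collect findings.
function auditLock(lock, trustedHosts = TRUSTED_HOSTS) {
  const findings = [];
  const walk = (deps, path) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const dep = [...path, name].join(' > ');
      let host = null;
      try { host = new URL(entry.resolved).hostname; } catch (_) { /* not a URL */ }
      if (host === null) {
        findings.push({ dep, kind: 'no-resolved-url' });
      } else if (!trustedHosts.includes(host)) {
        // Required + untrusted host: supply-chain risk and a build single point of failure.
        findings.push({ dep, host, kind: entry.optional ? 'untrusted-host' : 'untrusted-host-required' });
      }
      if (!entry.integrity) findings.push({ dep, kind: 'no-integrity' });
      walk(entry.dependencies, [...path, name]);
    }
  };
  walk(lock.dependencies, []);
  return findings;
}
```

Running `auditLock` on a real lock file (after `JSON.parse` of its contents) in CI gives the security team a concrete list of packages that bypass the registry mirror, rather than relying on someone noticing a `.tar.gz` URL by hand.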