Vue-cli: Remove the four npm dependencies which use software licenses that violate the tenets of open source and are incompatible with parent MIT licensed modules.

Created on 27 Sep 2018  ·  18 Comments  ·  Source: vuejs/vue-cli

What problem does this feature solve?

The following four deeply nested dependencies use DBAD licenses, which are incompatible with MIT Licenses, due to the fact that they state that a pint is owed to the maintainer of these modules if a significant amount of wealth is made off of software that uses these modules.

Whether or not this is what the maintainer intended, the license implies that not sharing a pint with the maintainer is a direct violation of the license.

https://github.com/RIAEvangelist/node-ipc

https://github.com/RIAEvangelist/js-queue

https://github.com/RIAEvangelist/js-message

https://github.com/RIAEvangelist/easy-stack

I would like to recommend to the entire Vue.js community, that we take a stance similar to the one that Apache takes on nonsensical licenses:

Nonsensical licenses
These licenses while amusing to their creators are legally problematic. They often include subjective Field of use restrictions e.g. “Don’t be evil” with no arbiter for that subjective restriction defined. In some cases they may not even grant sufficient rights to conform to the OSI open source definition. Since we do not wish to surprise our downstream consumers we forbid the use of such licenses.

I am aware that there are a large number of libraries used by the node.js community that have these modules as dependencies - however, I think this is due to unawareness, not by choice. I am not suggesting we convince the entire node.js community to discontinue usage of these libraries, however I would like to encourage at least the Vue community to look into finding out what options we have.

Everything I am saying is out of pure individual interest. I am not an informed lawyer. I do not represent the views of a company.

Licenses such as DBAD will cause useful libraries to be avoided by entire companies so as to steer clear of what is implied by the DBAD license terms.

If we can come up with a solution, we can benefit the community in two main ways:
1) Increase the amount of adoption of the Vue.js framework and all of its associated tools (For the companies that would only consider seriously adopting the framework if they also adopted usage of the vue-cli)
2) Remove the risk of legal implications and public embarrassment of lawsuits that could possibly occur over the terms that are implied in the DBAD license text.

Again- I do not represent the views of a company nor of a lawyer.

My main goal is to increase the adoption and usage of Vue.js and the Vue-cli.

If there is a better forum to bring this issue to the attention of the community, can someone help me do so? I have never had to do something like this before.

What does the proposed API look like?

There is no API for this feature request. I was not sure if this should be opened as a Bug Report or Feature Request since those are the only two options on this form.

Regarding the approaches we could take to mitigate this problem:

1) Ask the maintainer to change the license of these four modules himself
I know of one individual who asked already, and the maintainer didn't seem to want to drop the DBAD license completely. I'm not sure if the maintainer will listen if the entire community chimes in.

2) Ask the maintainer to dual license. If the maintainer wants to be able to make a statement with the DBAD license, he will still be able to do so - however adding a second license like the MIT license will remove the risk that is currently imposed on the rest of the community

3) Get the Vue-cli community to investigate and develop different solutions to our problems. If it comes to it, the only way to get away from using the software in these modules may be to remove the current usage of those four modules with the DBAD license. Other solutions will have to be considered.

The downside of this last approach, is that finding alternative solutions may in fact be difficult.

https://dbad-license.org/

contribution welcome help wanted intend to implement

All 18 comments

@sodatea Thanks a ton for putting this on your radar

@sodatea Unfortunately it appears that the original maintainer really doesn't want to change their license away from DBAD to MIT or some other approved license. ( https://github.com/RIAEvangelist/node-ipc/issues/133 )

Is it even feasible to have a future version of vue/cli drop those four modules as dependencies?

So I've just run into this exact same problem in the same circumstances. It looks like the 4 repos are a dependency of node-ipc, which in itself is a dependency of @vue/cli-shared-utils. I wonder if there is an ability to turn off certain utility libraries if one wasn't building the vue app to connect to say a node.js server?

I guess we can refactor to websockets and drop node-ipc.

Would be ideal, although would it be needed for people using node.js? Not 100% sure on how to contribute to the @vue/cli-shared-utils repo but happy to contribute where I can! 😄

Hum, people using vue cli already need node.js. node-ipc is mainly used for plugins to communicate with the vue cli UI server.

Ah apologies, that didn't click before, makes sense now

Forgive my ignorance on the subject but would there be a way to remove the UI part of vue-cli? If that's the only part of the project that's using it and we don't have to use the UI couldn't we get by without it?

Hey guys, maintainer of all of those packages here.

Apologies, for the delay in everything. I'm going to be updating all of the licenses to apache 2.0 from DBAD.

Hello @RIAEvangelist ... We are running into the same issue for one of our projects. With the DBAD license we are not able to pass the license check.
So we would be really happy if you could update the license of your packages from DBAD to apache 2.0 as suggested.
(PS: Will also be happy to buy you a pint. Will send you a mail about this.)

Guys, @RIAEvangelist, any progress on this one? This becomes an issue that can impact our decision to use Vue or stick to Angular despite how painful it is going to be...

What would be the best license and why? My goal is to make this as open-source as possible. I do not want someone to say they own this code in the future thereby preventing others from using it.

On Fri, Oct 30, 2020 at 9:15 AM bkhatkov notifications@github.com wrote:

Guys, @RIAEvangelist, any progress on this one? This becomes an issue that can impact our decision to use Vue or stick to Angular despite how painful it is going to be...



Updated each to MIT, then published the updated version.

@RIAEvangelist, hey. That is highly appreciated. Thank you.

@RIAEvangelist Thank you so much!

One small problem, though, is that the js-message dependency is pinned to the old version, as said in https://github.com/RIAEvangelist/node-ipc/issues/184

OK, fixed in patch 9.1.3 thanks.

I believe this ticket can be closed.

👍 Thanks! Really appreciate all the help
