license_finder 7.0.1 → 7.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a65abcec91ace2929ab66aa2e364002c4019e8cfd5ffdde361ce0ea4b20147f8
-  data.tar.gz: cfeaa1bf0a57a0480d8193fa10a75597b7421abcaa15d6995adc3a885797f547
+  metadata.gz: a74ac8d4dd390c9608445a97a27c1b6b1a3398b33c95d28eff8eb0e1cfff63e7
+  data.tar.gz: 6944369b76103e35729350d5508445ad72f91bb79b2d32e6241b552cd53bf3cd
 SHA512:
-  metadata.gz: c699e9127e4740d8795b5f494525c31251fa4dea297ebdd3c965b3d8bfc129d56d469135f2eb9614d244ed2828798008000116166fd55c1ac6ef5412e7d87313
-  data.tar.gz: e78c9b61fdf161c85c813a9892f02e470bc036f0061720a0fac73120394fb1f9e4161b6a935acb500ae55ac6c03d2ed6df6a320dda5cbc1443be6f62747c4f51
+  metadata.gz: db5512b1f7c9f5c317fb4d9a0efe09fc6d4b88461b3c599ca0ab7b679ef9fdf07cb86eebe3d0ef87cefcfa5a531d9bd1e2b583f7e938ac9c3a64766f21a7f012
+  data.tar.gz: 75f9994268a1a7ef36145bd757cfa8c02e1fcb3d2debdd8301b9f26326bf4afc04771a8b9a2d4e8922398560e9df68c075df240144d6972a62c5613c4f6261c5

data/.github/dependabot.yml

@@ -7,3 +7,10 @@ updates:
     time: "20:00"
     timezone: America/Los_Angeles
   open-pull-requests-limit: 10
+- package-ecosystem: docker 
+  directory: "/"
+  schedule:
+    interval: daily
+    time: "20:00"
+    timezone: America/Los_Angeles
+  open-pull-requests-limit: 10

data/.pre-commit-hooks.yaml

@@ -0,0 +1,10 @@
+- id: license-finder
+  name: Audit licenses of dependencies
+  entry: license_finder
+  language: ruby
+  pass_filenames: false
+  description: >
+    LicenseFinder works with your package managers to find dependencies, detect
+    the licenses of the packages in them, compare those licenses against a
+    user-defined list of permitted licenses, and give you an actionable
+    exception report.

data/CHANGELOG.md

@@ -1,4 +1,27 @@
+# [7.1.0] / 2022-11-28
+
+### Added
+* Missing New BSD alternative name - [64d425d9](https://github.com/pivotal/LicenseFinder/commit/64d425d9210794c6b45c60bf730931e459a1e959) 
+* pre-commit hook - [2fd5ac85](https://github.com/pivotal/LicenseFinder/commit/2fd5ac85fbd4ea03b6f274f2c977448a8a517c2c) - Kurt von Laven
+
+### Fixed
+* - Apache 2 license being too restrictive on matching - [c7fd0399](https://github.com/pivotal/LicenseFinder/commit/c7fd03994592ca97408f5134dd9eac6566e51c48) 
+* - Erlang not installing properly with mix - [74af3885](https://github.com/pivotal/LicenseFinder/commit/74af388579dd2f26b1814ece39c869d684218cd9) 
+* Scan transitive Yarn v2+ dependencies - [0115445e](https://github.com/pivotal/LicenseFinder/commit/0115445eb26de3185518adfb257b0e1911cf2fbd) - Kurt von Laven
+
+* Issue with chaining commands with dlf - [a6af8c3e](https://github.com/pivotal/LicenseFinder/commit/a6af8c3e0abb932ed8d3c0215175f23cf75b5fb2) 
+* Nuget and dotnet not returning proper licenses - [e3452336](https://github.com/pivotal/LicenseFinder/commit/e3452336aa980f26de9a7d44d725bddb0ddd67a0) 
+* Save help documentation for the default file name - [09a93762](https://github.com/pivotal/LicenseFinder/commit/09a93762dc3bd714fdcdebb4aa84af4c7dbefa04) 
+* - Yarn2 output parsing - [395a7f02](https://github.com/pivotal/LicenseFinder/commit/395a7f02b7729243aaf730b6ede71cae8f21cfeb) 
+
+### Changed
+* - Bump docker image golang version to 1.17.13 - [4f3df246](https://github.com/pivotal/LicenseFinder/commit/4f3df246d2f5245681a943a6fb6dee49e3ed3ed1) 
+
 # [7.0.1] / 2022-03-18
+### Fixed
+* Maven Wrapper command path must be relative to working directory - [298a733a](https://github.com/pivotal/LicenseFinder/commit/298a733a67f34341ffabc7dfbf2ee5c27574b979) - jbmgrtn 
+* Support yarn license command for yarn v2+ - [ed3b319b](https://github.com/pivotal/LicenseFinder/commit/ed3b319b64bf9c72c12fd5a365952137cf7f33b6)
+
 
 # [7.0.0] / 2022-03-04
 
@@ -1010,3 +1033,4 @@ Bugfixes:
 [6.15.0]: https://github.com/pivotal/LicenseFinder/compare/v6.14.2...v6.15.0
 [7.0.0]: https://github.com/pivotal/LicenseFinder/compare/v6.15.0...v7.0.0
 [7.0.1]: https://github.com/pivotal/LicenseFinder/compare/v7.0.0...v7.0.1
+[7.1.0]: https://github.com/pivotal/LicenseFinder/compare/v7.0.1...v7.1.0

data/CONTRIBUTING.md

@@ -78,6 +78,7 @@ If you come up with something useful, consider posting it to the Google Group
 To successfully run the test suite, you will need the following installed:
 - NPM (requires Node)
 - Yarn (requires Node)
+- PNPM (requires Node)
 - Bower (requires Node and NPM)
 - Maven (requires Java)
 - Gradle (requires Java)

data/Dockerfile

@@ -5,25 +5,25 @@ WORKDIR /tmp
 # Versioning
 ENV PIP_INSTALL_VERSION 19.0.2
 ENV PIP3_INSTALL_VERSION 20.0.2
-ENV GO_LANG_VERSION 1.14.3
+ENV GO_LANG_VERSION 1.17.13
 ENV MAVEN_VERSION 3.6.0
 ENV SBT_VERSION 1.3.3
 ENV GRADLE_VERSION 5.6.4
 ENV RUBY_VERSION 3.1.1
-ENV MIX_VERSION 1.0
+ENV MIX_VERSION 2.0
 ENV COMPOSER_ALLOW_SUPERUSER 1
 
 # programs needed for building
 RUN apt-get update && apt-get install -y \
-  build-essential \
-  curl \
-  sudo \
-  unzip \
-  wget \
-  gnupg2 \
-  apt-utils \
-  software-properties-common \
-  bzr
+    build-essential \
+    curl \
+    sudo \
+    unzip \
+    wget \
+    gnupg2 \
+    apt-utils \
+    software-properties-common \
+    bzr
 
 RUN add-apt-repository ppa:git-core/ppa && apt-get update && apt-get install -y git
 
@@ -33,14 +33,18 @@ RUN curl -sL https://deb.nodesource.com/setup_14.x | bash - && \
 
 # install yarn
 RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add - && \
-  echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list && \
-  apt-get update && \
-  apt-get install yarn
+    echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list && \
+    apt-get update && \
+    apt-get install yarn
 
 # install bower
 RUN npm install -g bower && \
     echo '{ "allow_root": true }' > /root/.bowerrc
 
+# install pnpm
+RUN npm install -g pnpm && \
+    pnpm version
+
 # install jdk 12
 RUN curl -L -o openjdk12.tar.gz https://download.java.net/java/GA/jdk12.0.2/e482c34c86bd4bf8b56c0b35558996b9/10/GPL/openjdk-12.0.2_linux-x64_bin.tar.gz && \
     tar xvf openjdk12.tar.gz && \
@@ -95,14 +99,29 @@ ENV PATH=$PATH:/go/bin
 ENV GOROOT=/go
 ENV GOPATH=/gopath
 ENV PATH=$PATH:$GOPATH/bin
+
 RUN mkdir /gopath && \
-  go get github.com/tools/godep && \
-  go get github.com/FiloSottile/gvt && \
-  go get github.com/Masterminds/glide && \
-  go get github.com/kardianos/govendor && \
-  go get github.com/golang/dep/cmd/dep && \
-  go get -u github.com/rancher/trash && \
-  go clean -cache
+    go install github.com/tools/godep@latest && \
+    go install github.com/FiloSottile/gvt@latest && \
+    go install github.com/kardianos/govendor@latest && \
+    go clean -cache
+
+#install rvm and glide and godep
+RUN apt-add-repository -y ppa:rael-gc/rvm && \
+    add-apt-repository -y ppa:masterminds/glide  && \
+    apt update && apt install -y rvm && \
+    /usr/share/rvm/bin/rvm install --default $RUBY_VERSION &&\
+    apt-get install -y glide && \
+    apt-get install -y go-dep
+
+# install trash
+RUN curl -Lo trash.tar.gz https://github.com/rancher/trash/releases/download/v0.2.7/trash-linux_amd64.tar.gz && \
+    tar xvf trash.tar.gz && \
+    rm trash.tar.gz && \
+    sudo mv trash /usr/local/bin/
+
+# install bundler
+RUN bash -lc "gem update --system && gem install bundler"
 
 WORKDIR /tmp
 # Fix the locale
@@ -115,47 +134,44 @@ ENV LC_ALL=en_US.UTF-8
 # install Cargo
 RUN curl https://sh.rustup.rs -sSf | bash -ls -- -y --profile minimal
 
-#install rvm
-RUN apt-add-repository -y ppa:rael-gc/rvm && \
-    apt update && apt install -y rvm && \
-    /usr/share/rvm/bin/rvm install --default $RUBY_VERSION
-
-# install bundler
-RUN bash -lc "gem update --system && gem install bundler"
-
 #install mix
 RUN wget https://packages.erlang-solutions.com/erlang-solutions_${MIX_VERSION}_all.deb && \
     sudo dpkg -i erlang-solutions_${MIX_VERSION}_all.deb && \
     sudo rm -f erlang-solutions_${MIX_VERSION}_all.deb && \
     sudo apt-get update && \
-    sudo apt-get install -y esl-erlang && \
-    sudo apt-get install -y elixir
+    sudo apt-get install -y esl-erlang
+# Install Elixir
+WORKDIR /tmp/elixir-build
+RUN git clone https://github.com/elixir-lang/elixir.git
+WORKDIR elixir
+RUN make && make install
+WORKDIR /
 
 # install conan
 RUN apt-get install -y python-dev && \
-	pip install --no-cache-dir --ignore-installed six --ignore-installed colorama \
-	    --ignore-installed requests --ignore-installed chardet \
-	    --ignore-installed urllib3 \
-	    --upgrade setuptools && \
-    pip install --no-cache-dir -Iv conan==1.43.0 && \
+    pip install --no-cache-dir --ignore-installed six --ignore-installed colorama \
+    --ignore-installed requests --ignore-installed chardet \
+    --ignore-installed urllib3 \
+    --upgrade setuptools && \
+    pip3 install --no-cache-dir -Iv conan==1.51.3 && \
     conan config install https://github.com/conan-io/conanclientcert.git
 
 
 # install NuGet (w. mono)
 # https://docs.microsoft.com/en-us/nuget/install-nuget-client-tools#macoslinux
 RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF &&\
-  echo "deb https://download.mono-project.com/repo/ubuntu stable-bionic main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list &&\
-  apt-get update &&\
-  apt-get install -y mono-complete &&\
-  curl -o "/usr/local/bin/nuget.exe" "https://dist.nuget.org/win-x86-commandline/latest/nuget.exe" &&\
-  curl -o "/usr/local/bin/nugetv3.5.0.exe" "https://dist.nuget.org/win-x86-commandline/v3.5.0/nuget.exe"
+    echo "deb https://download.mono-project.com/repo/ubuntu stable-bionic main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list &&\
+    apt-get update &&\
+    apt-get install -y mono-complete &&\
+    curl -o "/usr/local/bin/nuget.exe" "https://dist.nuget.org/win-x86-commandline/latest/nuget.exe" &&\
+    curl -o "/usr/local/bin/nugetv3.5.0.exe" "https://dist.nuget.org/win-x86-commandline/v3.5.0/nuget.exe"
 
 # install dotnet core
 RUN wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb &&\
-  sudo dpkg -i packages-microsoft-prod.deb &&\
-  rm packages-microsoft-prod.deb &&\
-  sudo apt-get update &&\
-  sudo apt-get install -y dotnet-runtime-2.1 dotnet-sdk-2.1 dotnet-sdk-2.2 dotnet-sdk-3.0 dotnet-sdk-3.1
+    sudo dpkg -i packages-microsoft-prod.deb &&\
+    rm packages-microsoft-prod.deb &&\
+    sudo apt-get update &&\
+    sudo apt-get install -y dotnet-runtime-2.1 dotnet-sdk-2.1 dotnet-sdk-2.2 dotnet-sdk-3.0 dotnet-sdk-3.1
 
 # install Composer
 # The ARG and ENV are for installing tzdata which is part of this installaion.
@@ -178,12 +194,12 @@ RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 4F4EA0AAE5
 # See https://docs.conda.io/en/latest/miniconda_hashes.html
 # for latest versions and SHAs.
 RUN  \
-  conda_installer=Miniconda3-py38_4.9.2-Linux-x86_64.sh &&\
-  ref='1314b90489f154602fd794accfc90446111514a5a72fe1f71ab83e07de9504a7' &&\
-  wget -q https://repo.anaconda.com/miniconda/${conda_installer} &&\
-  sha=`openssl sha256 "${conda_installer}" | cut -d' ' -f2` &&\
-  ([ "$sha" = "${ref}" ] || (echo "Verification failed: ${sha} != ${ref}"; false)) &&\
-  (echo; echo "yes") | sh "${conda_installer}"
+    conda_installer=Miniconda3-py38_4.9.2-Linux-x86_64.sh &&\
+    ref='1314b90489f154602fd794accfc90446111514a5a72fe1f71ab83e07de9504a7' &&\
+    wget -q https://repo.anaconda.com/miniconda/${conda_installer} &&\
+    sha=`openssl sha256 "${conda_installer}" | cut -d' ' -f2` &&\
+    ([ "$sha" = "${ref}" ] || (echo "Verification failed: ${sha} != ${ref}"; false)) &&\
+    (echo; echo "yes") | sh "${conda_installer}"
 
 # install Swift Package Manager
 # Based on https://github.com/apple/swift-docker/blob/main/5.3/ubuntu/18.04/Dockerfile
@@ -208,11 +224,12 @@ RUN apt-get -q install -y \
 
 #install flutter
 ENV FLUTTER_HOME=/root/flutter
+RUN git config --global --add safe.directory /root/flutter
 RUN curl -o flutter_linux_2.8.1-stable.tar.xz https://storage.googleapis.com/flutter_infra_release/releases/stable/linux/flutter_linux_2.8.1-stable.tar.xz \
     && tar xf flutter_linux_2.8.1-stable.tar.xz \
     && mv flutter ${FLUTTER_HOME} \
     && rm flutter_linux_2.8.1-stable.tar.xz
-        
+
 ENV PATH=$PATH:${FLUTTER_HOME}/bin:${FLUTTER_HOME}/bin/cache/dart-sdk/bin
 RUN flutter doctor -v \
     && flutter update-packages \

data/README.md

@@ -57,8 +57,19 @@ and give you an actionable exception report.
 
 ## Installation
 
-License Finder requires Ruby 2.4.0 or greater to run. If you have an older
-version of Ruby installed, you can update via Homebrew:
+License Finder may be run as a [pre-commit](https://pre-commit.com) hook by
+adding the following to your `.pre-commit-config.yaml`:
+
+```yaml
+repos:
+  - repo: https://github.com/pivotal/LicenseFinder
+    rev: v7.1.0 # You probably want the latest tag.
+    hooks:
+      - id: license-finder
+```
+
+Running License Finder directly requires Ruby 2.4.0 or greater. If you have an
+older version of Ruby installed, you can update via Homebrew:
 
 ```sh
 $ ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
@@ -70,7 +81,7 @@ then:
 $ brew install ruby
 ```
 
-The easiest way to use `license_finder` is to install it as a command
+The easiest way to use `license_finder` directly is to install it as a command
 line tool, like brew, awk, gem or bundler:
 
 ```sh
@@ -154,7 +165,8 @@ $ dlf "bundle install && license_finder"
 
 You can better understand the way this script works by looking at its source, but for
 reference it will mount your current directory at the path `/scan` and run any commands
-passed to it from that directory.
+passed to it from that directory. If your command has `&&`, ensure you quote the command. 
+If it does not, ensure the command is not quoted.
 
 Note that the docker image will run the gem which is installed within it.
 So the docker image tagged `7.0.0` will run *License Finder Version 7.0.0*
@@ -195,7 +207,7 @@ languages, as long as that language has a package definition in the project dire
 * `build.sbt` file (for `sbt`)
 * `Cargo.lock` file (for `cargo`)
 * `composer.lock` file (for `composer`)
-* `environment,yml` file (for `conda`)
+* `environment.yml` file (for `conda`)
 * `pubspec.yaml & .pub cache locaton through ENV variable` (for `flutter`)
 
 ### Continuous Integration
@@ -333,12 +345,40 @@ you should manually research what the actual license is.  When you
 have established the real license, you can record it with:
 
 ```sh
-$ license_finder licenses add my_unknown_dependency MIT --homepage="www.unknown-code.org"
+$ license_finder licenses add my_unknown_dependency MIT
+```
+
+This command would assign the MIT license to all versions of the dependency
+`my_unknown_dependency`. If you prefer, you could instead assign the license
+to only a specific version of the dependency:
+
+```sh
+$ license_finder licenses add my_unknown_dependency MIT --version=1.0.0
 ```
 
-This command would assign the MIT license to the dependency
-`my_unknown_dependency`. It will also set its homepage to `www.unknown-code.org`.
+Please note that adding a license to a specific version of a dependency will 
+cause any licenses previously added to all versions of that dependency to be 
+forgotten. Similarly, adding a license to all versions of a dependency will 
+override any licenses previously added to specific versions of that dependency.
+
+There are several ways in which you can remove licenses that were previously
+added through the `licenses add` command:
+
+```sh
+# Removes all licenses from any version of the dependency
+$ license_finder licenses remove my_unknown_dependency
 
+# Removes just the MIT license from any version of the dependency
+$ license_finder licenses remove my_unknown_dependency MIT
+
+# Removes all licenses from only version 1.0.0 of the dependency
+# This has no effect if you had last added a license to all versions of the dependency
+$ license_finder licenses remove my_unknown_dependency --version=1.0.0
+
+# Removes just the MIT license from only version 1.0.0 of the dependency
+# This has no effect if you had last added a license to all versions of the dependency
+$ license_finder licenses remove my_unknown_dependency MIT --version=1.0.0
+```
 
 ### Adding Hidden Dependencies
 

data/VERSION

@@ -1 +1 @@
-7.0.1
+7.1.0

data/dlf

@@ -7,7 +7,12 @@ if `which docker > /dev/null`; then
     for p in "$@"; do
       escaped_params="$escaped_params \"$p\""
     done
-    docker run -v $PWD:/scan -it licensefinder/license_finder /bin/bash -lc "cd /scan && $escaped_params"
+    if [[ $escaped_params =~ "&&" ]]; then
+      command=${escaped_params:2:${#escaped_params}-3}
+    else
+      command=$escaped_params
+    fi
+    docker run -v $PWD:/scan -it licensefinder/license_finder /bin/bash -lc "cd /scan && $command"
   fi
 else
   echo "You do not have docker installed. Please install it:"

data/lib/license_finder/cli/base.rb

@@ -46,6 +46,8 @@ module LicenseFinder
           :maven_include_groups,
           :maven_options,
           :npm_options,
+          :yarn_options,
+          :pnpm_options,
           :pip_requirements_path,
           :python_version,
           :rebar_command,

data/lib/license_finder/cli/licenses.rb

@@ -7,19 +7,24 @@ module LicenseFinder
       include MakesDecisions
 
       auditable
+      method_option :version, desc: 'The version associated with the license'
       desc 'add DEPENDENCY LICENSE', "Set a dependency's licenses, overwriting any license_finder has found"
       def add(name, license)
         modifying { decisions.license(name, license, txn) }
 
-        printer.say "The #{name} dependency has been marked as using #{license} license!", :green
+        version_info = options[:version] ? " with version #{options[:version]}" : ''
+        printer.say "The #{name} dependency#{version_info} has been marked as using #{license} license!", :green
       end
 
       auditable
+      method_option :version, desc: 'The version associated with the license'
       desc 'remove DEPENDENCY LICENSE', 'Remove a manually set license'
-      def remove(dep, lic)
+      def remove(dep, lic = nil)
         modifying { decisions.unlicense(dep, lic, txn) }
 
-        printer.say "The dependency #{dep} no longer has a manual license"
+        version_info = options[:version] ? " with version #{options[:version]}" : ''
+        suffix = lic ? " of #{lic}" : ''
+        printer.say "The dependency #{dep}#{version_info} no longer has a manual license#{suffix}"
       end
     end
   end

data/lib/license_finder/cli/main.rb

@@ -32,6 +32,8 @@ module LicenseFinder
       class_option :maven_include_groups, desc: 'Whether dependency name should include group id. Only meaningful if used with a Java/maven project. Defaults to false.'
       class_option :maven_options, desc: 'Maven options to append to command. Defaults to empty.'
       class_option :npm_options, desc: 'npm options to append to command. Defaults to empty.'
+      class_option :yarn_options, desc: 'yarn options to append to command. Defaults to empty.'
+      class_option :pnpm_options, desc: 'pnpm options to append to command. Defaults to empty.'
       class_option :pip_requirements_path, desc: 'Path to python requirements file. Defaults to requirements.txt.'
       class_option :python_version, desc: 'Python version to invoke pip with. Valid versions: 2 or 3. Default: 2'
       class_option :rebar_command, desc: "Command to use when fetching rebar packages. Only meaningful if used with a Erlang/rebar project. Defaults to 'rebar'."
@@ -152,7 +154,7 @@ module LicenseFinder
       shared_options
       format_option
       method_option :write_headers, type: :boolean, desc: 'Write exported columns as header row (csv).', default: false, required: false
-      method_option :save, desc: "Save report to a file. Default: 'license_report.csv' in project root.", lazy_default: 'license_report'
+      method_option :save, desc: "Save report to a file. Default: 'license_report' in project root.", lazy_default: 'license_report'
 
       def report
         finder = LicenseAggregator.new(config, aggregate_paths)

data/lib/license_finder/configuration.rb

@@ -97,6 +97,14 @@ module LicenseFinder
       get(:npm_options)
     end
 
+    def yarn_options
+      get(:yarn_options)
+    end
+
+    def pnpm_options
+      get(:pnpm_options)
+    end
+
     def pip_requirements_path
       get(:pip_requirements_path)
     end

data/lib/license_finder/core.rb

@@ -101,6 +101,8 @@ module LicenseFinder
         maven_include_groups: config.maven_include_groups,
         maven_options: config.maven_options,
         npm_options: config.npm_options,
+        yarn_options: config.yarn_options,
+        pnpm_options: config.pnpm_options,
         pip_requirements_path: config.pip_requirements_path,
         python_version: config.python_version,
         rebar_command: config.rebar_command,

data/lib/license_finder/decision_applier.rb

@@ -44,7 +44,7 @@ module LicenseFinder
     end
 
     def with_decided_licenses(package)
-      decisions.licenses_of(package.name).each do |license|
+      decisions.licenses_of(package.name, package.version).each do |license|
         package.decide_on_license license
       end
       package

data/lib/license_finder/decisions.rb

@@ -2,6 +2,7 @@
 
 require 'open-uri'
 require 'license_finder/license'
+require 'license_finder/manual_licenses'
 
 module LicenseFinder
   class Decisions
@@ -11,8 +12,8 @@ module LicenseFinder
 
     attr_reader :packages, :permitted, :restricted, :ignored, :ignored_groups, :project_name, :inherited_decisions
 
-    def licenses_of(name)
-      @licenses[name]
+    def licenses_of(name, version = nil)
+      @manual_licenses.licenses_of(name, version)
     end
 
     def homepage_of(name)
@@ -76,7 +77,7 @@ module LicenseFinder
     def initialize
       @decisions = []
       @packages = Set.new
-      @licenses = Hash.new { |h, k| h[k] = Set.new }
+      @manual_licenses = ManualLicenses.new
       @homepages = {}
       @approvals = {}
       @permitted = Set.new
@@ -100,13 +101,29 @@ module LicenseFinder
 
     def license(name, lic, txn = {})
       add_decision [:license, name, lic, txn]
-      @licenses[name] << License.find_by_name(lic)
+
+      versions = txn[:versions]
+
+      if versions.nil? || versions.empty?
+        @manual_licenses.assign_to_all_versions(name, lic)
+      else
+        @manual_licenses.assign_to_specific_versions(name, lic, versions)
+      end
+
       self
     end
 
     def unlicense(name, lic, txn = {})
       add_decision [:unlicense, name, lic, txn]
-      @licenses[name].delete(License.find_by_name(lic))
+
+      versions = txn[:versions]
+
+      if versions.nil? || versions.empty?
+        @manual_licenses.unassign_from_all_versions(name, lic)
+      else
+        @manual_licenses.unassign_from_specific_versions(name, lic, versions)
+      end
+
       self
     end
 
@@ -235,9 +252,10 @@ module LicenseFinder
     end
 
     def restore_inheritance(decisions)
+      previous_value = @inherited
       @inherited = true
       self.class.restore(decisions, self)
-      @inherited = false
+      @inherited = previous_value
       self
     end
 

data/lib/license_finder/license/definitions.rb

@@ -265,7 +265,9 @@ module LicenseFinder
             'BSD 3',
             'BSD-3',
             '3-clause BSD',
+            '3-Clause BSD License',
             'BSD-3-Clause',
+            'BSD 3-Clause',
             'BSD 3-Clause License',
             'The 3-Clause BSD License',
             'BSD 3-clause New License',

data/lib/license_finder/license/templates/Apache2.txt

@@ -168,5 +168,3 @@
       defend, and hold each Contributor harmless for any liability
       incurred by, or claims asserted against, such Contributor by reason
       of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS

data/lib/license_finder/manual_licenses.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+module LicenseFinder
+  class ManualLicenses
+    def initialize
+      @all_versions = {}
+      @specific_versions = {}
+    end
+
+    def licenses_of(name, version = nil)
+      return @all_versions[name] if @all_versions[name]
+
+      if version && @specific_versions[name] && @specific_versions[name][version]
+        @specific_versions[name][version]
+      else
+        Set.new
+      end
+    end
+
+    def assign_to_all_versions(name, lic)
+      # Ex: licenses add foo_gem MIT => Adds MIT at "all" versions for this gem
+
+      @all_versions[name] ||= Set.new
+      @all_versions[name] << to_license(lic)
+
+      @specific_versions.delete(name)
+    end
+
+    def assign_to_specific_versions(name, lic, versions)
+      # Ex: licenses add foo_gem MIT --version=1.0 => Adds MIT at only 1.0 for this gem
+
+      @specific_versions[name] ||= {}
+      versions.each do |version|
+        @specific_versions[name][version] ||= Set.new
+        @specific_versions[name][version] << to_license(lic)
+      end
+
+      @all_versions.delete(name)
+    end
+
+    def unassign_from_all_versions(name, lic = nil)
+      if lic
+        # Ex: licenses remove foo_gem MIT => Removes MIT at all versions for this gem
+        @all_versions[name]&.delete(to_license(lic))
+
+        @specific_versions[name]&.each do |_version, licenses|
+          licenses.delete(to_license(lic))
+        end
+      else
+        # Ex: licenses remove foo_gem => Removes all licenses for all versions of the gem
+        @all_versions.delete(name)
+        @specific_versions.delete(name)
+      end
+    end
+
+    def unassign_from_specific_versions(name, lic, versions)
+      return unless @specific_versions[name]
+
+      versions.each do |version|
+        if @specific_versions[name][version]
+          if lic
+            # Ex: licenses remove foo_gem MIT --version=1.0 => Removes MIT at only 1.0 for this gem
+            @specific_versions[name][version].delete(to_license(lic))
+            @specific_versions[name].delete(version) if @specific_versions[name][version].empty?
+          else
+            # Ex: licenses remove foo_gem --version=1.0 => Removes all licenses at only 1.0 for the gem
+            @specific_versions[name].delete(version)
+          end
+        end
+      end
+    end
+
+    private
+
+    def to_license(lic)
+      License.find_by_name(lic)
+    end
+  end
+end

data/lib/license_finder/package.rb

@@ -187,6 +187,7 @@ require 'license_finder/packages/merged_package'
 require 'license_finder/packages/nuget_package'
 require 'license_finder/packages/conan_package'
 require 'license_finder/packages/yarn_package'
+require 'license_finder/packages/pnpm_package'
 require 'license_finder/packages/sbt_package'
 require 'license_finder/packages/cargo_package'
 require 'license_finder/packages/composer_package'

data/lib/license_finder/package_manager.rb

@@ -158,6 +158,7 @@ require 'license_finder/package_managers/go_modules'
 require 'license_finder/package_managers/trash'
 require 'license_finder/package_managers/bundler'
 require 'license_finder/package_managers/npm'
+require 'license_finder/package_managers/pnpm'
 require 'license_finder/package_managers/yarn'
 require 'license_finder/package_managers/pip'
 require 'license_finder/package_managers/pipenv'

data/lib/license_finder/package_managers/dotnet.rb

@@ -42,9 +42,13 @@ module LicenseFinder
       end
 
       def read_license_urls
-        possible_spec_paths.flat_map do |path|
+        raw_licenses = possible_spec_paths.flat_map do |path|
           Nuget.nuspec_license_urls(File.read(path)) if File.exist? path
         end.compact
+
+        raw_licenses&.map! do |license|
+          license.gsub('https://licenses.nuget.org/', '')
+        end
       end
 
       def ==(other)
@@ -61,7 +65,6 @@ module LicenseFinder
       package_metadatas = asset_files
                           .flat_map { |path| AssetFile.new(path).dependencies }
                           .uniq { |d| [d.name, d.version] }
-
       package_metadatas.map do |d|
         path = Dir.glob("#{Dir.home}/.nuget/packages/#{d.name.downcase}/#{d.version}").first
         NugetPackage.new(d.name, d.version, spec_licenses: d.read_license_urls, install_path: path)

data/lib/license_finder/package_managers/nuget.rb

@@ -51,6 +51,10 @@ module LicenseFinder
     def current_packages
       dependencies.each_with_object({}) do |dep, memo|
         licenses = license_urls(dep)
+        licenses&.map! do |license|
+          license.gsub('https://licenses.nuget.org/', '')
+        end
+
         path = Dir.glob("#{Dir.home}/.nuget/packages/#{dep.name.downcase}/#{dep.version}").first
 
         memo[dep.name] ||= NugetPackage.new(dep.name, dep.version, spec_licenses: licenses, install_path: path)
@@ -60,6 +64,7 @@ module LicenseFinder
 
     def license_urls(dep)
       files = Dir["**/#{dep.name}.#{dep.version}.nupkg"]
+
       return nil if files.empty?
 
       file = files.first

data/lib/license_finder/package_managers/pnpm.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'tempfile'
+
+module LicenseFinder
+  class PNPM < PackageManager
+    def initialize(options = {})
+      super
+      @pnpm_options = options[:pnpm_options]
+    end
+
+    SHELL_COMMAND = 'pnpm licenses list --json --long'
+
+    def possible_package_paths
+      [project_path.join('pnpm-lock.yaml')]
+    end
+
+    def self.takes_priority_over
+      NPM
+    end
+
+    def current_packages
+      # check if the minimum version of PNPM is met
+      raise 'The minimum PNPM version is not met, requires 7.17.0 or later' unless supported_pnpm?
+
+      # check if the project directory has workspace file
+      cmd = PNPM::SHELL_COMMAND.to_s
+      cmd += ' --no-color'
+      cmd += ' --recursive' unless project_has_workspaces == false
+      cmd += " --dir #{project_path}" unless project_path.nil?
+      cmd += " #{@pnpm_options}" unless @pnpm_options.nil?
+
+      stdout, stderr, status = Cmd.run(cmd)
+      raise "Command '#{cmd}' failed to execute: #{stderr}" unless status.success?
+
+      json_objects = JSON.parse(stdout)
+      get_pnpm_packages(json_objects)
+    end
+
+    def get_pnpm_packages(json_objects)
+      packages = []
+      incompatible_packages = []
+
+      json_objects.map do |_, value|
+        value.each do |pkg|
+          name = pkg['name']
+          version = pkg['version']
+          license = pkg['license']
+          homepage = pkg['vendorUrl']
+          author = pkg['vendorName']
+          module_path = pkg['path']
+
+          package = PNPMPackage.new(
+            name,
+            version,
+            spec_licenses: [license],
+            homepage: homepage,
+            authors: author,
+            install_path: module_path
+          )
+          packages << package
+        end
+      end
+
+      packages + incompatible_packages.uniq
+    end
+
+    def package_management_command
+      'pnpm'
+    end
+
+    def prepare_command
+      'pnpm install --no-lockfile --ignore-scripts'
+    end
+
+    def prepare
+      prep_cmd = "#{prepare_command}#{production_flag}"
+      _stdout, stderr, status = Dir.chdir(project_path) { Cmd.run(prep_cmd) }
+
+      return if status.success?
+
+      log_errors stderr
+      raise "Prepare command '#{prep_cmd}' failed" unless @prepare_no_fail
+    end
+
+    private
+
+    def project_has_workspaces
+      Dir.chdir(project_path) do
+        return File.file?('pnpm-workspace.yaml')
+      end
+    end
+
+    # PNPM introduced the licenses command in 7.17.0
+    def supported_pnpm?
+      Dir.chdir(project_path) do
+        version_string, stderr_str, status = Cmd.run('pnpm --version')
+        raise "Command 'pnpm -v' failed to execute: #{stderr_str}" unless status.success?
+
+        version = version_string.split('.').map(&:to_i)
+        major = version[0]
+        minor = version[1]
+        patch = version[1]
+
+        return true if major > 7
+        return true if major == 7 && minor > 17
+        return true if major == 7 && minor == 17 && patch >= 0
+
+        return false
+      end
+    end
+
+    def production_flag
+      return '' if @ignored_groups.nil?
+
+      @ignored_groups.include?('devDependencies') ? ' --prod' : ''
+    end
+  end
+end

data/lib/license_finder/package_managers/yarn.rb

@@ -2,7 +2,12 @@
 
 module LicenseFinder
   class Yarn < PackageManager
-    SHELL_COMMAND = 'yarn licenses list --json'
+    def initialize(options = {})
+      super
+      @yarn_options = options[:yarn_options]
+    end
+
+    SHELL_COMMAND = 'yarn licenses list --recursive --json'
 
     def possible_package_paths
       [project_path.join('yarn.lock')]
@@ -14,31 +19,20 @@ module LicenseFinder
       if yarn_version == 1
         cmd += ' --no-progress'
         cmd += " --cwd #{project_path}" unless project_path.nil?
+        cmd += " #{@yarn_options}" unless @yarn_options.nil?
       end
 
       stdout, stderr, status = Cmd.run(cmd)
       raise "Command '#{cmd}' failed to execute: #{stderr}" unless status.success?
 
-      packages = []
-      incompatible_packages = []
-
       json_strings = stdout.encode('ASCII', invalid: :replace, undef: :replace, replace: '?').split("\n")
       json_objects = json_strings.map { |json_object| JSON.parse(json_object) }
 
-      if json_objects.last['type'] == 'table'
-        license_json = json_objects.pop['data']
-        packages = packages_from_json(license_json)
-      end
-
-      json_objects.each do |json_object|
-        match = /(?<name>[\w,\-]+)@(?<version>(\d+\.?)+)/ =~ json_object['data'].to_s
-        if match
-          package = YarnPackage.new(name, version, spec_licenses: ['unknown'])
-          incompatible_packages.push(package)
-        end
+      if yarn_version == 1
+        get_yarn1_packages(json_objects)
+      else
+        get_yarn_packages(json_objects)
       end
-
-      packages + incompatible_packages.uniq
     end
 
     def prepare
@@ -94,6 +88,61 @@ module LicenseFinder
       end
     end
 
+    def get_yarn_packages(json_objects)
+      packages = []
+      incompatible_packages = []
+      json_objects.each do |json_object|
+        license = json_object['value']
+        body = json_object['children']
+
+        body.each do |package_name, vendor_info|
+          valid_match = %r{(?<name>[@,\w,\-,/,.]+)@(?<manager>\D*):\D*(?<version>(\d+\.?)+)} =~ package_name.to_s
+          valid_match = %r{(?<name>[@,\w,\-,/,.]+)@virtual:.+#(\D*):\D*(?<version>(\d+\.?)+)} =~ package_name.to_s if manager.eql?('virtual')
+
+          if valid_match
+            homepage = vendor_info['children']['vendorUrl']
+            author = vendor_info['children']['vendorName']
+            package = YarnPackage.new(
+              name,
+              version,
+              spec_licenses: [license],
+              homepage: homepage,
+              authors: author,
+              install_path: project_path.join(modules_folder, name)
+            )
+            packages << package
+          end
+          incompatible_match = /(?<name>[\w,\-]+)@[a-z]*:(?<version>(\.))/ =~ package_name.to_s
+
+          if incompatible_match
+            package = YarnPackage.new(name, version, spec_licenses: ['unknown'])
+            incompatible_packages.push(package)
+          end
+        end
+      end
+
+      packages + incompatible_packages.uniq
+    end
+
+    def get_yarn1_packages(json_objects)
+      packages = []
+      incompatible_packages = []
+      if json_objects.last['type'] == 'table'
+        license_json = json_objects.pop['data']
+        packages = packages_from_json(license_json)
+      end
+
+      json_objects.each do |json_object|
+        match = /(?<name>[\w,\-]+)@(?<version>(\d+\.?)+)/ =~ json_object['data'].to_s
+        if match
+          package = YarnPackage.new(name, version, spec_licenses: ['unknown'])
+          incompatible_packages.push(package)
+        end
+      end
+
+      packages + incompatible_packages.uniq
+    end
+
     def packages_from_json(json_data)
       body = json_data['body']
       head = json_data['head']

data/lib/license_finder/package_utils/pypi.rb

@@ -25,7 +25,9 @@ module LicenseFinder
       def definition(name, version)
         response = request("https://pypi.org/pypi/#{name}/#{version}/json")
         response.is_a?(Net::HTTPSuccess) ? JSON.parse(response.body).fetch('info', {}) : {}
-      rescue *CONNECTION_ERRORS
+      rescue *CONNECTION_ERRORS => e
+        raise e, "Unable to read package from pypi.org #{name} #{version}: #{e}" unless @prepare_no_fail
+
         {}
       end
 

data/lib/license_finder/packages/npm_package.rb

@@ -72,11 +72,32 @@ module LicenseFinder
             @identifier.version,
             description: npm_json['description'],
             homepage: npm_json['homepage'],
+            authors: author_names,
             spec_licenses: Package.license_names_from_standard_spec(npm_json),
             install_path: npm_json['path'],
             children: @dependencies.map(&:name))
     end
 
+    def author_names
+      names = []
+      names.push(author_name(@json['author'])) unless @json['author'].nil?
+      names += @json['contributors'].map { |c| author_name(c) } if @json['contributors'].is_a?(Array)
+      names.join(', ')
+    end
+
+    def author_name(author)
+      if author.instance_of?(String)
+        author_name_from_combined(author)
+      else
+        author['name']
+      end
+    end
+
+    def author_name_from_combined(author)
+      matches = author.match /^(.*?)\s*(<.*?>)?\s*(\(.*?\))?\s*$/
+      matches[1]
+    end
+
     def ==(other)
       other.is_a?(NpmPackage) && @identifier == other.identifier
     end

data/lib/license_finder/packages/pnpm_package.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module LicenseFinder
+  class PNPMPackage < Package
+    def package_manager
+      'PNPM'
+    end
+
+    def package_url
+      "https://www.npmjs.com/package/#{CGI.escape(name)}/v/#{CGI.escape(version)}"
+    end
+  end
+end

data/lib/license_finder/reports/csv_report.rb

@@ -4,7 +4,7 @@ module LicenseFinder
   class CsvReport < Report
     COMMA_SEP = ','.freeze
     NEWLINE_SEP = '\@NL'.freeze
-    AVAILABLE_COLUMNS = %w[name version authors licenses license_links approved summary description homepage install_path package_manager groups texts notice].freeze
+    AVAILABLE_COLUMNS = %w[name version authors licenses license_links approved summary description homepage install_path package_manager groups texts notice approved_by approved_reason].freeze
     MISSING_DEPENDENCY_TEXT = 'This package is not installed. Please install to determine licenses.'.freeze
 
     def initialize(dependencies, options)
@@ -95,5 +95,14 @@ module LicenseFinder
         dep.groups.join(self.class::COMMA_SEP)
       end
     end
+
+    def format_approved_by(dep)
+      dep.approved_manually? ? dep.manual_approval.who : ''
+    end
+
+    def format_approved_reason(dep)
+      dep.approved_manually? ? dep.manual_approval.why : ''
+    end
+
   end
 end

data/lib/license_finder/scanner.rb

@@ -3,7 +3,7 @@
 module LicenseFinder
   class Scanner
     PACKAGE_MANAGERS = [
-      GoModules, GoDep, GoWorkspace, Go15VendorExperiment, Glide, Gvt, Govendor, Trash, Dep, Bundler, NPM, Pip,
+      GoModules, GoDep, GoWorkspace, Go15VendorExperiment, Glide, Gvt, Govendor, Trash, Dep, Bundler, NPM, PNPM, Pip,
       Yarn, Bower, Maven, Gradle, CocoaPods, Rebar, Erlangmk, Nuget, Carthage, Mix, Conan, Sbt, Cargo, Dotnet, Composer, Pipenv,
       Conda, Spm, Pub
     ].freeze

data/license_finder.gemspec

@@ -50,11 +50,11 @@ Gem::Specification.new do |s|
   s.add_dependency 'with_env', '1.1.0'
   s.add_dependency 'xml-simple', '~> 1.1.9'
 
-  s.add_development_dependency 'addressable', '2.8.0'
+  s.add_development_dependency 'addressable', '2.8.1'
   s.add_development_dependency 'capybara', '~> 3.32.2'
   s.add_development_dependency 'cocoapods', '>= 1.0.0' if RUBY_PLATFORM.match?(/darwin/)
   s.add_development_dependency 'e2mmap', '~> 0.1.0'
-  s.add_development_dependency 'fakefs', '~> 1.4.1'
+  s.add_development_dependency 'fakefs', '~> 1.8.0'
   s.add_development_dependency 'matrix', '~> 0.1.0'
   s.add_development_dependency 'mime-types', '3.4.1'
   s.add_development_dependency 'pry', '~> 0.14.1'
@@ -66,8 +66,8 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'webmock', '~> 3.14'
 
   s.add_development_dependency 'nokogiri', '~>1.10'
-  s.add_development_dependency 'rack', '~> 2.2.3'
-  s.add_development_dependency 'rack-test', '~> 1.1.0', '> 0.7'
+  s.add_development_dependency 'rack', '~> 3.0.0'
+  s.add_development_dependency 'rack-test', '> 0.7', '~> 2.0.2'
 
   s.files         = `git ls-files`.split("\n").reject { |f| f.start_with?('spec', 'features') }
   s.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: license_finder
 version: !ruby/object:Gem::Version
-  version: 7.0.1
+  version: 7.1.0
 platform: ruby
 authors:
 - Ryan Collins
@@ -27,7 +27,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-03-18 00:00:00.000000000 Z
+date: 2022-11-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -131,14 +131,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.8.0
+        version: 2.8.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.8.0
+        version: 2.8.1
 - !ruby/object:Gem::Dependency
   name: capybara
   requirement: !ruby/object:Gem::Requirement
@@ -173,14 +173,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.4.1
+        version: 1.8.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.4.1
+        version: 1.8.0
 - !ruby/object:Gem::Dependency
   name: matrix
   requirement: !ruby/object:Gem::Requirement
@@ -327,34 +327,34 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.3
+        version: 3.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.3
+        version: 3.0.0
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.1.0
     - - ">"
       - !ruby/object:Gem::Version
         version: '0.7'
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.1.0
     - - ">"
       - !ruby/object:Gem::Version
         version: '0.7'
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.2
 description: |2
       LicenseFinder works with your package managers to find
       dependencies, detect the licenses of the packages in them, compare
@@ -371,6 +371,7 @@ files:
 - ".force-build"
 - ".github/dependabot.yml"
 - ".gitignore"
+- ".pre-commit-hooks.yaml"
 - ".rspec"
 - ".rubocop.yml"
 - CHANGELOG.md
@@ -457,6 +458,7 @@ files:
 - lib/license_finder/license/text.rb
 - lib/license_finder/license_aggregator.rb
 - lib/license_finder/logger.rb
+- lib/license_finder/manual_licenses.rb
 - lib/license_finder/package.rb
 - lib/license_finder/package_delta.rb
 - lib/license_finder/package_manager.rb
@@ -485,6 +487,7 @@ files:
 - lib/license_finder/package_managers/nuget.rb
 - lib/license_finder/package_managers/pip.rb
 - lib/license_finder/package_managers/pipenv.rb
+- lib/license_finder/package_managers/pnpm.rb
 - lib/license_finder/package_managers/pub.rb
 - lib/license_finder/package_managers/rebar.rb
 - lib/license_finder/package_managers/sbt.rb
@@ -519,6 +522,7 @@ files:
 - lib/license_finder/packages/npm_package.rb
 - lib/license_finder/packages/nuget_package.rb
 - lib/license_finder/packages/pip_package.rb
+- lib/license_finder/packages/pnpm_package.rb
 - lib/license_finder/packages/pubspec_package.rb
 - lib/license_finder/packages/rebar_package.rb
 - lib/license_finder/packages/sbt_package.rb
@@ -569,7 +573,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.9
+rubygems_version: 3.3.26
 signing_key: 
 specification_version: 4
 summary: Audit the OSS licenses of your application's dependencies.