licensed 3.4.0 → 3.4.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +33 -1
- data/Rakefile +1 -0
- data/docs/commands/status.md +14 -10
- data/docs/sources/pip.md +1 -1
- data/lib/licensed/sources/npm.rb +16 -2
- data/lib/licensed/sources/pip.rb +4 -1
- data/lib/licensed/sources/yarn/berry.rb +1 -11
- data/lib/licensed/sources/yarn/v1.rb +0 -10
- data/lib/licensed/sources/yarn.rb +19 -0
- data/lib/licensed/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f3f8fc2f5685cca01401bb63373518883d8f3e0cd6d27861a73eb2246d6ab8b5
|
|
4
|
+
data.tar.gz: fca0431aeb3401f17e78fccff82547315504597b1eab54699c1529c6fbacf2c7
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 575c5efa3e3b4c3a8bed98094372f61f4977ae9e5b023d155041cab5fd7a410d043b9fa31df20ea5084525251cd69d70474cc107b5b5f7c6e3bb08135d937187
|
|
7
|
+
data.tar.gz: e3fdbeced907154eb4b9511aefd263f8cf5b188e8360e039ee419496a5c9372ece14f63c59524638f27164cef0bd636e5ccbccaa196e89e117460f7e5faafaa6
|
data/CHANGELOG.md
CHANGED
|
@@ -6,6 +6,38 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
|
|
|
6
6
|
|
|
7
7
|
## [Unreleased]
|
|
8
8
|
|
|
9
|
+
## 3.4.4
|
|
10
|
+
|
|
11
|
+
2022-02-07
|
|
12
|
+
|
|
13
|
+
### Fixed
|
|
14
|
+
|
|
15
|
+
- The npm and pip sources have better protection from strings causing crashes in `Hash#dig` (https://github.com/github/licensed/pull/450)
|
|
16
|
+
|
|
17
|
+
## 3.4.3
|
|
18
|
+
|
|
19
|
+
2022-01-31
|
|
20
|
+
|
|
21
|
+
### Added
|
|
22
|
+
|
|
23
|
+
- The npm source handles more cases of missing, optional, peer dependencies (https://github.com/github/licensed/pull/443)
|
|
24
|
+
|
|
25
|
+
## 3.4.2
|
|
26
|
+
|
|
27
|
+
2022-01-17
|
|
28
|
+
|
|
29
|
+
### Fixed
|
|
30
|
+
|
|
31
|
+
- The yarn source will no longer evaluate package.json files that do not represent project dependencies (https://github.com/github/licensed/pull/439)
|
|
32
|
+
|
|
33
|
+
## 3.4.1
|
|
34
|
+
|
|
35
|
+
2022-01-07
|
|
36
|
+
|
|
37
|
+
### Fixed
|
|
38
|
+
|
|
39
|
+
- Malformed package.json files will no longer crash yarn dependency detection (https://github.com/github/licensed/pull/431)
|
|
40
|
+
|
|
9
41
|
## 3.4.0
|
|
10
42
|
|
|
11
43
|
2021-12-14
|
|
@@ -539,4 +571,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
|
|
|
539
571
|
|
|
540
572
|
Initial release :tada:
|
|
541
573
|
|
|
542
|
-
[Unreleased]: https://github.com/github/licensed/compare/3.4.
|
|
574
|
+
[Unreleased]: https://github.com/github/licensed/compare/3.4.4...HEAD
|
data/Rakefile
CHANGED
data/docs/commands/status.md
CHANGED
|
@@ -39,30 +39,34 @@ The following data is reported for each dependency when the YAML or JSON report
|
|
|
39
39
|
|
|
40
40
|
### cached dependency record not found
|
|
41
41
|
|
|
42
|
-
|
|
43
|
-
|
|
42
|
+
*Cause:* A dependency was found while running `licensed status` that does not have a corresponding cached metadata file
|
|
43
|
+
|
|
44
|
+
*Resolution:* Run `licensed cache` to update the metadata cache and create the missing metadata file
|
|
44
45
|
|
|
45
46
|
### cached dependency record out of date
|
|
46
47
|
|
|
47
|
-
|
|
48
|
-
|
|
48
|
+
*Cause:* A dependency was found while running `licensed status` with a different version than is contained in the dependency's cached metadata file
|
|
49
|
+
|
|
50
|
+
*Resolution:* Run `licensed cache` to update the out-of-date metadata files
|
|
49
51
|
|
|
50
52
|
### missing license text
|
|
51
53
|
|
|
52
|
-
|
|
53
|
-
|
|
54
|
+
*Cause:* A license determination was made, e.g. from package metadata, but no license text was found.
|
|
55
|
+
|
|
56
|
+
*Resolution:* Manually verify whether the dependency includes a file containing license text. If the dependency code that was downloaded locally does not contain the license text, please check the dependency source at the version listed in the dependency's cached metadata file to see if there is license text that can be used.
|
|
54
57
|
|
|
55
58
|
If the dependency does not include license text but does specify that it uses a specific license, please copy the standard license text from a [well known source](https://opensource.org/licenses).
|
|
56
59
|
|
|
57
60
|
### license text has changed and needs re-review. if the new text is ok, remove the `review_changed_license` flag from the cached record
|
|
58
61
|
|
|
59
|
-
|
|
60
|
-
|
|
62
|
+
*Cause:* A dependency that is set as [reviewed] in the licensed configuration file has substantially changed and should be re-reviewed.
|
|
63
|
+
|
|
64
|
+
*Resolution:* Review the changes to the license text and classification, along with other metadata contained in the cached file for the dependency. If the dependency is still allowable for use in your project, remove the `review_changed_license` key from the cached record file.
|
|
61
65
|
|
|
62
66
|
### license needs review
|
|
63
67
|
|
|
64
|
-
|
|
65
|
-
|
|
68
|
+
*Cause:* A dependency is using a license that is not in the configured [allowed list of licenses][allowed], and the dependency has not been marked [ignored] or [reviewed].
|
|
69
|
+
*Resolution:* Review the dependency's usage and specified license with someone familiar with OSS licensing and compliance rules to determine whether the dependency is allowable. Some common resolutions:
|
|
66
70
|
|
|
67
71
|
1. The dependency's specified license text differed enough from the standard license text that it was not recognized and classified as `other`. If, with human review, the license text is recognizable then update the `license: other` value in the cached metadata file to the correct license.
|
|
68
72
|
- An updated classification will persist through version upgrades until the detected license contents have changed. The determination is made by [licensee/licensee](https://github.com/licensee/licensee), the library which this tool uses to detect and classify license contents.
|
data/docs/sources/pip.md
CHANGED
data/lib/licensed/sources/npm.rb
CHANGED
|
@@ -135,11 +135,25 @@ module Licensed
|
|
|
135
135
|
end
|
|
136
136
|
|
|
137
137
|
def missing_peer?(parent, dependency, name)
|
|
138
|
-
|
|
138
|
+
# return true if dependency is marked as "peerMissing"
|
|
139
|
+
return true if dependency["peerMissing"]
|
|
140
|
+
|
|
141
|
+
# return false unless the parent has registered the dependency
|
|
142
|
+
# as a peer
|
|
143
|
+
return false unless peer_dependency(parent, name)
|
|
144
|
+
# return true if the dependency itself is marked as missing
|
|
145
|
+
return true if dependency["missing"]
|
|
146
|
+
dependency.empty? && parent&.dig("peerDependenciesMeta", name, "optional")
|
|
139
147
|
end
|
|
140
148
|
|
|
141
149
|
def peer_dependency(parent, name)
|
|
142
|
-
parent
|
|
150
|
+
return unless parent.is_a?(Hash)
|
|
151
|
+
|
|
152
|
+
peerDependencies = parent["peerDependencies"]
|
|
153
|
+
# "peerDependencies" could be set to the string "[Circular]"
|
|
154
|
+
return unless peerDependencies.is_a?(Hash)
|
|
155
|
+
|
|
156
|
+
peerDependencies[name]
|
|
143
157
|
end
|
|
144
158
|
|
|
145
159
|
def extract_version(parent, name)
|
data/lib/licensed/sources/pip.rb
CHANGED
|
@@ -63,7 +63,10 @@ module Licensed
|
|
|
63
63
|
def virtual_env_dir
|
|
64
64
|
return @virtual_env_dir if defined?(@virtual_env_dir)
|
|
65
65
|
@virtual_env_dir = begin
|
|
66
|
-
|
|
66
|
+
python_config = config["python"]
|
|
67
|
+
return unless python_config.is_a?(Hash)
|
|
68
|
+
|
|
69
|
+
venv_dir = python_config["virtual_env_dir"]
|
|
67
70
|
File.expand_path(venv_dir, config.root) if venv_dir
|
|
68
71
|
end
|
|
69
72
|
end
|
|
@@ -32,7 +32,7 @@ module Licensed
|
|
|
32
32
|
mapped_packages = yarn_info.reduce({}) do |accum, package|
|
|
33
33
|
name, _ = package["value"].rpartition("@")
|
|
34
34
|
version = package.dig("children", "Version")
|
|
35
|
-
id = "#{name}
|
|
35
|
+
id = "#{name}@#{version}"
|
|
36
36
|
|
|
37
37
|
accum[name] ||= []
|
|
38
38
|
accum[name] << {
|
|
@@ -59,16 +59,6 @@ module Licensed
|
|
|
59
59
|
end
|
|
60
60
|
end
|
|
61
61
|
|
|
62
|
-
# Returns a hash that maps all dependency names to their location on disk
|
|
63
|
-
# by parsing every package.json file under node_modules.
|
|
64
|
-
def dependency_paths
|
|
65
|
-
@dependency_paths ||= Dir.glob(config.pwd.join("node_modules/**/package.json")).each_with_object({}) do |file, hsh|
|
|
66
|
-
dirname = File.dirname(file)
|
|
67
|
-
json = JSON.parse(File.read(file))
|
|
68
|
-
hsh["#{json["name"]}-#{json["version"]}"] = dirname
|
|
69
|
-
end
|
|
70
|
-
end
|
|
71
|
-
|
|
72
62
|
# Returns the output from running `yarn list` to get project dependencies
|
|
73
63
|
def yarn_info_command
|
|
74
64
|
args = %w(--json --manifest --recursive --all)
|
|
@@ -73,16 +73,6 @@ module Licensed
|
|
|
73
73
|
result
|
|
74
74
|
end
|
|
75
75
|
|
|
76
|
-
# Returns a hash that maps all dependency names to their location on disk
|
|
77
|
-
# by parsing every package.json file under node_modules.
|
|
78
|
-
def dependency_paths
|
|
79
|
-
@dependency_paths ||= Dir.glob(config.pwd.join("node_modules/**/package.json")).each_with_object({}) do |file, hsh|
|
|
80
|
-
dirname = File.dirname(file)
|
|
81
|
-
json = JSON.parse(File.read(file))
|
|
82
|
-
hsh["#{json["name"]}@#{json["version"]}"] = dirname
|
|
83
|
-
end
|
|
84
|
-
end
|
|
85
|
-
|
|
86
76
|
# Finds and returns the yarn package tree listing from `yarn list` output
|
|
87
77
|
def yarn_package_tree
|
|
88
78
|
return @yarn_package_tree if defined?(@yarn_package_tree)
|
|
@@ -23,6 +23,25 @@ module Licensed
|
|
|
23
23
|
def yarn_version
|
|
24
24
|
Gem::Version.new(Licensed::Shell.execute("yarn", "-v"))
|
|
25
25
|
end
|
|
26
|
+
|
|
27
|
+
# Returns a hash that maps all dependency names to their location on disk
|
|
28
|
+
# by parsing every package.json file under node_modules.
|
|
29
|
+
def dependency_paths
|
|
30
|
+
@dependency_paths ||= [
|
|
31
|
+
*Dir.glob(config.pwd.join("**/node_modules/*/package.json")),
|
|
32
|
+
*Dir.glob(config.pwd.join("**/node_modules/@*/*/package.json"))
|
|
33
|
+
].each_with_object({}) do |file, hsh|
|
|
34
|
+
begin
|
|
35
|
+
dirname = File.dirname(file)
|
|
36
|
+
json = JSON.parse(File.read(file))
|
|
37
|
+
hsh["#{json["name"]}@#{json["version"]}"] = dirname
|
|
38
|
+
rescue JSON::ParserError
|
|
39
|
+
# don't crash execution if there is a problem parsing a package.json file
|
|
40
|
+
# if the bad package.json file relates to a package that licensed should be reporting on
|
|
41
|
+
# then this will still result in an error about a missing package
|
|
42
|
+
end
|
|
43
|
+
end
|
|
44
|
+
end
|
|
26
45
|
end
|
|
27
46
|
end
|
|
28
47
|
end
|
data/lib/licensed/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: licensed
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.4.
|
|
4
|
+
version: 3.4.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- GitHub
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-02-08 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: licensee
|