Review allowed licenses for dependencies introduced to the codebase 🔍

[JamieSlome]

@maoo - during our community call today, we discussed the existing caniuse-lite CC-BY 4.0 CI warning that is blocking #482.

To practice sensible caution, we should review the existing allow-licenses provided to the Dependency Review GitHub Action.

Tasks

Preview Give feedback

1. Review existing licenses of dependencies permissible to introduce to the codebase
2. Remove any allowed licenses that are not permissible
3. Add any licenses that are missing from the GitHub Action configuration

@coopernetes @abinash2512 - thank you for your contribution to the conversation today around license compliance ❤️ Extremely valuable insight.

[maoo]

Review existing licenses of dependencies permissible to introduce to the codebase - Done, all good, nothing to remove, see https://community.finos.org/docs/governance/software-projects/license-categories/

Re Add any licenses that are missing from the GitHub Action configuration , I would not add licenses that are not used; this will allow to use the dependency-review configuration as a curated list of licenses currently adopted in the project; worth noticing that - when we get to 2.0 - we'll have different configurations for different components.

WDYT?

[JamieSlome]

@maoo - makes sense; I think? 🤔

One more thing I would like to check is do we want to add any items to a deny-list for licenses?

[maoo]

@maoo - makes sense; I think? 🤔

One more thing I would like to check is do we want to add any items to a deny-list for licenses?

Yes, it probably makes sense.

The main ones are GPL-, AGPL- and LGPL-* , but the full list is on Full list is on https://community.finos.org/docs/governance/software-projects/license-categories/#category-x

[JamieSlome]

We are unable to configure both allow-licenses and deny-licenses at the same time (as shown in the PR above).

We can proceed with closing this issue as all of the requirements have been met. Thank you @maoo ❤️