License checker process/script

[UlisesGascon]

Recently, we had some concerns regarding licenses for the Node.js sub-dependencies, and there was a suggestion on nodejs/node#49625 to include a script that validates the licenses for the Node.js dependencies.

As an initial kick-off, we had this comment on nodejs/node#49625 (comment).

This will require a good discussion within the team, but overall potential objectives (from #1100) are:

• Include a script/GH Action that consolidates the project dependencies and stores them.
• Trigger an alert (issue/PR) if there are changes in the licenses (sub-dependency added/removed, relicensed).
• Create documentation on how to review these changes and what the criteria are to accept/reject them.

[fasenderos]

I would like to take this one.
Just to make sure I understand it correctly, when you say consolidates the project dependencies and stores them, you mean to save all the licenses in a separate file and checking against that file, or check the package LICENSE with the one already stored in repo?

[fraxken]

I'm interested in joining because that's something I'm working on for NodeSecure.

I spent quite few hours on license detection (and others) for NodeSecure/scanner. Most solution in the ecosystem doesn't detect much licenses compared what available in SPDX :\

[RafaelGSS]

Reference: https://github.com/nodejs/node/blob/main/.github/workflows/license-builder.yml

[richardlau]

Reference: https://github.com/nodejs/node/blob/main/.github/workflows/license-builder.yml

This merely rebuilds the main Node.js license based on what was manually added to tools/license-builder.sh -- i.e. it checks for consistency. It doesn't check the type of license or any sub-dependencies. For nodejs/node#49625 npm's main license was unchanged but the license of one of its dependencies changed.

[pombredanne]

@fraxken you wrote: #1104 (comment)

I'm interested in joining because that's something I'm working on for NodeSecure.

I spent quite few hours on license detection (and others) for NodeSecure/scanner. Most solution in the ecosystem doesn't detect much licenses compared what available in SPDX :\

If you want to give the node and its deps and embedded code a good license scrub, you may want to check out scancode-toolkit (or scancode.io) which is considered the leading FOSS tool in space. If there is any license or copyright not detected correctly, this is a bug. And we fix bugs. Also does SBOMs.

[github-actions]

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.