[Question] licenses and generate-disclaimer #5503
Replies: 11 comments 2 replies
-
Hello 👋 We felt like those commands had a too fringe use case to be part of the core offering. Additionally there are various ways such tools could be expanded and configured, and trying to support them (and keep up with feature requests) would put an unwanted additional burden on our team. The good news is, those commands are exactly the kind of thing we had in mind when designing the plugin API, so it's entirely possible to implement them in userspace (and share your implementation with the community if you so wish). The plugin documentation is admittedly a bit sparse at the moment as we're working on improving that. In the meantime, you can check the plugin tutorial on the website and the plugin sources in this repo to get an idea of how it works.
-
Hi again! Thanks for your fast response. I had a look at the codebase; unfortunately I do not really understand how to achieve the following thing: Get all dependencies for a given

```ts
import { resolve } from "path";

class ProductionDependencies {
  private all: string[] = [];

  constructor(packageJsonPath: string) {
    // eslint-disable-next-line @typescript-eslint/no-var-requires
    this.fetchAll(Object.keys(require(packageJsonPath).dependencies || {}));
  }

  public fetchAll(deps: string[]) {
    for (const dep of deps) {
      if (this.all.indexOf(dep) === -1) {
        // Record the package before recursing so that cyclic dependency graphs terminate
        this.all.push(dep);
        // eslint-disable-next-line @typescript-eslint/no-var-requires
        const pkg = require(require.resolve(`${dep}/package.json`));
        // devDependencies are not needed for the license check and disclaimer
        this.fetchAll(Object.keys(pkg.dependencies || {}));
        console.log(pkg.name, pkg.license || pkg.licenses || "UNKNOWN");
      }
    }
  }
}

new ProductionDependencies(resolve("./package.json"));
```

I am thinking of creating a public package - I also do not promise if I create the package because perhaps someone maintaining a similar package is open to create a yarn plugin. I do not know yet if it will be a yarn plugin or a standalone package so it can be used with

So, I will note further things in this issue (just for myself, perhaps it can be interesting for others):
The These are just thoughts on how it can be implemented - I got inspired by the already implemented
-
I've just pushed up a plugin that adds It only does Check it out and let me know if you have any feedback.
-
@arcanis I've written a plugin that provides
-
I think we should add a "community plugins" page on the website to list those 🤔
-
Did you have something in mind? I'd be happy to contribute that to the website, but I'm not sure where you would want it, or how you would want to manage it. |
-
I also created an open source plugin for auditing licenses: https://github.com/tophat/yarn-plugin-licenses. It's still early stage, and needs some cleanup to the project (mainly tests), but as it's written right now, it can complement @mhassan1's plugin, as the commands don't conflict (
-
@noahnu thanks for your reply. Does the plugin you provide support per-package audit? We need to manage multiple licenses per project. :-)
-
@matzeeable I plan on cleaning it up a bit. At the moment it lets you specify a license validator (RegEx/predicate function) in a config file and then runs your license validator against all licenses for all installed dependencies (including transitive dependencies) in your project. It runs against the entire project at the moment, but wouldn't be much work to constrain the scope to a specific workspace, and allow finer filtering on dev dependencies vs. prod dependencies vs. peer, etc. It doesn't generate disclaimers. You can use @mhassan1's plugin for that.
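The two mechanisms discussed in this thread, walking the production dependency graph to collect licenses (the snippet posted earlier) and running a RegEx or predicate validator over every license found (the behaviour described for the audit plugin), are combined below in a self-contained example. This is added illustration code, not code from the thread or from either of the plugins mentioned; it assumes an in-memory registry (a constructed stand-in for the `package.json` files under `node_modules`) instead of `require()`, so it runs offline. The names `collectProductionDependencies`, `auditLicenses` and `generateDisclaimer` are hypothetical. The sample graph deliberately contains a dependency cycle and a package with no `license` field, the two cases a naive recursive walk gets wrong (it never terminates, or it silently passes an unknown license).

```typescript
// Added example (not from the thread or any plugin mentioned in it).
// Walks a constructed, in-memory production dependency graph the way the
// earlier snippet does with require(), but records each package before
// recursing so cyclic graphs terminate, then applies a license validator
// (RegExp or predicate) and builds a plain-text disclaimer.

type PackageMeta = {
  name: string;
  version: string;
  license?: string;
  dependencies?: Record<string, string>;
};

// Constructed sample registry standing in for node_modules/*/package.json.
// "a" and "c" depend on each other to exercise the cycle guard; "devtool"
// is only a devDependency of the root and must not appear in the result.
const registry: Record<string, PackageMeta> = {
  root: { name: "root", version: "1.0.0", license: "MIT", dependencies: { a: "^1", b: "^2" } },
  a: { name: "a", version: "1.2.0", license: "MIT", dependencies: { c: "^3" } },
  b: { name: "b", version: "2.0.0", license: "GPL-3.0-only" },
  c: { name: "c", version: "3.1.0", dependencies: { a: "^1" } }, // no license field at all
  devtool: { name: "devtool", version: "0.1.0", license: "Apache-2.0" },
};

type LicenseValidator = RegExp | ((license: string, pkg: PackageMeta) => boolean);

// Collect the transitive production dependencies of `rootName`, depth-first,
// in a deterministic order. The visited set is updated *before* recursing,
// which is what makes the a -> c -> a cycle above terminate.
function collectProductionDependencies(rootName: string, reg: Record<string, PackageMeta>): PackageMeta[] {
  const seen = new Set<string>();
  const out: PackageMeta[] = [];
  const visit = (name: string): void => {
    if (seen.has(name)) return;
    seen.add(name);
    const pkg = reg[name];
    if (!pkg) throw new Error(`package ${name} not found in registry`);
    if (name !== rootName) out.push(pkg);
    for (const dep of Object.keys(pkg.dependencies || {})) visit(dep);
  };
  visit(rootName);
  return out;
}

// A missing license is surfaced as "UNKNOWN" so it can never match an allow-list by accident.
function licenseOf(pkg: PackageMeta): string {
  return pkg.license || "UNKNOWN";
}

// Return "name@version (license)" for every package the validator rejects.
function auditLicenses(pkgs: PackageMeta[], validator: LicenseValidator): string[] {
  return pkgs
    .filter((pkg) => {
      const lic = licenseOf(pkg);
      const ok = validator instanceof RegExp ? validator.test(lic) : validator(lic, pkg);
      return !ok;
    })
    .map((pkg) => `${pkg.name}@${pkg.version} (${licenseOf(pkg)})`);
}

// Build a plain-text disclaimer listing every production dependency and its license.
function generateDisclaimer(pkgs: PackageMeta[]): string {
  return pkgs.map((pkg) => `${pkg.name}@${pkg.version}: ${licenseOf(pkg)}`).join("\n");
}

// Usage: an allow-list of permissive SPDX identifiers, applied to the sample graph.
const prod = collectProductionDependencies("root", registry);
const allowList = /^(MIT|ISC|BSD-[23]-Clause|Apache-2\.0)$/;
console.log("production deps:", prod.map((p) => p.name).join(", "));
console.log("rejected:", auditLicenses(prod, allowList));
console.log(generateDisclaimer(prod));
```

With the sample registry the walk yields `a, c, b` (no `devtool`, and `a` is visited once despite the cycle), the allow-list rejects `c` (UNKNOWN) and `b` (GPL-3.0-only), and the disclaimer has one line per production package. Swapping the RegExp for a predicate such as `(lic) => lic !== "UNKNOWN"` shows the other validator shape the plugin post describes.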
-
Adding to the list: We use license-checker-webpack-plugin. It's a license checker that's deeply integrated with Webpack, so it shows you only the licenses of packages that are still left after tree shaking 🙂
-
For people stumbling upon this ticket via Getting Started > CLI Commands > Removed from core, please note this plugin is listed on Features > Plugins > Contrib plugins. P.S. Especially for people like me who overlook Kurt-von-Laven's mention on Apr 29, 2021 🤭
-
Hi yarn team,
Awesome work on berry! I am working on an open source project (https://github.com/devowlio/wp-react-starter) and want to migrate yarn to berry. I want to benefit from faster install times also on my CI pipeline. Generally, I had a look at "issues" which can be caused by upgrading. The first thing I note:
What happened to these commands? They seem not to be available / ported. Are they on the roadmap? Are there better alternatives?
Best regards,
Matthew 🙂