From: Jelle Licht
Subject: Re: npm (mitigation)
Date: Sat, 15 Jul 2017 05:57:56 +0200
On Fri, Jul 14, 2017 at 13:57:30 +0200, Jelle Licht wrote:
> Regardless, the biggest issue that remains is still that npm-land is mired
> in cyclical dependencies and a fun-but-not-actually unique dependency
> resolving scheme.
I still think the largest issue is trying to determine if a given
package and its entire [cyclic cluster] subgraph is Free. That's a lot
of manual verification to be had (to verify any automated
checks). npm's package.json does include a `license' field, but that is
metadata with no legal significance, and afaik _defaults_ to "MIT"
(implying Expat), even if there's actually no license information in the
repository.
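The check the message describes, as an added example that is not part of the original thread and not npm's own tooling: a cycle-safe walk over a constructed dependency graph that reports packages whose package.json declares no license in any of its historical shapes (instead of treating an absent field as MIT), packages whose declared license falls outside an assumed allowlist of free-software SPDX identifiers, and packages that declare a free license but ship no LICENSE file. The package graph, the allowlist and the `hasLicenseFile` flag are all constructed assumptions.

```javascript
'use strict';

// Constructed sample graph (not real npm metadata). Each entry mimics the
// relevant parts of a package.json; hasLicenseFile is an assumed flag
// standing in for "the tarball actually contains a LICENSE file", which is
// what carries legal weight, unlike the license field.
const packages = {
  'app@1.0.0':         { license: 'GPL-3.0-or-later', hasLicenseFile: true,
                         deps: ['left@2.1.0', 'right@0.3.0'] },
  'left@2.1.0':        { license: 'MIT', hasLicenseFile: true,
                         deps: ['right@0.3.0', 'legacy@0.1.0'] },
  'right@0.3.0':       { license: 'ISC', hasLicenseFile: false,   // free license declared, no LICENSE file
                         deps: ['left@2.1.0', 'mystery@0.0.1', 'ghost@1.0.0'] }, // left <-> right is a cycle
  'legacy@0.1.0':      { license: { type: 'BSD-3-Clause', url: 'https://example.invalid/LICENSE' }, // deprecated object form
                         hasLicenseFile: true, deps: [] },
  'mystery@0.0.1':     { hasLicenseFile: false, deps: ['proprietary@9.9.9'] }, // no license field at all
  'proprietary@9.9.9': { license: 'UNLICENSED', hasLicenseFile: false, deps: [] },
  // 'ghost@1.0.0' is referenced by right but absent from the graph
};

// Assumed allowlist of SPDX identifiers treated as free software licenses.
// SPDX expressions such as "(MIT OR Apache-2.0)" are deliberately not
// parsed here, so they land in nonFree and get looked at by a human.
const FREE_LICENSES = new Set([
  'MIT', 'ISC', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0',
  'GPL-2.0-or-later', 'GPL-3.0-or-later', 'LGPL-2.1-or-later',
  'LGPL-3.0-or-later', 'MPL-2.0',
]);

// Normalise the three historical shapes of license metadata in package.json
// to a single string, or null when nothing is declared. No default is
// substituted for a missing field.
function declaredLicense(pkg) {
  if (typeof pkg.license === 'string' && pkg.license.trim() !== '') {
    return pkg.license.trim();
  }
  if (pkg.license && typeof pkg.license === 'object' &&
      typeof pkg.license.type === 'string') {
    return pkg.license.type;                      // deprecated { type, url } form
  }
  if (Array.isArray(pkg.licenses) && pkg.licenses.length === 1 &&
      pkg.licenses[0] && typeof pkg.licenses[0].type === 'string') {
    return pkg.licenses[0].type;                  // deprecated licenses: [{ type, url }] form
  }
  return null;
}

// Walk every package reachable from rootId. The visited set is what makes
// cyclic clusters harmless: each package is examined exactly once no matter
// how many cycles lead back to it.
function auditLicenses(graph, rootId) {
  const visited = new Set();
  const findings = {
    reachable: [],        // packages actually examined
    unresolved: [],       // referenced but absent from the graph
    missingMetadata: [],  // no license declared in any form
    nonFree: [],          // declared license outside the allowlist
    unverified: [],       // free license declared but no LICENSE file to back it
  };
  const stack = [rootId];
  while (stack.length > 0) {
    const id = stack.pop();
    if (visited.has(id)) continue;
    visited.add(id);
    const pkg = graph[id];
    if (!pkg) { findings.unresolved.push(id); continue; }
    findings.reachable.push(id);
    const license = declaredLicense(pkg);
    if (license === null) {
      findings.missingMetadata.push(id);
    } else if (!FREE_LICENSES.has(license)) {
      findings.nonFree.push(id);
    } else if (!pkg.hasLicenseFile) {
      findings.unverified.push(id);
    }
    for (const dep of pkg.deps || []) stack.push(dep);
  }
  findings.ok = findings.unresolved.length === 0 &&
    findings.missingMetadata.length === 0 &&
    findings.nonFree.length === 0 &&
    findings.unverified.length === 0;
  return findings;
}

// Usage: print the report for the constructed graph.
console.log(JSON.stringify(auditLicenses(packages, 'app@1.0.0'), null, 2));
```

On real input the graph would be built from the lockfile or from each installed package's package.json, and `hasLicenseFile` from a directory listing of the unpacked tarball; the point of the three separate buckets is that only `missingMetadata` and `unverified` are the cases the automated check cannot settle, so those are the ones that need the manual verification the message talks about.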