UNKNOWN licences incorrectly shown for many NodeJS packages
Hi
To pick a random example, domhandler is shown as "UNKNOWN" despite being marked as BSD 2-clause in the module's GitHub repo and NPM entry
This seems to be more prevalent with NodeJS modules than with other languages.
If it's simply a case that someone needs to go through and manually suggest a licence via VersionEye's "Suggest a licence" option, let me know and I will find an intern to do the work :)
Glenn.
Comments (8)
marked as proposal
Hi @glennproctor. VersionEye is fetching the license info from the NPMRegistry directly and stores the license for each version. Your links to NPM and GitHub point to the newest version of the module, and for that we have the license information on VersionEye as well: https://www.versioneye.com/nodejs/domhandler/2.4.1.
Your VersionEye link points to version 2.1.0. For that version the NPMRegistry doesn't expose any license information.
Here is the JSON for the current version:
If you know for sure that version 2.1.0 has the same license as the newest version, then you can suggest that. If you have students who can do that manual research, then please let them do the job. I'm happy to support them. I'm not kidding. There are many versions where we have to manually check the license.
changed status to resolved
I'm closing this, because it's not a bug. But we can continue the discussion here anyway. I'm open to improvements.
I did some research: GithubLicenseCrawler won't help much, as domhandler has only 3 releases on GitHub and those versions already have license tags. Is there any reason why we can't transfer the latest version's license to previous releases without a license?
Thanks for following up on this, and apologies for not replying sooner - I've been on holiday.
I didn't appreciate that licences were specific to the version of a package; of course that makes sense now that I think about it.
Just so I'm certain, when we update to the latest version of domhandler (and others), which do have a licence, it will be recognised - is this correct?
If so that's fine - I don't think we're tied to particular versions of any of the packages we're using.
@timgluz - I'd be nervous about backfilling licences the way you mention; it seems like imposing a licence that the author may not have intended. Perhaps VersionEye could warn something like "your project is using version 2.1.0 which has no licence but the latest version 2.4.1 is BSD 2-Clause"?
Glenn.
Hi @glennproctor. I hope you had a nice holiday. That's correct. The license(s) are always bound to a specific version. If you update to the newest version and VersionEye has a license for it, then it will show up in your project report. I like your idea of displaying a note about the license of the newest version if the license for the currently used version is not available.
@timgluz Every version can have a different license. There are many projects which changed their license over time. For example the iText project, which is super popular in the Java world. The older versions of iText are available under MPL-1.1, but in the newer versions they switched to the AGPL license. That means you can use the older version in commercial software without doubt, but the newest version's license requires you to open source your solution or to buy a commercial license. That's why it's very important that we keep the licenses attached to versions.
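As an added example (not VersionEye's own code), the per-version license lookup and the "latest version is X" note proposed above, run over a constructed registry document shaped like the one registry.npmjs.org serves; the sample versions and their licence values are made up for illustration, not fetched from npm.

```javascript
// Reads per-version license metadata from an npm registry package document and
// warns when the version in use carries none. Assumes the registry shape:
// "dist-tags.latest" plus a "versions" map whose entries may carry "license"
// (a string or a {type,url} object) or the older "licenses" array of {type,url}.

// Constructed sample document standing in for a real registry record.
const sampleRegistryDoc = {
  name: "domhandler",
  "dist-tags": { latest: "2.4.1" },
  versions: {
    "2.1.0": { version: "2.1.0" }, // no license field at all
    "2.2.0": { version: "2.2.0", licenses: [{ type: "BSD-2-Clause", url: "https://example.invalid/LICENSE" }] },
    "2.3.0": { version: "2.3.0", license: { type: "BSD-2-Clause", url: "https://example.invalid/LICENSE" } },
    "2.4.1": { version: "2.4.1", license: "BSD-2-Clause" },
  },
};

// Normalise the three historical spellings of license metadata to a list of
// license identifiers; an empty list means the registry exposes nothing.
function licensesOf(versionEntry) {
  const out = [];
  const push = (v) => {
    if (typeof v === "string" && v.trim()) out.push(v.trim());
    else if (v && typeof v === "object" && typeof v.type === "string") out.push(v.type);
  };
  push(versionEntry.license);
  if (Array.isArray(versionEntry.licenses)) versionEntry.licenses.forEach(push);
  return out;
}

// Report for the version in use: its own licenses, plus an advisory note naming
// the latest release's license when the used version has none. The note never
// backfills the older version; the registry value stays authoritative.
function licenseReport(doc, usedVersion) {
  const used = doc.versions[usedVersion];
  if (!used) throw new Error(`${doc.name}@${usedVersion} not in registry document`);
  const latestVersion = doc["dist-tags"].latest;
  const usedLicenses = licensesOf(used);
  const latestLicenses = licensesOf(doc.versions[latestVersion] || {});
  let note = null;
  if (usedLicenses.length === 0) {
    note = latestLicenses.length
      ? `${doc.name}@${usedVersion} has no license in the registry; the latest version ${latestVersion} is ${latestLicenses.join(", ")}`
      : `${doc.name}@${usedVersion} has no license in the registry, and neither does the latest version ${latestVersion}`;
  }
  return { usedVersion, usedLicenses, latestVersion, latestLicenses, note };
}

// Every version with no registry license: the manual-review backlog the thread mentions.
function unlicensedVersions(doc) {
  return Object.keys(doc.versions).filter((v) => licensesOf(doc.versions[v]).length === 0);
}
```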
@timgluz I will check out the GitHubLicenseCrawler today.
@reiz GithubLicenseCrawler can do the job faster than an intern.