UNKNOWN licences incorrectly shown for many NodeJS packages

Issue #384 resolved
Glenn Proctor created an issue

Hi

To pick a random example, domhandler is shown as "UNKNOWN" despite being marked as BSD 2-clause in the module's GitHub repo and NPM entry.

This seems to be more prevalent with NodeJS modules than with other languages.

If it's simply a case that someone needs to go through and manually suggest a licence via VersionEye's "Suggest a licence" option, let me know and I will find an intern to do the work :)

Glenn.

Comments (8)

  1. Robert Reiz

    Hi @glennproctor. VersionEye is fetching the license info from the NPMRegistry directly and stores the license for each version. Your links to NPM and GitHub point to the newest version of the module, and for that we have the license information on VersionEye as well: https://www.versioneye.com/nodejs/domhandler/2.4.1.

    Your VersionEye link points to version 2.1.0. For that version the NPMRegistry doesn't expose any license information.

    [attached screenshot: Screen Shot 2017-05-29 at 19.03.18.png]

    Here is the JSON for the current version:

    [attached screenshot: Screen Shot 2017-05-29 at 19.02.16.png]

    If you know for sure that version 2.1.0 has the same license as the newest version, then you can suggest that. If you have students who can do that manual research, then please let them do the job. I'm happy to support them. I'm not kidding. There are many versions for which we have to manually check the license.

  2. Robert Reiz

    I'm closing this, because it's not a bug. But we can continue the discussion here anyway. I'm open to improvements.

  3. Timo Sulg

    I did some research: GithubLicenseCrawler won't help much, as domhandler has only 3 releases on GitHub and those versions already have license tags.

    Is there any reason why we can't transfer the latest version's license to previous releases without a license?

  4. Glenn Proctor (reporter)

    Thanks for following up on this, and apologies for not replying sooner - I've been on holiday.

    I didn't appreciate that licences were specific to the version of a package; of course that makes sense now that I think about it.

    Just so I'm certain, when we update to the latest version of domhandler (and others), which do have a licence, it will be recognised - is this correct?

    If so that's fine - I don't think we're tied to particular versions of any of the packages we're using.

    @timgluz - I'd be nervous about backfilling licences the way you mention, it seems like imposing a licence that the author may not have intended. Perhaps if VersionEye could warn something like "your project is using version 2.1.0 which has no licence but the latest version 2.4.1 is BSD 2-Clause"?

    Glenn.

  5. Robert Reiz

    Hi @glennproctor. I hope you had nice holidays. That's correct. The license(s) are always bound to a specific version. If you update to the newest version and VersionEye has a license for it, then it will show up in your project report. I like your idea of displaying a note about the license of the newest version if the license for the currently used version is not available.

    @timgluz Every version can have a different license. There are many projects which changed their license over time. For example the iText project, which is super popular in the Java world. The older versions of iText are available under MPL-1.1, but in the newer versions they switched to the AGPL license. That means you can use the older version in commercial software without doubt, but the newest version's license requires you to open source your solution or to buy a commercial license. That's why it's very important that we keep the licenses attached to versions.
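As an added example, not code from the thread or from VersionEye: a small Node.js script that reads an npm registry document (a constructed sample below, shaped like the registry's per-package JSON), reports the licence declared for each version, and produces the kind of note Glenn proposes when the pinned version has none rather than copying the newest version's licence backwards. The field names `license`, `licenses` and `dist-tags` are those of package.json and the npm registry; the sample data and function names are assumptions.

```javascript
// Constructed registry document (shape of https://registry.npmjs.org/<name>);
// 2.1.0 has no license metadata, later releases declare one in different forms.
const SAMPLE_PACKUMENT = {
  name: "domhandler",
  "dist-tags": { latest: "2.4.1" },
  versions: {
    "2.1.0": { name: "domhandler", version: "2.1.0" },
    "2.3.0": { name: "domhandler", version: "2.3.0",
               licenses: [{ type: "BSD-2-Clause", url: "https://example.invalid/LICENSE" }] },
    "2.4.1": { name: "domhandler", version: "2.4.1", license: "BSD-2-Clause" },
  },
};

// Normalise the three shapes license metadata has taken in package.json:
// a string, an object { type, url }, or the deprecated "licenses" array.
function declaredLicense(manifest) {
  const lic = manifest.license;
  if (typeof lic === "string" && lic.trim()) return lic.trim();
  if (lic && typeof lic === "object" && typeof lic.type === "string") return lic.type;
  if (Array.isArray(manifest.licenses)) {
    const types = manifest.licenses
      .map((l) => (typeof l === "string" ? l : l && l.type))
      .filter(Boolean);
    if (types.length) return types.join(" OR ");
  }
  return null; // nothing declared for this version: shows up as UNKNOWN
}

// Map every published version to its declared license (null when absent).
function licensesByVersion(packument) {
  const out = {};
  for (const [version, manifest] of Object.entries(packument.versions || {})) {
    out[version] = declaredLicense(manifest);
  }
  return out;
}

// Report on the version a project pins; when it has no license, add the note
// proposed in the thread instead of silently copying the newest version's license.
function licenseReport(packument, pinnedVersion) {
  const byVersion = licensesByVersion(packument);
  if (!(pinnedVersion in byVersion)) return { status: "unpublished", license: null, note: null };
  if (byVersion[pinnedVersion]) return { status: "known", license: byVersion[pinnedVersion], note: null };
  const latest = packument["dist-tags"] && packument["dist-tags"].latest;
  const latestLicense = latest ? byVersion[latest] : null;
  const note = latestLicense
    ? `version ${pinnedVersion} has no licence but the latest version ${latest} is ${latestLicense}`
    : `version ${pinnedVersion} has no licence and neither does the latest version`;
  return { status: "unknown", license: null, note };
}
```

Against a live registry document the same functions work unchanged; the sample only stands in for the HTTP fetch.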
