Comment by Emil Moe on "How do you handle OSS licenses?"

The hard part is especially NPM since of the dependency load it's impossible to keep track of all the licenses.

I don't know if they have anything to prevent problems.

in theory, you should only have to check your own dependencies, because every one else has to make sure they only publish modules which are compatible with all of their dependency licenses.

That's a good point thanks

The way a lot of people use Browserify and Webpack is totally illegal - if it strips copyright notices in code comments from the JS source as it minifies it ;)

Are you sure about that? I mean it's not possible to take that piece of code (in theory yes, in reality no) out and use it. It should be considered the same as compiling source code for applications. In that case you also removes license informations.

@emilmoe License information has to be included, even in compiled products. Compiled products usually have to produce the license texts at some point. Take google as an example. When using google, open chrome://credits/.

There must be someone who has found a clever way to do this the legal way? I must admit I just use gulp --production which strips out all comments and licenses.

One could maybe be to extract all LICENSE files to a credits page like the one you show me.

https://yarnpkg.com/en/docs/cli/licenses

and

yarn licenses generate-disclaimer

I'm not using yarn for anything else, would it be too heavy load just for this?

@pdavis @maruru @tomhodgins

I found this https://www.npmjs.com/package/nlf

@emilmoe That's a nice tool for an overview, thanks for sharing! However, the problem is that a module might contain a slightly modified version of a license and you still have the problem that you don't ship them.

Well, for node applications, its easy, since when you download the packages, the license texts will probably be in the appropriate directory... but browsers are a completely different matter

@maruru What do you mean with browsers? The problem is JavaScript applications as I see it, because backend (PHP etc) can't be exposed so the license just stays

@emilmoe the backend is ok, since you do not compress them and probably just do npm i ., which leaves all the licenses in place. But as for the browser, you usually strip everything using webpack or something similar. So you ship libraries without licenses, which is not ok and has to be handled in some way, no?

Search Hashnode