
Conversation

@gertjanal
Contributor

@gertjanal gertjanal commented Jan 2, 2026

Description

Added npm run check:licenses to check if the package-lock.json contains any unwanted license like AGPL.

Live demo in this PR #27779

[INFO] > [email protected] check:licenses
[INFO] > TEMP=$(mktemp); jq .packages[].license package-lock.json | grep -v 'null' | sort | uniq > $TEMP; DIFFERENCES=$(grep -vxf ../allowed-licenses.txt $TEMP); DIFF_COUNT=$(echo -n $DIFFERENCES | wc -c); rm $TEMP; if [ $DIFF_COUNT != '0' ]; then echo '\033[0;31mLicense found in package-lock.json that is not in allowed-licenses.txt'; echo $DIFFERENCES; exit 1; fi
[INFO] 
[INFO] License found in package-lock.json that is not in allowed-licenses.txt
[INFO] "AGPL-3.0-or-later"
[INFO] 

Release notes

( X ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
( ) Release notes are required, with the following suggested text:

@cla-bot cla-bot bot added the cla-signed label Jan 2, 2026
@github-actions github-actions bot added the ui Web UI label Jan 2, 2026
@gertjanal gertjanal marked this pull request as ready for review January 6, 2026 19:36
@gertjanal gertjanal requested review from findepi and martint January 6, 2026 19:37
@gertjanal gertjanal marked this pull request as draft January 6, 2026 19:58
@gertjanal gertjanal force-pushed the npm-agpl-check branch 2 times, most recently from f59bc87 to 9f2c08c Compare January 6, 2026 20:12
@gertjanal gertjanal marked this pull request as ready for review January 6, 2026 20:18
@mosabua
Member

mosabua commented Jan 6, 2026

I think that's a good idea. We might need to expand to other licenses that are incompatible with Apache, but this is a good start.

@gertjanal gertjanal marked this pull request as draft January 7, 2026 10:19
@gertjanal
Contributor Author

gertjanal commented Jan 7, 2026

Note to self:
grep '"license": "' core/trino-web-ui/src/main/resources/webapp-preview/package-lock.json | sort | uniq

{
      "license": "0BSD",
      "license": "AGPL-3.0-or-later", // In PR #27779
      "license": "Apache-2.0",
      "license": "BSD-2-Clause",
      "license": "BSD-3-Clause"
      "license": "BSD-3-Clause",
      "license": "CC-BY-4.0"
      "license": "ISC"
      "license": "ISC",
      "license": "MIT",
      "license": "MIT",
      "license": "MIT AND ISC",
      "license": "OFL-1.1",
      "license": "Python-2.0",
      "license": "Unlicense"
}

And for the original webapp:

{
      "license": "Apache-2.0"
      "license": "Apache-2.0",
      "license": "BSD-2-Clause"
      "license": "BSD-2-Clause",
      "license": "BSD-3-Clause"
      "license": "BSD-3-Clause",
      "license": "CC-BY-4.0"
      "license": "ISC"
      "license": "ISC",
      "license": "MIT"
      "license": "MIT",
}

@gertjanal gertjanal force-pushed the npm-agpl-check branch 2 times, most recently from a6f3740 to b36d113 Compare January 7, 2026 12:45
@gertjanal gertjanal changed the title Add npm check to validate no AGPL licenses are used in node modules Add npm check to validate no unwanted licenses are used in node modules Jan 8, 2026
@gertjanal gertjanal marked this pull request as ready for review January 9, 2026 00:13
@gertjanal gertjanal requested a review from mosabua January 9, 2026 00:13
"flow": "flow",
"check": "npm install && flow && prettier --check **/*.js **/*.jsx *.js *.jsx",
"check:clean": "npm clean-install && flow && prettier --check **/*.js **/*.jsx *.js *.jsx",
"check": "npm install && flow && prettier --check **/*.js **/*.jsx *.js *.jsx && npm run check:licenses",
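Review bot: `check:clean` still ends at `prettier --check ...` while `check` now appends `&& npm run check:licenses`, so the license check only runs through `check`; consider appending `&& npm run check:licenses` to `check:clean` as well so both entry points enforce the same allowlist.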
Contributor

Is the check triggered while building, or at some later stage? Just want to confirm: if a user pushes commits multiple times, will the check run every time?
