
Whitelist npm packages licenses



  • I'm currently evaluating ProGet Basic (we're using the free version for some years now), and especially the license filtering, but I'm having issues with packages which don't specify the license correctly.
    We own a commercial license for Kendo-React from Telerik, that consists of a lot of npm packages. For example:

    They all have a license of "SEE LICENSE IN LICENSE.md", and ProGet seems to only be able to create a licensing rule (I deny everything and whitelist specific licenses) with that exact SPDX. But that has a big side effect: any package with that license will be allowed, which makes the license checking unreliable, since we're losing control over which licenses we really want to allow.

    So my question: is there a feature planned for whitelisting specific packages (preferably with a specific version as well, since licenses can change between versions)?

    While writing I think that a possible workaround would be to create a scoped registry specific for the @progress packages, but that would probably not work well with global license filters. Any other suggestions?


  • inedo-engineer

    Well, that's an interesting way to specify an embedded license file. I don't know if that's a convention or specification, but that seems to be a new way of handling it. It's kind of documented now, which is good: https://docs.npmjs.com/cli/v8/configuring-npm/package-json#license

    Anyways, we already handle this for NuGet packages using a URL convention like this:

    • No license - packageid://Aspose.Words/21.9.0
    • File license - package://Aspose.Words/21.9.0/License\Aspose_End-User-License-Agreement.txt

    Those will be defaulted in the fields if the package specifies no license or a file license.

    Not sure if it works now for npm packages, but it'd be relatively easy to adopt that convention, and then suggest it when the "license" field starts with "SEE LICENSE IN"...

    Anyways we'll investigate this and update in a day or two.

    Cheers,
    Alana


  • inedo-engineer

    Hi @p-boeren_9744 ,

    I added support to have npm packages treat SEE LICENSE IN as an embedded file license via PG-2085.

    It now looks like this, and blocks/allows the package:

    [screenshot]

    This will be released in this week's upcoming maintenance release.
    Cheers,
    Alana



  • That's great! Thanks!



  • Would it be possible to take the "show/hide prerelease" option into account when assigning a license? Now it always takes the latest package (which quite often is a pre-release version) which is a bit confusing. For example (License URL is for a 5.1.0 dev version):

    [screenshot]


  • inedo-engineer

    @p-boeren_9744 sure thing!

    Never noticed it before, but I just fixed it as PG-2100 - and it'll go in 6.0.9 (🎯 Feb 25)



  • When trying to add a license via the API for a certain feed, the license is allowed at all feeds (thus created at global level).

    When I create a license via the API (api/management/licenses/create) with this body:

    {
      "licenseId": "package://@progress/kendo-react-grid/5.0.1/",
      "title": "package://@progress/kendo-react-grid/5.0.1/",
      "urls": [
        "package://@progress/kendo-react-grid/5.0.1/package/LICENSE.md"
      ],
      "allowed": true,
      "allowedFeeds": ["NpmLicenseTest"],
      "blockedFeeds": []
    }
    

    The license is properly created according to the API (api/management/licenses/list):

    {
        "licenseId": "package://@progress/kendo-react-grid/5.0.1/",
        "title": "package://@progress/kendo-react-grid/5.0.1/",
        "urls": [
            "package://@progress/kendo-react-grid/5.0.1/package/LICENSE.md"
        ],
        "allowed": true,
        "allowedFeeds": [
            "NpmLicenseTest"
        ],
        "blockedFeeds": []
    },
    {
        "licenseId": "package://@progress/kendo-react-popup/5.0.1/",
        "title": "package://@progress/kendo-react-popup/5.0.1/",
        "urls": [
            "package://@progress/kendo-react-popup/5.0.1/package/LICENSE.md"
        ],
        "allowed": true,
        "allowedFeeds": [
            "NpmLicenseTest"
        ],
        "blockedFeeds": []
    },
    

    (the popup license was added via the UI), but the license is actually created at global level (and thus visible in all other feeds):

    [screenshot]

    Do I call the API incorrectly, or is this a bug?


  • inedo-engineer

    Hi @p-boeren_9744 ,

    The documentation isn't very clear 🙄

    I had to look this up myself in the code. If you set the allowed property, then a global rule is also created. Therefore, the following should work instead:

    {
      "licenseId": "package://@progress/kendo-react-grid/5.0.1/",
      "title": "package://@progress/kendo-react-grid/5.0.1/",
      "urls": [
        "package://@progress/kendo-react-grid/5.0.1/package/LICENSE.md"
      ],
      "allowedFeeds": ["NpmLicenseTest"]
    }
    

    Cheers,
    Alana
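As an added example (not ProGet's own code and not posted in this thread), a small Python helper that builds the `packageid://` / `package://` license URLs from Alana's NuGet convention above and the feed-scoped create body from her last reply, plus a pre-flight check that flags the pitfall she describes: a body that sets `allowed` also creates a global rule. It only constructs and validates the JSON; sending it to api/management/licenses/create is assumed to happen separately.

```python
import json


def embedded_license_url(package_name, version, license_path=None):
    """URL convention from the thread for packages without an SPDX id:
    no license file -> packageid://<name>/<version>
    file license    -> package://<name>/<version>/<path inside package>"""
    if license_path is None:
        return f"packageid://{package_name}/{version}"
    return f"package://{package_name}/{version}/{license_path}"


def feed_scoped_license_body(package_name, version, license_path, feeds):
    """Body for api/management/licenses/create that allows this package's
    embedded license only on the listed feeds. 'allowed' is deliberately
    omitted: per the reply above, setting it also creates a global rule."""
    license_id = f"package://{package_name}/{version}/"
    return {
        "licenseId": license_id,
        "title": license_id,
        "urls": [embedded_license_url(package_name, version, license_path)],
        "allowedFeeds": list(feeds),
    }


def check_create_body(body):
    """Return a list of problems found in a create body, so a script can
    refuse to send a rule that would silently become global."""
    problems = []
    scoped = body.get("allowedFeeds") or body.get("blockedFeeds")
    if scoped and "allowed" in body:
        problems.append("'allowed' is set together with feed lists: "
                        "a global rule would also be created")
    if not body.get("urls"):
        problems.append("no license URL given; nothing to match against")
    return problems


if __name__ == "__main__":
    # Constructed sample: the grid package from the thread, allowed on one feed.
    body = feed_scoped_license_body("@progress/kendo-react-grid", "5.0.1",
                                    "package/LICENSE.md", ["NpmLicenseTest"])
    print(json.dumps(body, indent=2))
    print("problems:", check_create_body(body))
    # The body from the original post, which ProGet also applies globally.
    print("problems:", check_create_body(dict(body, allowed=True, blockedFeeds=[])))
```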

