Forums

p.boeren_9744

When trying to add a license via the API for a certain feed, the license is allowed at all feeds (thus created at global level).

When I create a license via the api (api/management/licenses/create) with this body:

{
  "licenseId": "package://@progress/kendo-react-grid/5.0.1/",
  "title": "package://@progress/kendo-react-grid/5.0.1/",
  "urls": [
    "package://@progress/kendo-react-grid/5.0.1/package/LICENSE.md"
  ],
  "allowed": true,
  "allowedFeeds": ["NpmLicenseTest"],
  "blockedFeeds": []
}

The license is properly created according to the api (api/management/licenses/list):

 {
        "licenseId": "package://@progress/kendo-react-grid/5.0.1/",
        "title": "package://@progress/kendo-react-grid/5.0.1/",
        "urls": [
            "package://@progress/kendo-react-grid/5.0.1/package/LICENSE.md"
        ],
        "allowed": true,
        "allowedFeeds": [
            "NpmLicenseTest"
        ],
        "blockedFeeds": []
    },
    {
        "licenseId": "package://@progress/kendo-react-popup/5.0.1/",
        "title": "package://@progress/kendo-react-popup/5.0.1/",
        "urls": [
            "package://@progress/kendo-react-popup/5.0.1/package/LICENSE.md"
        ],
        "allowed": true,
        "allowedFeeds": [
            "NpmLicenseTest"
        ],
        "blockedFeeds": []
    },

(the popup, license was added via the UI), but the license is actually created at global level (and thus visible in all other feeds):

Do I call the API incorrectly, or is this a bug?

p.boeren_9744

Would it be possible to take the "show/hide prerelease" option into account when assigning a license? Now it always takes the latest package (which quite often is a pre-release version) which is a bit confusing. For example (License URL is for a 5.1.0 dev version):

p.boeren_9744

That's great! Thanks!

p.boeren_9744

I'm currently evaluating ProGet Basic (we're using the free version for some years now), and especially the license filtering, but I'm having issues with packages which don't specify the license correctly.
We own a commercial license for Kendo-React from Telerik, that consists of a lot of npm packages. For example:

They all have a license of "SEE LICENSE IN LICENSE.md" and ProGet seems to only be able to create a licensing rule (I deny everything, and whitelist specific licenses) with that exact SPDX. But that has a big side effect: any package with that license, will be allowed. Which makes the license checking unreliable, since we're losing control over which licenses we really want to allow.

So my question: is there a feature planned for whitelisting specific packages (preferably with a specific version as well, since licenses can change between versions)?

While writing I think that a possible workaround would be to create a scoped registry specific for the @progress packages, but that would probably not work well with global license filters. Any other suggestions?

p.boeren_9744

I have sent a Fiddler dump to the mentioned email, hopefully confirming the thoughts of @Dan_Woolf.

Can you confirm that this is indeed the case? Will save @lockhead some time :)

p.boeren_9744

@p.boeren_9744

Best posts made by p.boeren_9744

Latest posts made by p.boeren_9744