
Ensure that all node modules used in production build are GPLv2+ compatible #6508

Closed
aaronjorbin opened this issue Apr 30, 2018 · 10 comments
Labels
[Type] Task Issues or PRs that have been broken down into an individual action to take

Comments

@aaronjorbin
Member

aaronjorbin commented Apr 30, 2018

With Gutenberg requiring almost 300 different node modules, we need to make sure anything that gets shipped to our end users is licensed in a GPL compatible way.

Using license-checker to look at all this:

$ license-checker --summary --production
├─ MIT: 221
├─ ISC: 35
├─ BSD-2-Clause: 6
├─ Apache-2.0: 5
├─ BSD-3-Clause: 5
├─ BSD: 3
├─ GPL-2.0+: 2
├─ Custom: https://s.w.org/style/images/codeispoetry.png: 2
├─ Apache License, Version 2.0: 2
├─ GPL-3.0: 1
├─ Custom: https://make.wordpress.org/design/handbook/design-guide/browser-support/: 1
├─ CC0-1.0: 1
├─ Custom: https://codex.wordpress.org/I18n: 1
├─ Custom: https://google.com: 1
├─ BSD*: 1
├─ GPL-2.0*: 1
├─ (WTFPL OR MIT): 1
├─ Custom: https://make.wordpress.org/accessibility/2015/04/15/let-wordpress-speak-new-in-wordpress-4-2/: 1
├─ (MIT AND CC-BY-3.0): 1
├─ Unlicense: 1
└─ (GPL-2.0 OR MIT): 1

The Apache-2.0 licensed modules aren't compatible with GPL v2, so we will need to find replacements for them, convince them to update their license, or ensure they aren't included in the production build:

doctrine@2.1.0 Apache-2.0
eslint-visitor-keys Apache-2.0
mousetrap Apache-2.0
rx-lite Apache License, Version 2.0
rx-lite-aggregates Apache License, Version 2.0
spdx-correct Apache-2.0
validate-npm-package-license Apache-2.0

Also, there is one GPL3 module
dom-react GPL-3.0

This isn't exhaustive and we likely need to go through each submodule by hand to ensure we don't inadvertently include something like code mirror's jshint file (which core did).

@Lewiscowles1986
Contributor

Pretty sure Apache, BSD & MIT can become GPL, just not the other way. Also, WP has had MIT code in the past I'm sure.

@Lewiscowles1986
Contributor

AFAIK WP is GPL 2+, so GPL 3 code is more of a problem due to threat against TiVo (more WP.com concern). IANAL though

@aaronjorbin
Member Author

MIT, BSD, ISC and the CC licenses are fine, which is why I only highlighted the Apachev2 and GPL3 modules.

Apache v2 isn't GPL2 compatible. https://www.gnu.org/licenses/license-list.html#apache2

GPL3 isn't GPL2 compatible: https://www.gnu.org/licenses/license-list.en.html#GNUGPL

@pento pento added the [Type] Task Issues or PRs that have been broken down into an individual action to take label May 1, 2018
@pento pento added this to the WordPress 5.0 milestone May 1, 2018
@pento
Member

pento commented May 1, 2018

Whee, thanks for the summary, @aaronjorbin.

How did you generate that list of packages? It seems like it's included some that shouldn't be there.

doctrine: included as a dependency of eslint-plugin-import, which is a dependency of react-datepicker. Later versions of react-datepicker remove this dependency, so upgrading appears to be a simple solution.

eslint-visitor-keys, rx-lite, rx-lite-aggregates: these are dependencies (or sub-dependencies) of eslint, which is a devDependency. I don't know why they're listed.

mousetrap: This is a direct dependency, and will need to be replaced.

spdx-correct, validate-npm-package-license: These are sub-dependencies of node-sass, which is a devDependency.

dom-react: The contributors to this module are @iseulde and @aduth, who I hope would agree to re-license it as GPLv2. 😉

@aaronjorbin
Member Author

@pento Thanks so much for investigating further.

I used https://github.com/davglass/license-checker, specifically license-checker --summary --production to get the list of licenses and then license-checker --production --exclude 'MIT,ISC,BSD-2-Clause,BSD-3-Clause,BSD,GPL-2.0+,GPL-2.0*' to get the other packages.

I think it might be worthwhile to automate this in some way and also make it more reliable.

@ntwb
Member

ntwb commented May 1, 2018

FYI: validate-npm-package-license is also a dependency of init-package-json which is a dependency of npm, to which I just ran the license-checker against npm itself:

mkdir tmp && cd tmp && npm i npm --save
npx license-checker --summary --production

npx: installed 739 in 12.253s
├─ MIT: 232
├─ ISC: 98
├─ BSD-2-Clause: 13
├─ MIT*: 11
├─ BSD-3-Clause: 10
├─ Apache-2.0: 8
├─ Artistic-2.0: 4
├─ CC0-1.0: 3
├─ (WTFPL OR MIT): 3
├─ ISC*: 2
├─ Custom: https://travis-ci.org/ember-cli/ember-cli.svg: 1
├─ (MIT OR Apache-2.0): 1
├─ Apache 2.0: 1
├─ (BSD-2-Clause OR MIT OR Apache-2.0): 1
├─ AFLv2.1,BSD: 1
├─ (BSD-2-Clause OR MIT): 1
├─ CC-BY-3.0: 1
└─ Unlicense: 1

Because npm itself depends upon 8 packages that are Apache-2.0 licensed, does that make npm itself not compatible with the GPLv2+ and prevent us from using npm at all?

@pento
Member

pento commented May 1, 2018

I agree this should be automated. npm ls --production is probably a good starting point, I can put together a command to use that.

We can use npm, because npm is a build tool, it's not a library we distribute.

@pento
Member

pento commented May 1, 2018

Who loves piping commands? We love piping commands!

$ npm ls --production --parseable | xargs -I {} jq --raw-output '.name + " " + ( .license // .licenses[0].type )' '{}/package.json' | ack -v '^.* .*(MIT|GPL-2|ISC|BSD|CC0).*$'
dom-react GPL-3.0
mousetrap Apache-2.0
validate-npm-package-license Apache-2.0
spdx-correct Apache-2.0
spdx-license-ids Unlicense

After upgrading react-datepicker to 1.4.1 and showdown to 1.8.6 (but not actually testing if they work), I get:

dom-react GPL-3.0
mousetrap Apache-2.0
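The pipeline above greps license strings for a few substrings, which treats "(MIT AND Apache-2.0)" the same as "(MIT OR Apache-2.0)" and silently passes unknown or custom licenses. The following is an added example (not code from the Gutenberg repo or the thread) that does the same lookup as the jq expression but buckets each package into compatible / incompatible / review and distinguishes SPDX OR from AND; the two license sets, the function names and the sample package.json objects are assumptions constructed for the illustration.

```javascript
// Added example, not code from the Gutenberg repo: bucket package.json license
// fields into compatible / incompatible / review, handling the legacy `licenses`
// array and flat SPDX "OR" / "AND" expressions. Both license sets are assumptions
// based on the thread's reading of the FSF license list.
const COMPATIBLE = new Set(['MIT', 'ISC', 'BSD', 'BSD-2-Clause', 'BSD-3-Clause',
  'CC0-1.0', 'Unlicense', 'WTFPL', 'GPL-2.0', 'GPL-2.0+', 'GPL-2.0-or-later']);
const INCOMPATIBLE = new Set(['Apache-2.0', 'Apache License, Version 2.0',
  'GPL-3.0', 'GPL-3.0-only', 'GPL-3.0-or-later']);
const RANK = { compatible: 0, review: 1, incompatible: 2 };

// Same lookup as the thread's jq: `.license // .licenses[0].type`.
function licenseString(pkg) {
  if (typeof pkg.license === 'string') return pkg.license;
  const first = Array.isArray(pkg.licenses) ? pkg.licenses[0] : undefined;
  if (first) return typeof first === 'string' ? first : first.type;
  return 'UNKNOWN';
}

// One SPDX identifier; anything unrecognised needs a human look, not a pass.
function rateId(id) {
  const t = id.trim();
  if (COMPATIBLE.has(t)) return 'compatible';
  if (INCOMPATIBLE.has(t)) return 'incompatible';
  return 'review'; // e.g. "SEE LICENSE IN ...", custom URLs, typos
}

// Flat expression. OR: we may choose any one term, so the best rating wins.
// AND: every term applies, so the worst rating wins.
function rateExpression(expr) {
  const inner = expr.trim().replace(/^\((.*)\)$/, '$1');
  const isOr = /\bOR\b/.test(inner);
  const ratings = inner.split(isOr ? /\bOR\b/ : /\bAND\b/).map(rateId);
  return ratings.reduce((a, b) =>
    (isOr ? RANK[a] <= RANK[b] : RANK[a] >= RANK[b]) ? a : b);
}

// Audit package.json objects (e.g. read from `npm ls --production --parseable`).
function auditPackages(pkgs) {
  const out = { compatible: [], incompatible: [], review: [] };
  for (const pkg of pkgs) {
    const lic = licenseString(pkg);
    out[rateExpression(lic)].push(`${pkg.name} ${lic}`);
  }
  return out;
}

// Constructed sample input mirroring the field shapes seen in the thread.
const SAMPLE = [
  { name: 'rx-lite', licenses: [{ type: 'Apache License, Version 2.0' }] },
  { name: 'example-dual', license: '(GPL-2.0 OR MIT)' },
  { name: 'example-and', license: '(MIT AND Apache-2.0)' },
  { name: 'example-custom', license: 'SEE LICENSE IN LICENSE.txt' },
];
console.log(auditPackages(SAMPLE));
```

Only the `compatible` bucket may ship; the `review` bucket is where the "Custom: https://..." entries from the summary above would land for a manual check.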

@pento
Member

pento commented May 3, 2018

react-datepicker and showdown have been upgraded, their dependencies are no longer causing issues.

dom-react has been relicensed as GPL2+, and will be upgraded when a new version is released.

I've asked the mousetrap author if they'd be willing to relicense (or dual license). We can wait and see for that.

@mtias
Member

mtias commented Jun 22, 2018

Sounds like this is covered now. Please, reopen if not.

@mtias mtias closed this as completed Jun 22, 2018
pento added a commit that referenced this issue Aug 13, 2018
Ensure that all packages we distribute have a GPL2 compatible license, and any other packages we use during development have some form of OSS license.

Fixes #6508, #7822.