Allow CC-BY/Python-2.0 licenses, waive lightningcss MPL #134
Open
gtbuchanan wants to merge 1 commit into
Add CC-BY-3.0, CC-BY-4.0, and Python-2.0 to allow-licenses. All are permissive/attribution-only (no copyleft) and appear only as dev-only transitive deps: spdx-exceptions (CC-BY-3.0), caniuse-lite (CC-BY-4.0), argparse (Python-2.0). Waive lightningcss (and its platform binaries) via allow-dependencies-licenses rather than allow-listing MPL-2.0 globally, so any future MPL dependency still trips the CI gate. lightningcss is a dev-only build tool pulled transitively through vite/vitest. This is the shared policy file; consumers inherit it through the dependency-review.yml config-file default.
Summary

Audited the license of every installed dependency against the shared dependency-review allowlist (.github/dependency-review-config.yml) and reconciled the gaps. All flagged packages are dev-only transitive dependencies — none ship in published runtime artifacts.

allow-licenses additions

- CC-BY-3.0: spdx-exceptions
- CC-BY-4.0: caniuse-lite
- Python-2.0: argparse

allow-dependencies-licenses (new section)

lightningcss is MPL-2.0 (file-level copyleft), pulled transitively through vite/vitest as a dev-only build tool. Rather than allow-listing MPL-2.0 globally — which would silently pass any future MPL dependency, including a runtime one — it's waived by name. This preserves the CI gate for other MPL deps. All 11 platform binaries are enumerated since the action has no wildcard support.

Not changed

- spawndamnit reports as Unknown only because it declares SEE LICENSE IN LICENSE; its LICENSE file is MIT. No action needed.
- (MIT OR CC0-1.0) entries already pass — both disjuncts are allowed.

Scope note

This is the shared policy file. Consumers inherit it through the config-file default in the reusable dependency-review.yml workflow, so the license additions and the lightningcss waiver apply downstream too. That's intentional — consumers pull lightningcss through the same shared vitest/vite stack, so sharing the waiver avoids every consumer having to duplicate the exception.

Note

No changeset included (CI-config-only change). changeset-check will fail unless an empty changeset is added.

🤖 Generated with Claude Code
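The allow-list versus per-package waiver logic the description argues for, as an added example: this is a small model written for this page, not the dependency-review action's code or the repo's config file. The allow set, the purl inventory, and the names pkg:npm/example-dual and pkg:npm/hypothetical-mpl-dep are constructed; the Unknown handling is an assumption of the model, so check the action's own docs for its real behaviour.

```python
# Added example, not the action's or repo's code: models allow-licenses vs a
# per-package waiver (allow-dependencies-licenses) with constructed inputs.
ALLOW_LICENSES = {"MIT", "ISC", "BSD-3-Clause", "Apache-2.0", "CC0-1.0",
                  "CC-BY-3.0", "CC-BY-4.0", "Python-2.0"}  # last three added by the PR
# Waivers keyed by package URL; the real file also names each platform binary.
ALLOW_DEPENDENCIES_LICENSES = {"pkg:npm/lightningcss"}

def _split_top(expr, op):
    """Split an SPDX expression on a top-level operator, skipping bracketed groups."""
    parts, depth, cur = [], 0, []
    for tok in expr.split():
        depth += tok.count("(") - tok.count(")")
        if tok == op and depth == 0:
            parts.append(" ".join(cur))
            cur = []
        else:
            cur.append(tok)
    parts.append(" ".join(cur))
    return parts

def license_allowed(expr, allowed):
    """OR passes if any disjunct is allowed; AND needs every conjunct allowed."""
    expr = expr.strip()
    ors = _split_top(expr, "OR")
    if len(ors) > 1:
        return any(license_allowed(p, allowed) for p in ors)
    ands = _split_top(expr, "AND")
    if len(ands) > 1:
        return all(license_allowed(p, allowed) for p in ands)
    if expr.startswith("(") and expr.endswith(")"):
        return license_allowed(expr[1:-1], allowed)
    return expr in allowed

def review(packages, allow_licenses, waived_purls):
    """Return (failing, unknown); non-SPDX 'Unknown' entries are flagged, not failed."""
    failing, unknown = [], []
    for purl, lic in packages:
        if purl in waived_purls:
            continue  # waived by name; the gate stays armed for every other package
        if lic == "Unknown":
            unknown.append(purl)
        elif not license_allowed(lic, allow_licenses):
            failing.append((purl, lic))
    return failing, unknown

DEPS = [  # constructed inventory of the packages the PR discusses
    ("pkg:npm/spdx-exceptions", "CC-BY-3.0"), ("pkg:npm/caniuse-lite", "CC-BY-4.0"),
    ("pkg:npm/argparse", "Python-2.0"), ("pkg:npm/lightningcss", "MPL-2.0"),
    ("pkg:npm/example-dual", "(MIT OR CC0-1.0)"), ("pkg:npm/spawndamnit", "Unknown"),
    ("pkg:npm/hypothetical-mpl-dep", "MPL-2.0"),  # a future MPL dep must still fail
]
```

Running `review(DEPS, ALLOW_LICENSES, ALLOW_DEPENDENCIES_LICENSES)` fails only the hypothetical MPL dep, while adding "MPL-2.0" to ALLOW_LICENSES instead of the waiver lets it through silently.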