New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

spf13/viper uses hashicorp/hcl which is licensed under MPL-2.0 #1224

Open

hansatgoogle opened this issue Sep 11, 2023 · 0 comments

Labels

dependency

Collaborator

hansatgoogle commented Sep 11, 2023

Snyk scans are reporting a license issue with a dependency (spf13/viper) because it depends on github.com/hashicorp/[email protected] which has a MPL-2.0 license, for example see https://github.com/apigee/registry/actions/runs/6134116191/job/16646630540.

We could either remove our dependency on spf13/viper (which depends on hashicorp/hcl) or add an exception for this finding.

MPL just requires that any changes to the library are made open source under MPL. I think it's extremely unlikely we make any custom changes to hcl so it should be safe to add an exception for this. We could do that by creating a custom license policy in snyk (https://docs.snyk.io/manage-risk/policies/license-policies) or define a custom policy in this repo (https://docs.snyk.io/manage-risk/policies/the-.snyk-file#ignoring-the-license-with-the-cli).

hansatgoogle added the dependency label

github-project-automation bot added this to Apigee API Registry

github-project-automation bot moved this to Inbox in Apigee API Registry

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment