
Comments (4)

tobysmith568 commented on May 19, 2024

Hey @64bit,

Generate-License-File should already be filtering out dev dependencies for you.

Are you finding that your output does contain dev dependencies?
If so, would you mind please sharing a package.json and package-lock.json repro with us?

Thanks!

from generate-license-file.

64bit commented on May 19, 2024

That's wonderful!

I have attached a zip file containing both json files (GitHub doesn't let me upload json files directly).

Here's my observation: in the generated license txt file I see Creative Commons for the caniuse-lite package; running npm ls caniuse-lite then shows it comes from autoprefixer (and root?), which is a devDependency, hence the reported issue:

[email protected] /home/himanshu/license-generator
└─┬ [email protected]
  ├─┬ [email protected]
  │ └── [email protected] deduped
  └── [email protected]

package-files.zip


tobysmith568 commented on May 19, 2024

Ah okay, so I think I've gotten to the bottom of this.

In your package-lock.json on line 1311 you can see that [email protected] lists [email protected] as a normal dependency, not a devDependency. However, on line 30 you can see that [email protected] is listed as a devDependency of your project, meaning in theory that [email protected] is therefore in turn a devDependency from the perspective of your project.

The problem (and what npm ls seems to have not shown you) is that on line 1606 you can see that [email protected] (that gets deduped to [email protected]) is a peerDependency of [email protected]. If you follow that up the dependency tree to line 12 then you can see daisyui is listed as one of your normal dependencies. Through this route (caniuse-lite <- autoprefixer <- daisyui) caniuse-lite is not a "pure" devDependency.

For me this raises two questions:

  1. Should generate-license-file show the licenses for packages that list those you depend on as peerDependencies?
  2. Should daisyui list autoprefixer as a peerDependency?

For 1) I'm not 100% sure but I'm leaning towards "yes". If your project has a normal dependency on package-a and package-b lists package-a as a peerDependency then that implies "while package-a does not directly require/import from package-b, it will discover it dynamically and run its code". To me that means the code from package-b is run in your project and should be listed.

For 2) I'm also not 100% sure but I'm leaning towards "no". I'm not familiar with daisyui but from what I can see:

In conclusion, I believe that in reality caniuse-lite is a devDependency of your project but generate-license-file is treating it as a normal dependency because daisyui used to incorrectly list autoprefixer as a peerDependency. If you were to update daisyui to 3.1.0 then I believe generate-license-file would stop showing caniuse-lite.

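The route described in the comment above (caniuse-lite <- autoprefixer <- daisyui) can be reproduced by walking the lockfile's `packages` map from the root's normal dependencies, with and without peerDependency edges. This is an added example, not code from generate-license-file or from the thread; it assumes a lockfileVersion 2/3 layout, and the lockfile fragment, version strings and function names (`resolve`, `productionPaths`) are constructed for illustration.

```javascript
// Constructed lockfile fragment: package names come from the thread,
// versions are placeholders and not the ones in the reporter's lockfile.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { daisyui: "*" }, devDependencies: { autoprefixer: "*" } },
    "node_modules/daisyui": { version: "0.0.0", peerDependencies: { autoprefixer: "*" } },
    "node_modules/autoprefixer": { version: "0.0.0",
      dependencies: { browserslist: "*", "caniuse-lite": "*" } },
    "node_modules/browserslist": { version: "0.0.0", dependencies: { "caniuse-lite": "*" } },
    "node_modules/caniuse-lite": { version: "0.0.0" },
  },
};

// Node-style resolution: look in the requester's own node_modules, then each ancestor's.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. an unmet optional peer)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Breadth-first walk from the root's "dependencies" only; devDependencies are never followed.
// Returns Map<installPath, chain of package names that pulled it in>.
function productionPaths(lockfile, { followPeers }) {
  const { packages } = lockfile;
  const seen = new Map();
  const queue = [["", []]];
  while (queue.length) {
    const [path, chain] = queue.shift();
    const pkg = packages[path];
    const edges = { ...pkg.dependencies, ...(followPeers ? pkg.peerDependencies : {}) };
    for (const name of Object.keys(edges)) {
      const target = resolve(packages, path, name);
      if (target === null || seen.has(target)) continue;
      seen.set(target, [...chain, name]);
      queue.push([target, [...chain, name]]);
    }
  }
  return seen;
}

const chain = productionPaths(lock, { followPeers: true }).get("node_modules/caniuse-lite");
console.log(chain.join(" -> "));
```

With `followPeers: false` the same walk reaches only daisyui, which is the "pure devDependency" view of caniuse-lite.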

64bit commented on May 19, 2024

Hey @tobysmith568, truly appreciate your humongous effort to see what's going on and explaining in detail!

Your reasoning makes sense to me; the responsibility should be on packages to list dependencies accurately. Fortunately, caniuse-lite doesn't put NC, ND restrictions so it's not a blocker and I can update to daisyui 3.1.0 when the time comes.

I'm closing this since generate-license-file is working as expected.

Thank you!
