Hi,
On Thu, Mar 21, 2019 at 1:45 PM Justin Mclean <justinmcl...@me.com> wrote:
>
> Hi,
>
> > These dependencies are all development time dependencies, which can be
> > found in "devDependencies" section of package.json file.
>
> Anyone who compiles the source will get these and be unaware of them, that
> seems a little problematic to me.
>
> > For node-notifier, which is also a dev dependency, I am not sure how
> > it is used in dubbo-admin. But I tried to remove it and build it,
> > everything looks good. I think it can be removed.
>
> That would be best I think.

To avoid things like this happening again, I think we need to add some
check when voting for the release. I tried to do the following:

$ cd dubbo-admin-ui/node_modules
$ grep -rin --include=**/*LICENSE "GPL" .
./node-forge/LICENSE:2:GNU General Public License (GPL) Version 2.
./node-forge/LICENSE:8:If the GPL suits your project better you are also free to use Forge under

It shows the node-forge module contains a GPL license, but looking into
the license file, it is actually dual licensed with GPL (Category X) and
BSD-3 clause (Category A). So I think it is fine. We may add more
keywords mentioned in the Category X list.

>
> Thanks,
> Justin

--
Best Regards!
Huxing
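
The release-time check proposed in the message above, extended to more keywords and to the dual-license case, as an added example (not part of the original message or of the dubbo-admin project). The keyword lists, the function names `scan_licenses` and `make_sample_tree`, and the sample license texts are assumptions constructed for illustration; the keyword list is only a small subset of Category X.

```shell
#!/bin/sh
# Added example: classify license files under a dependency tree.
# Assumption: a small subset of ASF Category X keywords; extend from the full list.
CATEGORY_X='GPL|GNU (Lesser |Affero )?General Public License'
# Assumption: wording that suggests a permissive (Category A) alternative is offered.
PERMISSIVE='BSD|MIT License|Apache License'

# scan_licenses DIR
# Prints "BLOCK <file>" when only Category X wording is found, and
# "REVIEW <file>" when a permissive license is named too (possible dual
# license, as with node-forge); a human still has to read those files.
scan_licenses() {
    find "$1" -type f \( -iname 'LICENSE*' -o -iname 'COPYING*' \) | sort |
    while IFS= read -r f; do
        grep -Eiq "$CATEGORY_X" "$f" || continue
        if grep -Eiq "$PERMISSIVE" "$f"; then
            echo "REVIEW $f"
        else
            echo "BLOCK $f"
        fi
    done
}

# make_sample_tree: build a constructed node_modules-like tree in a temp dir
# (license texts are shortened stand-ins, not the real files).
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/dual-mod" "$d/gpl-mod" "$d/mit-mod"
    printf '%s\n' 'You may use this project under the terms of either the BSD License' \
        'or the GNU General Public License (GPL) Version 2.' > "$d/dual-mod/LICENSE"
    printf '%s\n' 'GNU GENERAL PUBLIC LICENSE' 'Version 3, 29 June 2007' > "$d/gpl-mod/COPYING"
    printf '%s\n' 'MIT License' 'Permission is hereby granted, free of charge' > "$d/mit-mod/LICENSE.md"
    echo "$d"
}

# Scan the directory given as $1, or the constructed sample when none is given.
if [ $# -gt 0 ]; then
    scan_licenses "$1"
else
    sample=$(make_sample_tree)
    scan_licenses "$sample"
    rm -rf "$sample"
fi
```

A `REVIEW` line only means both kinds of wording appear in the file; whether the module is really dual licensed still has to be confirmed by reading it.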