spf13/viper uses hashicorp/hcl which is licensed under MPL-2.0 #1224
Labels
dependency
There's something we need addressed in a dependency
Comments
hansatgoogle
added
the
dependency
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Snyk scans are reporting a license issue with a dependency (spf13/viper) because it depends on github.com/hashicorp/[email protected] which has a MPL-2.0 license, for example see https://github.com/apigee/registry/actions/runs/6134116191/job/16646630540.
We could either remove our dependency on spf13/viper (which depends on hashicorp/hcl) or add an exception for this finding.
MPL just requires that any changes to the library are made open source under MPL. I think it's extremely unlikely we make any custom changes to hcl so it should be safe to add an exception for this. We could do that by creating a custom license policy in snyk (https://docs.snyk.io/manage-risk/policies/license-policies) or define a custom policy in this repo (https://docs.snyk.io/manage-risk/policies/the-.snyk-file#ignoring-the-license-with-the-cli).
The text was updated successfully, but these errors were encountered: