- Compared the Trivy and SPDX exports (`trivy-*.json` vs `spdx-*.json`) to understand coverage gaps for Crossplatform, CrossplatformWeb, and `ts-packages`.
- Parsed `Crossplatform/Package.resolved` to catalogue all remote SwiftPM dependencies and documented them in `codex-crossplatform.md`.
- Extracted the direct production dependencies from `CrossplatformWeb/package.json` and grouped them into external vs. internal packages in `codex-crossplatformweb.md`.
- Leveraged `spdx-crossplatform.json` to enumerate every Cargo crate bundled into `rustlib`, producing the detailed table in `codex-crossplatform-rust-crates.md`.
- Verified that `Nimble` and `SwiftCheck` are confined to test targets so they can be excluded from runtime acknowledgements.

- Swift packages: Our list mirrors the 35 remote packages actually resolved for Crossplatform, whereas `claude-crossplatform.json` adds nine extras (`swift-atomics`, `swift-snapshot-testing`, `swift-case-paths`, etc.) that originate from other workspaces or test/different targets. They should only appear in acknowledgements if their binaries ship with the product.
- Rust crates: We captured 163 crates (including internal ones such as `fast_bezier` and `gn_crossplatform_rust`), five more than the 158 recorded in Claude’s report. These additions represent in-house crates that still require license checks.
- Web dependencies: Our CrossplatformWeb list aligns with Claude’s direct production dependencies except for handling the forked Mermaid bundles (`@mermaid-js/layout-tidy-tree`, `mermaid`) as internal assets and a minor formatting fix needed for `zod`. Decide whether the forked tarballs should stay internal or be credited as third-party despite the forked distribution in the final acknowledgements.

| Package(s) | Ships with Crossplatform XP? | Evidence | Action |
|---|---|---|---|
| `@mermaid-js/layout-tidy-tree`, `mermaid` | Yes – pulled in as local tarballs from `ts-private-forks/mermaid` | Dependency declared in `CrossplatformWeb/package.json:221` & `:258`; upstream MIT license in `ts-private-forks/mermaid/LICENSE` | Include MIT license text (and note fork source) in acknowledgements |
| `swift-atomics` | No – only referenced by Mac/iOS tooling packages (e.g. `Packages/GNRealTimeApple/Package.swift:32`) and absent from `Crossplatform/Package.resolved` | `rg "swift-atomics" Crossplatform/Package.resolved` → no matches | Exclude from XP acknowledgements |
| `swift-numerics` | No – scoped to math assistant tooling (`Packages/GNMathAssistant/Package.swift:34`), not in XP resolution list | `rg "swift-numerics" Crossplatform/Package.resolved` → no matches | Exclude |
| `swift-system` | No – used by `Web/good-performance/Package.swift:54` for internal tooling, not part of WASM build | No entry in `Crossplatform/Package.resolved` | Exclude |
| `swift-snapshot-testing`, `swift-case-paths`, `swift-custom-dump` | Test-only – imported under `CommonSwift/*/Tests` targets with platform conditions excluding WASM (`CommonSwift/GNTextEditor/Package.swift:89-138`, `CommonSwift/CommonRTC/Package.swift:167-205`) | Conditional `.when(platforms: [.iOS, .macOS, .macCatalyst])` ensures they are not linked into the WASM targets | Exclude |
| `SwiftGenPlugin` | Build-time only for asset/code generation in native apps (`GN6iOSUI/Package.swift:31`, `Packages/GN6DesignSystem/Package.swift:15`) | No presence in XP manifest | Exclude |
| `package-benchmark`, `HdrHistogram` | Benchmark tooling executed outside production builds (`CommonSwift/GNTextEditor/Package.swift:107-138`) | Not referenced by XP executable targets | Exclude |
| `fast_bezier`, `fast_bezier_c`, `gnyjs`, `gn_crossplatform_rust` | Goodnotes-owned crates bundled via `Crossplatform/rustlib/Cargo.toml:8-14` | Internal repos / path dependencies; no third-party license obligations discovered | Treat as internal (no external acknowledgement) |
| `uniffi_automerge` | Yes – Rust bridge for `automerge-swift` | MIT license inherited from upstream automerge (already acknowledged in Swift section) | Ensure existing MIT notice covers both Swift and Rust layers |

- Pull verbatim license/NOTICE text for every shipping SwiftPM dependency and merge into the iOS-style acknowledgement draft.
- Run `yarn licenses generate-disclaimer` (or equivalent) in `CrossplatformWeb` to collect full license text for all production JS packages, including Mermaid. The code base (`CrossplatformWeb/src/ffa/tools/diagram/swiftmermaid-bootstrap.ts`) imports both `mermaid` and `@mermaid-js/layout-tidy-tree`, so their MIT license must appear in the final acknowledgements.
- Resolve any `NOASSERTION` entries in `codex-crossplatform-rust-crates.md` by inspecting the corresponding crates and capturing their declared licenses.
- Keep the audit artifacts (`codex-*`) in sync with dependency bumps; re-run scans whenever `Package.resolved`, `Cargo.lock`, or `package.json` changes.
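
The `Package.resolved` membership check cited as evidence in the table, done on parsed package identities instead of a text search so that substring hits cannot count as matches. This is an added example, not part of the audit's own tooling: the sample lockfile is constructed with placeholder URLs and versions, and the `triage` helper and its `test_only` list are hypothetical. A pinned package can still be test-only (as with `Nimble`), so that list has to come from reviewing the `Package.swift` targets.

```python
import json

# Constructed Package.resolved (v2 layout); locations, revisions and versions are placeholders.
SAMPLE_RESOLVED = json.dumps({
    "version": 2,
    "pins": [
        {"identity": "automerge-swift", "kind": "remoteSourceControl",
         "location": "https://example.invalid/automerge-swift.git",
         "state": {"revision": "<revision>", "version": "0.0.0"}},
        {"identity": "nimble", "kind": "remoteSourceControl",
         "location": "https://example.invalid/Nimble.git",
         "state": {"revision": "<revision>", "version": "0.0.0"}},
    ],
})

def identity_from_url(url):
    """SwiftPM identity: last path component, lower-cased, without '.git'."""
    name = url.rstrip("/").rsplit("/", 1)[-1]
    return (name[:-4] if name.endswith(".git") else name).lower()

def resolved_identities(text):
    """Return the set of remote package identities pinned in Package.resolved."""
    doc = json.loads(text)
    if "object" in doc:  # version 1 layout: pins nested under "object", no "kind"
        return {identity_from_url(p["repositoryURL"]) for p in doc["object"]["pins"]}
    return {p["identity"].lower() for p in doc.get("pins", [])
            if p.get("kind") == "remoteSourceControl"}

def triage(candidates, resolved_text, test_only=()):
    """Map each candidate to 'include', 'exclude: test-only' or 'exclude: not resolved'."""
    resolved = resolved_identities(resolved_text)
    test_only = {t.lower() for t in test_only}
    verdicts = {}
    for name in candidates:
        key = name.lower()
        if key not in resolved:
            verdicts[name] = "exclude: not resolved"
        elif key in test_only:
            verdicts[name] = "exclude: test-only"
        else:
            verdicts[name] = "include"
    return verdicts

if __name__ == "__main__":
    # test_only comes from manual review of Package.swift targets, not from the lockfile.
    candidates = ["automerge-swift", "swift-atomics", "swift-numerics", "Nimble"]
    for pkg, verdict in triage(candidates, SAMPLE_RESOLVED, test_only=["Nimble"]).items():
        print(f"{pkg:20} {verdict}")
```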