Add license exception for @img/sharp-libvips-linuxmusl-* due to LGPL-3.0-or-later #33
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| pkg:pypi/chardet | ||
| pkg:pypi/chardet, | ||
| pkg:npm/@img/sharp-libvips-linuxmusl-arm64, | ||
| pkg:npm/@img/sharp-libvips-linuxmusl-x64 |
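Review bot: the two added purls name exact packages (linuxmusl-arm64 and linuxmusl-x64) with no version and no note of why they are exempt, so each entry is keyed on the package name alone. Record the license (LGPL-3.0-or-later) and the reason for the exemption in a comment next to these entries, and check the list against the variants that actually resolve in the lockfile, since the PR title describes the set as linuxmusl-* while only two names are listed.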
Missing platform variants for sharp license exceptions
Low Severity
The comment at line 83 says npm/@img/sharp* implying all sharp packages need license exceptions, but only two linuxmusl variants are added to allow-dependencies-licenses. The @img/sharp-libvips-* packages exist for multiple platforms (darwin-arm64, darwin-x64, linux-arm64, linux-x64, win32-x64, etc.) that all likely have the same LGPL-3.0-or-later license. The lancedb entry in this same file demonstrates the pattern of listing all platform variants. If the dependency review encounters non-linuxmusl variants in the lockfile, those would fail the license check.
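One way to check the gap raised in the comment above before the dependency review runs, as an added example that is not part of the PR or of the Bugbot output. It assumes an npm `package-lock.json` v3 layout; the lockfile excerpt, versions and the `example-*` names are constructed, and the function names are hypothetical.

```javascript
// Added example, not code from the PR. Lockfile excerpt and versions are constructed.
// The allow list mirrors the entries visible in the diff above.
const ALLOWED = [
  "pkg:pypi/chardet",
  "pkg:npm/@img/sharp-libvips-linuxmusl-arm64",
  "pkg:npm/@img/sharp-libvips-linuxmusl-x64",
];

// Constructed excerpt in npm package-lock.json v3 layout ("packages" keyed by install path).
const lgpl = { version: "0.0.0-sample", license: "LGPL-3.0-or-later", optional: true };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "0.0.0-sample" },
    "node_modules/@img/sharp-libvips-linuxmusl-x64": lgpl,
    "node_modules/@img/sharp-libvips-linux-x64": lgpl,
    "node_modules/@img/sharp-libvips-darwin-arm64": lgpl,
    // Nested copy of the same package: must be reported once, not twice.
    "node_modules/example-tool/node_modules/@img/sharp-libvips-linux-x64": lgpl,
    "node_modules/example-tool": { version: "0.0.0-sample", license: "MIT" },
  },
};

// Turn an install path into a purl written the same way as the PR's entries.
function toPurl(installPath) {
  const marker = "node_modules/";
  return "pkg:npm/" + installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

// Return sorted purls of locked packages under `license` that the allow list does not cover.
function findUncovered(lock, allowedPurls, license) {
  const allowed = new Set(allowedPurls);
  const uncovered = new Set();
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === "" || meta.license !== license) continue;
    const purl = toPurl(installPath);
    if (!allowed.has(purl)) uncovered.add(purl);
  }
  return [...uncovered].sort();
}

// Allow-list entries that match nothing in the lockfile (stale, or for a platform not locked).
function findUnused(lock, allowedPurls) {
  const locked = new Set(Object.keys(lock.packages || {}).filter(Boolean).map(toPurl));
  return allowedPurls.filter((p) => p.startsWith("pkg:npm/") && !locked.has(p));
}

console.log("uncovered:", findUncovered(SAMPLE_LOCK, ALLOWED, "LGPL-3.0-or-later"));
console.log("unused:", findUnused(SAMPLE_LOCK, ALLOWED));
```

Run against the real lockfile, a non-empty `uncovered` list names the platform variants that would still fail the license check, and `unused` names exemptions that no locked package needs.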
Description
Motivated by https://github.com/hex-inc/hex/pull/38936. These dependencies are needed for Claude Code, a dev-only dependency.
Testing