From 2a44ee9d5c146851e01bee28de82a144b7e9be18 Mon Sep 17 00:00:00 2001
From: Mac Lockard
Date: Wed, 21 Jan 2026 16:59:50 -0700
Subject: [PATCH] Add license exception for `@img/sharp-libvips-linuxmusl-*` due to `LGPL-3.0-or-later`
---
 .github/workflows/dependency-review.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index bc4dc6e..62856f6 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -80,6 +80,7 @@ jobs:
 # (https://github.com/clearlydefined/curated-data/pull/32066)
 # npm/bignumber.js: ClearlyDefined error showing inaccurate license
 # pypi/chardet: LGPL-2.1-or-later -- only approving as a one-off
+ # npm/@img/sharp*: LGPL-3.0-or-later -- only approving as a one-off; for local dev using claude code
 allow-dependencies-licenses: >-
 pkg:npm/@lancedb/lancedb,
 pkg:npm/@lancedb/lancedb-darwin-arm64,
@@ -104,7 +105,9 @@ jobs:
 pkg:maven/com.google.errorprone/error_prone_annotations,
 pkg:npm/canvas,
 pkg:npm/bignumber.js,
- pkg:pypi/chardet
+ pkg:pypi/chardet,
+ pkg:npm/@img/sharp-libvips-linuxmusl-arm64,
+ pkg:npm/@img/sharp-libvips-linuxmusl-x64
 # Known vulnerabilities we're ok with ignoring.
 # These are generally because they are in an older python kernel
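Review bot: The added comment names `npm/@img/sharp*`, but the allow list in the second hunk exempts only `sharp-libvips-linuxmusl-arm64` and `sharp-libvips-linuxmusl-x64`, so the comment reads as a broader approval than the one actually granted. I would name the two packages and record what pulls them in, for example `# npm/@img/sharp-libvips-linuxmusl-{arm64,x64}: LGPL-3.0-or-later -- one-off; transitive, local dev tooling only`. The "local dev tooling only" wording is inferred from the existing comment and should be confirmed before it is written down as the justification. The comment block and the `allow-dependencies-licenses` list both continue outside this hunk.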
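Review bot: The two new purls carry no version, so, like the existing entries, they presumably take these packages out of the license check for every future release rather than only the one reviewed here. A later licence change in either package would then pass unnoticed, which does not fit the "one-off" wording in the comment. If the action honours a version in the purl, pinning the reviewed release would scope the exception. Otherwise a note next to the entry such as `# reviewed at <VERSION>; re-check on sharp upgrade` would keep it auditable. It is also worth confirming that these prebuilt binaries are not redistributed in any built artifact, since the stated justification rests on local-dev use only.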