From 3c91b496c99e9135d92c28dea128ac15676aae49 Mon Sep 17 00:00:00 2001
From: Jeff Robertson
Date: Wed, 28 Jan 2026 15:46:41 -0500
Subject: [PATCH 1/2] allow pypi packages in python3.12 kernel
---
 .github/workflows/dependency-review.yml | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 62856f6..4e84fc6 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -81,6 +81,14 @@ jobs:
 # npm/bignumber.js: ClearlyDefined error showing inaccurate license
 # pypi/chardet: LGPL-2.1-or-later -- only approving as a one-off
 # npm/@img/sharp*: LGPL-3.0-or-later -- only approving as a one-off; for local dev using claude code
+ # pypi/protobuf: BSD-3-Clause AND LicenseRef-scancode-protobuf -- permitted for standard usage
+ # pypi/aiohappyeyeballs: 0BSD AND BSD-3-Clause AND others -- permitted for standard usage
+ # pypi/fonttools: Apache-2.0 AND BSD-3-Clause AND MIT AND OFL-1.1 -- permitted for standard usage
+ # pypi/psycopg2: LGPL-2.0-or-later AND LGPL-3.0-or-later -- approving as a one-off
+ # pypi/pyproj: LicenseRef-scancode-us-govt-public-domain AND MIT -- permitted for standard usage
+ # pypi/pytz: MIT AND ZPL-2.1 -- permitted for standard usage
+ # pypi/shapely: BSD-3-Clause AND LGPL-2.1-only -- approving as a one-off
+ # pypi/typing-extensions: Python-2.0 AND GPL-1.0-or-later AND others -- permitted for standard usage
 allow-dependencies-licenses: >-
 pkg:npm/@lancedb/lancedb,
 pkg:npm/@lancedb/lancedb-darwin-arm64,
@@ -107,7 +115,15 @@ jobs:
 pkg:npm/bignumber.js,
 pkg:pypi/chardet,
 pkg:npm/@img/sharp-libvips-linuxmusl-arm64,
- pkg:npm/@img/sharp-libvips-linuxmusl-x64
+ pkg:npm/@img/sharp-libvips-linuxmusl-x64,
+ pkg:pypi/protobuf,
+ pkg:pypi/aiohappyeyeballs,
+ pkg:pypi/fonttools,
+ pkg:pypi/psycopg2,
+ pkg:pypi/pyproj,
+ pkg:pypi/pytz,
+ pkg:pypi/shapely,
+ pkg:pypi/typing-extensions
 # Known vulnerabilities we're ok with ignoring.
 # These are generally because they are in an older python kernel
From 7cf6f756f04c945eb3b1ef6a0888e1c5b83d7160 Mon Sep 17 00:00:00 2001
From: Reed Loden
Date: Wed, 28 Jan 2026 17:15:29 -0800
Subject: [PATCH 2/2] Add several new licenses and clean-up some exceptions
---
 .github/workflows/dependency-review.yml | 22 ++++++++-------------
 1 file changed, 8 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 4e84fc6..54f8203 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -50,16 +50,20 @@ jobs:
 CC0-1.0,
 EPL-2.0,
 ISC,
- LicenseRef-scancode-public-domain,
 LicenseRef-scancode-generic-cla,
+ LicenseRef-scancode-protobuf,
+ LicenseRef-scancode-public-domain,
+ LicenseRef-scancode-us-govt-public-domain,
 MIT,
 MIT-0,
 MPL-2.0,
+ OFL-1.1,
 PSF-2.0,
 Python-2.0,
 Python-2.0.1,
 Unlicense,
 WTFPL,
+ ZPL-2.1,
 Zlib
 # npm/@lancedb/lancedb*: Temporary addition due to upstream non-compliance with SPDX
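Review bot: The eight `pkg:pypi/...` entries added to `allow-dependencies-licenses` carry no version, so if the action matches an unversioned PURL against any release of the package (as it appears to), each exemption persists indefinitely, which sits oddly with the "approving as a one-off" rationale recorded for psycopg2 and shapely in the companion comment hunk. Pinning the one-offs, e.g. `pkg:pypi/psycopg2@<version from the kernel's lockfile>`, would force the exception to be re-reviewed on the next upgrade; the placeholder stands for the version actually shipped. The exemption is also workflow-wide rather than limited to the Python 3.12 kernel named in the subject, as far as this hunk shows, so that scope is worth stating in the comment block. Only the license check is bypassed here; the `# Known vulnerabilities` block that follows is a separate list.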
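Review bot: `OFL-1.1`, `ZPL-2.1`, `LicenseRef-scancode-protobuf` and `LicenseRef-scancode-us-govt-public-domain` are added to the global `allow-licenses` list, which accepts them for every future dependency in every ecosystem, whereas the previous commit scoped the same licenses to fonttools, pytz, protobuf and pyproj as per-package exceptions; the list carries no rationale, unlike the per-package block below it. A comment above the list recording that decision would help the next reviewer, e.g. `# OFL-1.1, ZPL-2.1, LicenseRef-scancode-protobuf/us-govt-public-domain: added for fonttools, pytz, protobuf, pyproj; accepted for any dependency`. The `LicenseRef-scancode-*` identifiers are scanner-specific detections rather than SPDX-listed licenses, and the two public-domain ones in particular cover a broad range of dedication texts, so they merit that note most. `LicenseRef-scancode-public-domain` is only moved to its sorted position, not changed.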
@@ -81,14 +85,9 @@ jobs:
 # npm/bignumber.js: ClearlyDefined error showing inaccurate license
 # pypi/chardet: LGPL-2.1-or-later -- only approving as a one-off
 # npm/@img/sharp*: LGPL-3.0-or-later -- only approving as a one-off; for local dev using claude code
- # pypi/protobuf: BSD-3-Clause AND LicenseRef-scancode-protobuf -- permitted for standard usage
- # pypi/aiohappyeyeballs: 0BSD AND BSD-3-Clause AND others -- permitted for standard usage
- # pypi/fonttools: Apache-2.0 AND BSD-3-Clause AND MIT AND OFL-1.1 -- permitted for standard usage
- # pypi/psycopg2: LGPL-2.0-or-later AND LGPL-3.0-or-later -- approving as a one-off
- # pypi/pyproj: LicenseRef-scancode-us-govt-public-domain AND MIT -- permitted for standard usage
- # pypi/pytz: MIT AND ZPL-2.1 -- permitted for standard usage
- # pypi/shapely: BSD-3-Clause AND LGPL-2.1-only -- approving as a one-off
- # pypi/typing-extensions: Python-2.0 AND GPL-1.0-or-later AND others -- permitted for standard usage
+ # pypi/psycopg2: LGPL-2.0-or-later AND LGPL-3.0-or-later -- only approving as a one-off
+ # pypi/shapely: LGPL-2.1-only -- only approving as a one-off
+ # pypi/typing-extensions: License detection is wrong (not GPL)
 allow-dependencies-licenses: >-
 pkg:npm/@lancedb/lancedb,
 pkg:npm/@lancedb/lancedb-darwin-arm64,
@@ -116,12 +115,7 @@ jobs:
 pkg:pypi/chardet,
 pkg:npm/@img/sharp-libvips-linuxmusl-arm64,
 pkg:npm/@img/sharp-libvips-linuxmusl-x64,
- pkg:pypi/protobuf,
- pkg:pypi/aiohappyeyeballs,
- pkg:pypi/fonttools,
 pkg:pypi/psycopg2,
- pkg:pypi/pyproj,
- pkg:pypi/pytz,
 pkg:pypi/shapely,
 pkg:pypi/typing-extensions
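Review bot: The new `# pypi/typing-extensions: License detection is wrong (not GPL)` line records a data error rather than a policy decision, yet the matching unversioned `pkg:pypi/typing-extensions` exemption in the second hunk has no removal condition, so the package stays outside the license check even after the upstream license data is corrected; `# npm/bignumber.js: ClearlyDefined error ...` has the same shape. typing-extensions is distributed under PSF-2.0, which is already in `allow-licenses`, so the exemption is only needed until detection is fixed; I would write `# pypi/typing-extensions: License detection is wrong (not GPL; actually PSF-2.0) -- remove once the upstream license data is corrected`. The rewritten shapely line also drops the `BSD-3-Clause AND` part of the expression the earlier wording gave; keeping the full detected expression leaves the approval auditable.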