mirror of
https://github.com/n8n-io/n8n.git
synced 2026-06-19 07:36:52 +00:00
fix: Move unstable PURL-pinned overrides to version-agnostic byName (#31985)
Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Declan Carroll
@@ -1,11 +1,6 @@
|
||||
{
|
||||
"_comment": "Hand-resolved licenses for packages cdxgen + FETCH_LICENSE cannot resolve. 'overrides' are PURL-pinned (pkg:npm/<name>@<version>, exact match) and drive the release-closure SBOM — a pin that stops matching fails loudly so the license is re-verified on the bump. 'byName' is version-agnostic (keyed by package name) for licenses stable across versions; it resolves the same package at whatever version a container image installed (e.g. ssh2 ships both 1.15.0 and 1.16.0 in the image, both MIT). 'elections' record which license n8n elects for a validly dual-licensed (OR) dependency so a copyleft policy gate reads the elected term. 'source' records where each was verified. Optional 'skipDiskText: true' opts out of on-disk LICENSE text lookup when the file disagrees with the overridden id.",
|
||||
"overrides": {
|
||||
"pkg:npm/wa-sqlite@1.0.9": {
|
||||
"license": "MIT",
|
||||
"source": "https://github.com/rhashimoto/wa-sqlite — LICENSE file in published tarball confirms MIT. Package is installed via GitHub tarball URL so npm registry metadata is absent; no license field in package.json.",
|
||||
"skipDiskText": true
|
||||
},
|
||||
"pkg:npm/nub@0.0.0": {
|
||||
"license": "MIT",
|
||||
"source": "https://www.npmjs.com/package/nub — package.json declares non-SPDX 'MIT/X11'; X11 is the historical alias for the MIT license. Normalised to the canonical SPDX id."
|
||||
@@ -18,10 +13,6 @@
|
||||
"license": "BSD-2-Clause",
|
||||
"source": "compiled/node_modules/duck/LICENSE — 2-clause BSD text (Copyright 2013 Michael Williamson; no 'neither the name ... endorse' clause). package.json declares bare 'BSD'; resolved to the matching SPDX variant."
|
||||
},
|
||||
"pkg:npm/%40rudderstack/rudder-sdk-node@3.0.5": {
|
||||
"license": "MIT",
|
||||
"source": "compiled/node_modules/@rudderstack/rudder-sdk-node/LICENSE.md — verbatim MIT (Copyright Segment Inc.), no license field in package.json"
|
||||
},
|
||||
"pkg:npm/%40ewoudenberg/difflib@0.1.0": {
|
||||
"license": "Python-2.0",
|
||||
"source": "https://github.com/ewoudenberg/difflib.js — package.json declares legacy licenses[] array with PSF type, http://docs.python.org/license.html"
|
||||
@@ -46,10 +37,6 @@
|
||||
"license": "MIT",
|
||||
"source": "compiled/node_modules/seq-queue/LICENSE — verbatim MIT, no license field in package.json"
|
||||
},
|
||||
"pkg:npm/ssh2@1.15.0": {
|
||||
"license": "MIT",
|
||||
"source": "compiled/node_modules/ssh2/LICENSE — package.json uses legacy licenses[] array"
|
||||
},
|
||||
"pkg:npm/streamsearch@1.1.0": {
|
||||
"license": "MIT",
|
||||
"source": "compiled/node_modules/streamsearch/LICENSE — package.json uses legacy licenses[] array"
|
||||
@@ -64,6 +51,14 @@
|
||||
"license": "MIT",
|
||||
"source": "compiled/node_modules/ssh2/LICENSE — MIT; package.json uses a legacy licenses[] array so cdxgen leaves it unresolved. Version-agnostic: a container image can install more than one ssh2 (e.g. 1.15.0 and 1.16.0 side by side), and the license is MIT across versions."
|
||||
},
|
||||
"@rudderstack/rudder-sdk-node": {
|
||||
"license": "MIT",
|
||||
"source": "compiled/node_modules/@rudderstack/rudder-sdk-node/LICENSE.md — verbatim MIT (Copyright Segment Inc.), no license field in package.json. Version-agnostic: the package appears at multiple versions in the lockfile (direct dep + peer-dep resolution) and is actively maintained; name-keyed matching avoids version-pin drift."
|
||||
},
|
||||
"wa-sqlite": {
|
||||
"license": "MIT",
|
||||
"source": "https://github.com/rhashimoto/wa-sqlite — LICENSE file in published tarball confirms MIT. Package is installed via GitHub tarball URL so npm registry metadata is absent; no license field in package.json. Version-agnostic: the PURL emitted by cdxgen for tarball installs can vary (version field vs. commit SHA vs. qualifiers) depending on lockfile format and cdxgen version; name-keyed matching is stable across those variations."
|
||||
},
|
||||
"@n8n_io/license-sdk": {
|
||||
"license": "LicenseRef-n8n-enterprise",
|
||||
"source": "n8n-io/license-management — ships LICENSE_EE.md (n8n Enterprise License). EE-only runtime component; not under the Sustainable Use License. Version-agnostic: license is stable across SDK versions. FIRST_PARTY_PATTERNS would otherwise incorrectly stamp it as LicenseRef-n8n-sustainable-use.",
|
||||
|
||||
@@ -361,20 +361,17 @@ describe('renderSbom — edge cases', () => {
|
||||
|
||||
it('all documented overrides resolve to zero unresolved (end-to-end)', async () => {
|
||||
const purls = [
|
||||
'pkg:npm/%40rudderstack/rudder-sdk-node@3.0.5',
|
||||
'pkg:npm/%40ewoudenberg/difflib@0.1.0',
|
||||
'pkg:npm/binascii@0.0.2',
|
||||
'pkg:npm/busboy@1.6.0',
|
||||
'pkg:npm/imap@0.8.19',
|
||||
'pkg:npm/js-nacl@1.4.0',
|
||||
'pkg:npm/seq-queue@0.0.5',
|
||||
'pkg:npm/ssh2@1.15.0',
|
||||
'pkg:npm/streamsearch@1.1.0',
|
||||
'pkg:npm/utf7@1.0.2',
|
||||
'pkg:npm/nub@0.0.0',
|
||||
'pkg:npm/xml-escape@1.1.0',
|
||||
'pkg:npm/duck@0.1.12',
|
||||
'pkg:npm/wa-sqlite@1.0.9',
|
||||
];
|
||||
const sbom = {
|
||||
components: purls.map((purl) => {
|
||||
|
||||
Reference in New Issue
Block a user