From e77dd74a70e105f6099a001eeefed5df3023ab0f Mon Sep 17 00:00:00 2001
From: Declan Carroll
Date: Wed, 10 Jun 2026 08:47:53 +0100
Subject: [PATCH] fix: Move unstable PURL-pinned overrides to version-agnostic byName (#31985)
Co-authored-by: Claude Sonnet 4.6 (1M context)
---
 scripts/licenses/license-overrides.json | 21 ++++++++------------
 scripts/licenses/render-licenses-md.test.mjs | 3 ---
 2 files changed, 8 insertions(+), 16 deletions(-)
diff --git a/scripts/licenses/license-overrides.json b/scripts/licenses/license-overrides.json
index 2f77bcf6a33..cdbbff19e5c 100644
--- a/scripts/licenses/license-overrides.json
+++ b/scripts/licenses/license-overrides.json
@@ -1,11 +1,6 @@
 {
 "_comment": "Hand-resolved licenses for packages cdxgen + FETCH_LICENSE cannot resolve. 'overrides' are PURL-pinned (pkg:npm/@, exact match) and drive the release-closure SBOM — a pin that stops matching fails loudly so the license is re-verified on the bump. 'byName' is version-agnostic (keyed by package name) for licenses stable across versions; it resolves the same package at whatever version a container image installed (e.g. ssh2 ships both 1.15.0 and 1.16.0 in the image, both MIT). 'elections' record which license n8n elects for a validly dual-licensed (OR) dependency so a copyleft policy gate reads the elected term. 'source' records where each was verified. Optional 'skipDiskText: true' opts out of on-disk LICENSE text lookup when the file disagrees with the overridden id.",
 "overrides": {
- "pkg:npm/wa-sqlite@1.0.9": {
- "license": "MIT",
- "source": "https://github.com/rhashimoto/wa-sqlite — LICENSE file in published tarball confirms MIT. Package is installed via GitHub tarball URL so npm registry metadata is absent; no license field in package.json.",
- "skipDiskText": true
- },
 "pkg:npm/nub@0.0.0": {
 "license": "MIT",
 "source": "https://www.npmjs.com/package/nub — package.json declares non-SPDX 'MIT/X11'; X11 is the historical alias for the MIT license. Normalised to the canonical SPDX id."
@@ -18,10 +13,6 @@
 "license": "BSD-2-Clause",
 "source": "compiled/node_modules/duck/LICENSE — 2-clause BSD text (Copyright 2013 Michael Williamson; no 'neither the name ... endorse' clause). package.json declares bare 'BSD'; resolved to the matching SPDX variant."
 },
- "pkg:npm/%40rudderstack/rudder-sdk-node@3.0.5": {
- "license": "MIT",
- "source": "compiled/node_modules/@rudderstack/rudder-sdk-node/LICENSE.md — verbatim MIT (Copyright Segment Inc.), no license field in package.json"
- },
 "pkg:npm/%40ewoudenberg/difflib@0.1.0": {
 "license": "Python-2.0",
 "source": "https://github.com/ewoudenberg/difflib.js — package.json declares legacy licenses[] array with PSF type, http://docs.python.org/license.html"
@@ -46,10 +37,6 @@
 "license": "MIT",
 "source": "compiled/node_modules/seq-queue/LICENSE — verbatim MIT, no license field in package.json"
 },
- "pkg:npm/ssh2@1.15.0": {
- "license": "MIT",
- "source": "compiled/node_modules/ssh2/LICENSE — package.json uses legacy licenses[] array"
- },
 "pkg:npm/streamsearch@1.1.0": {
 "license": "MIT",
 "source": "compiled/node_modules/streamsearch/LICENSE — package.json uses legacy licenses[] array"
@@ -64,6 +51,14 @@
 "license": "MIT",
 "source": "compiled/node_modules/ssh2/LICENSE — MIT; package.json uses a legacy licenses[] array so cdxgen leaves it unresolved. Version-agnostic: a container image can install more than one ssh2 (e.g. 1.15.0 and 1.16.0 side by side), and the license is MIT across versions."
 },
+ "@rudderstack/rudder-sdk-node": {
+ "license": "MIT",
+ "source": "compiled/node_modules/@rudderstack/rudder-sdk-node/LICENSE.md — verbatim MIT (Copyright Segment Inc.), no license field in package.json. Version-agnostic: the package appears at multiple versions in the lockfile (direct dep + peer-dep resolution) and is actively maintained; name-keyed matching avoids version-pin drift."
+ },
+ "wa-sqlite": {
+ "license": "MIT",
+ "source": "https://github.com/rhashimoto/wa-sqlite — LICENSE file in published tarball confirms MIT. Package is installed via GitHub tarball URL so npm registry metadata is absent; no license field in package.json. Version-agnostic: the PURL emitted by cdxgen for tarball installs can vary (version field vs. commit SHA vs. qualifiers) depending on lockfile format and cdxgen version; name-keyed matching is stable across those variations."
+ },
 "@n8n_io/license-sdk": {
 "license": "LicenseRef-n8n-enterprise",
 "source": "n8n-io/license-management — ships LICENSE_EE.md (n8n Enterprise License). EE-only runtime component; not under the Sustainable Use License. Version-agnostic: license is stable across SDK versions. FIRST_PARTY_PATTERNS would otherwise incorrectly stamp it as LicenseRef-n8n-sustainable-use.",
diff --git a/scripts/licenses/render-licenses-md.test.mjs b/scripts/licenses/render-licenses-md.test.mjs
index 8d49a41a4d1..7169bd7a285 100644
--- a/scripts/licenses/render-licenses-md.test.mjs
+++ b/scripts/licenses/render-licenses-md.test.mjs
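Review bot: The `source` text of the new `@rudderstack/rudder-sdk-node` entry justifies name-keyed matching with "actively maintained" and "avoids version-pin drift", which is the opposite of what the file's own `_comment` reserves `byName` for (licenses stable across versions, with PURL pins that fail loudly so a bump forces re-verification). An actively maintained package is precisely the one whose license can change on a bump, and a name-keyed override would then silently stamp the new version MIT in the release SBOM. Consider keeping this one PURL-pinned, or at least recording what was actually checked in `source`, e.g. `… Version-agnostic: verified MIT at 3.0.5 and <other-installed-version>; re-verify on major bumps.` The removed `pkg:npm/wa-sqlite@1.0.9` override in the first hunk carried `"skipDiskText": true`, but the new `wa-sqlite` entry here drops it, and the `_comment` does not say whether `byName` honours that flag, so confirm the on-disk LICENSE lookup now agrees with MIT or add the flag back. The enclosing object opens and closes outside this hunk (presumably the `byName` block named in the subject).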
@@ -361,20 +361,17 @@ describe('renderSbom — edge cases', () => {
 it('all documented overrides resolve to zero unresolved (end-to-end)', async () => {
 const purls = [
- 'pkg:npm/%40rudderstack/rudder-sdk-node@3.0.5',
 'pkg:npm/%40ewoudenberg/difflib@0.1.0',
 'pkg:npm/binascii@0.0.2',
 'pkg:npm/busboy@1.6.0',
 'pkg:npm/imap@0.8.19',
 'pkg:npm/js-nacl@1.4.0',
 'pkg:npm/seq-queue@0.0.5',
- 'pkg:npm/ssh2@1.15.0',
 'pkg:npm/streamsearch@1.1.0',
 'pkg:npm/utf7@1.0.2',
 'pkg:npm/nub@0.0.0',
 'pkg:npm/xml-escape@1.1.0',
 'pkg:npm/duck@0.1.12',
- 'pkg:npm/wa-sqlite@1.0.9',
 ];
 const sbom = {
 components: purls.map((purl) => {