Skip to content

Commit 74a9b75

Browse files
authored
Merge pull request #71 from symonbaikov/fix/dark-mode-remaining-light-areas
chore: tighten dependency license scan
2 parents 4afba3c + b80564c commit 74a9b75

18 files changed

Lines changed: 31 additions & 700 deletions

.github/workflows/ci.yml

Lines changed: 28 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -368,9 +368,12 @@ jobs:
368368
needs: [lint, typecheck]
369369
env:
370370
ALLOWED_LICENSES: >-
371-
MIT;MIT*;Apache-2.0;ISC;BSD;BSD*;BSD-2-Clause;BSD-3-Clause;0BSD;Unlicense;UNLICENSED;
372-
Python-2.0;BlueOak-1.0.0;LGPL;LGPL-2.1;LGPL-3.0;LGPL-3.0-or-later;CC0-1.0;CC-BY-4.0;
373-
(MIT AND Zlib);(MIT AND BSD-3-Clause);(BSD-3-Clause OR GPL-2.0);(AFL-2.1 OR BSD-3-Clause)
371+
MIT;MIT*;MIT-0;Apache-2.0;ISC;BSD;BSD*;BSD-2-Clause;BSD-3-Clause;0BSD;Unlicense;
372+
Python-2.0;BlueOak-1.0.0;LGPL;LGPL-2.1;LGPL-3.0;LGPL-3.0-or-later;MPL-2.0;CC0-1.0;CC-BY-4.0;WTFPL;
373+
(MIT OR Apache-2.0);(MIT OR CC0-1.0);(MIT OR EUPL-1.1+);(WTFPL OR MIT);(WTFPL OR ISC);
374+
(BSD-2-Clause OR MIT OR Apache-2.0);(MIT AND Zlib);(MIT AND BSD-3-Clause);(MIT OR GPL-3.0-or-later);
375+
(BSD-3-Clause OR GPL-2.0);(AFL-2.1 OR BSD-3-Clause);(Apache-2.0 AND LGPL-3.0-or-later);
376+
(Apache-2.0 AND LGPL-3.0-or-later AND MIT)
374377
steps:
375378
- name: Checkout
376379
uses: actions/checkout@v4
@@ -385,25 +388,45 @@ jobs:
385388
cache-dependency-path: |
386389
package-lock.json
387390
backend/package-lock.json
391+
electron/package-lock.json
388392
frontend/package-lock.json
393+
website/package-lock.json
394+
395+
- name: Install root deps (no scripts)
396+
run: npm ci --ignore-scripts
389397

390398
- name: Install backend deps (no scripts)
391399
run: npm ci --prefix backend --ignore-scripts
392400

401+
- name: Install electron deps (no scripts)
402+
run: npm ci --prefix electron --ignore-scripts
403+
393404
- name: Install frontend deps (no scripts)
394405
run: npm ci --prefix frontend --ignore-scripts
395406

407+
- name: Install website deps (no scripts)
408+
run: npm ci --prefix website --ignore-scripts
409+
396410
- name: Backend audit (high/critical)
397411
run: npx audit-ci@9.4.0 --config backend/audit-ci.json --package-manager npm --path backend
398412

399413
- name: Frontend audit (high/critical)
400414
run: npm audit --audit-level=high --prefix frontend
401415

416+
- name: Root license compliance
417+
run: npx license-checker@25.0.1 --excludePrivatePackages --onlyAllow "$ALLOWED_LICENSES" --start .
418+
402419
- name: Backend license compliance
403-
run: npx license-checker@25.0.1 --production --onlyAllow "$ALLOWED_LICENSES" --start backend
420+
run: npx license-checker@25.0.1 --excludePrivatePackages --onlyAllow "$ALLOWED_LICENSES" --start backend
421+
422+
- name: Electron license compliance
423+
run: npx license-checker@25.0.1 --excludePackages lumio-desktop@1.0.0 --onlyAllow "$ALLOWED_LICENSES" --start electron
404424

405425
- name: Frontend license compliance
406-
run: npx license-checker@25.0.1 --production --onlyAllow "$ALLOWED_LICENSES" --start frontend
426+
run: npx license-checker@25.0.1 --excludePrivatePackages --onlyAllow "$ALLOWED_LICENSES" --start frontend
427+
428+
- name: Website license compliance
429+
run: npx license-checker@25.0.1 --excludePrivatePackages --onlyAllow "$ALLOWED_LICENSES" --start website
407430

408431
secrets-scan:
409432
runs-on: ubuntu-latest

docs/security/ALLOWLISTS.md

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -12,9 +12,8 @@ Configured in `backend/audit-ci.json` and used by `dependency-scan` job:
1212

1313
## License exceptions
1414

15-
`dependency-scan` runs license checks with a permissive allowlist that currently permits LGPL artifacts required by the build:
15+
`dependency-scan` runs license checks for dependencies in all npm package roots, including dev dependencies. The allowlist only permits open-source licenses and intentionally excludes `UNLICENSED` dependency packages.
1616

17-
- `pdf2json` (LGPL) transitively pulled by `pdf2table` in the backend.
18-
- `@img/sharp-libvips-*` (LGPL) required by Next.js image pipeline.
17+
- `@img/sharp-libvips-*` (LGPL) required by `sharp`/Next.js image processing.
1918

20-
If licensing requirements change, adjust the `ALLOWED_LICENSES` string in `.github/workflows/ci.yml` and tighten/removing these exceptions.
19+
If licensing requirements change, adjust the `ALLOWED_LICENSES` string in `.github/workflows/ci.yml` and tighten/remove these exceptions.

knip.json

Lines changed: 0 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -254,27 +254,6 @@
254254
"sidebars.*"
255255
]
256256
}
257-
},
258-
"react-email-starter": {
259-
"entry": [
260-
"emails/**/*.{ts,tsx}",
261-
"components/**/*.{ts,tsx}",
262-
"package.json"
263-
],
264-
"project": [
265-
"**/*.{ts,tsx,js,jsx}"
266-
],
267-
"ignoreBinaries": [
268-
"email"
269-
],
270-
"ignoreDependencies": [
271-
"react",
272-
"react-dom",
273-
"react-email",
274-
"@react-email/preview-server",
275-
"@types/react",
276-
"@types/react-dom"
277-
]
278257
}
279258
},
280259
"tags": [

react-email-starter/emails/notion-magic-link.tsx

Lines changed: 0 additions & 149 deletions
This file was deleted.

0 commit comments

Comments
 (0)