50 lines
1.6 KiB
Bash
Executable File
50 lines
1.6 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
#
|
|
# License + security audit. Run from repo root.
|
|
# Backend deps live in /package.json; the Next.js app has its own under web/.
|
|
|
|
set -uo pipefail
|
|
|
|
ROOT="$(cd "$(dirname "$0")/.." && pwd)"
|
|
#
|
|
# LGPL-3.0-or-later: appears via sharp's native libvips binary (dynamically
|
|
# linked, permitted by LGPL).
|
|
# MPL-2.0: file-level copyleft. Permitted because we don't modify the MPL'd
|
|
# source files in web-push, lightningcss, etc. — only consume them as
|
|
# dependencies. If we ever fork an MPL'd file we must release that file.
|
|
ALLOWED='MIT;MIT-0;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC;CC0-1.0;Unlicense;0BSD;Python-2.0;CC-BY-4.0;BlueOak-1.0.0;LGPL-3.0-or-later;MPL-2.0'
|
|
|
|
echo "=== Backend npm license audit ==="
|
|
cd "$ROOT"
|
|
npx --yes license-checker --production --onlyAllow "$ALLOWED" --excludePackages 'vyndr@1.0.0' || backend_failed=1
|
|
|
|
echo ""
|
|
echo "=== Web npm license audit ==="
|
|
cd "$ROOT/web"
|
|
npx --yes license-checker --production --onlyAllow "$ALLOWED" --excludePackages 'vyndr-web@1.0.0' || web_failed=1
|
|
|
|
echo ""
|
|
echo "=== Python license audit (best-effort) ==="
|
|
if command -v pip-licenses >/dev/null 2>&1; then
|
|
pip-licenses --format=plain --with-license-file --no-license-path | head -50
|
|
else
|
|
echo "(pip-licenses not installed — run: pip install pip-licenses)"
|
|
fi
|
|
|
|
echo ""
|
|
echo "=== Backend security audit ==="
|
|
cd "$ROOT"
|
|
npm audit --omit=dev || true
|
|
|
|
echo ""
|
|
echo "=== Web security audit ==="
|
|
cd "$ROOT/web"
|
|
npm audit --omit=dev || true
|
|
|
|
echo ""
|
|
if [[ "${backend_failed:-0}" -eq 1 || "${web_failed:-0}" -eq 1 ]]; then
|
|
echo "License audit FAILED — review packages above."
|
|
exit 1
|
|
fi
|
|
echo "License audit clean."
|