Posted to dev@cordova.apache.org by Carlos Santana <cs...@gmail.com> on 2015/10/06 03:47:01 UTC

[DISCUSS] Think twice before adding an npm dependency

Hi, I wanted to share some insight about the experience we had when we tried
to include the Cordova CLI, plugins, and platforms with our IBM product
MobileFirst Platform Foundation (earlier known as Worklight).

Version 7.1, which we released in Aug/2015, was the first time we shipped the
Cordova CLI and the Node.js related files with the product.

One aspect of doing this was legal clearance. We didn't have any issues
with the code authored by the Cordova project; where we found we needed some
assistance was with the npm dependencies that cordova-cli, cordova-lib, and
the platforms depended on.

I'm attaching the license info for all the packages we needed to clear with
the IBM legal team. This took time but was not that bad, because only one
package was red-flagged.

If someone is planning to redistribute Cordova, then I hope it can benefit
you.

The reason that it took time is because some packages didn't have a
license that was easy to find, and others didn't have a license, so the legal
team needed to contact the package owner.

Edna Morales was the one involved; she did a great job dealing with all the
not-so-fun legal requirements.

Here is an example of some packages that were not clear about their license:
commander 0.5.2; connect 1.8.5; and cookie-signature 0.0.1. But Edna
figured out that some were devDependencies, and others were MIT.

I want to discuss some more at the F2F how we make it easier to ship
Cordova with a third-party product, or, if not shipping it, how to tell
customers to go ahead and get Cordova on their own and give them some type of
confidence that Cordova doesn't have any legal problems to download and
install and later integrate with our IBM product.

One would assume that, Cordova being under Apache, there should not be so
many headaches and so much legal work to redistribute it.

With this I'm not saying that we should never depend on 3rd-party open source,
or that we shouldn't refresh those dependencies. Some of the npm libraries that
we use are good to depend on, like 'q', 'shelljs', 'glob', and 'npm', but
others have a large dependency graph with questionable dependencies underneath.

Now we are planning to add express as a new npm dependency to cordova-cli,
bringing with it 43 npm packages for us to clear on the next release of our
product. Not complaining, but I want you to be aware that when you add one
dependency you bring along the whole dependency tree with it, and of the
impact that this causes downstream.

I'm writing this email with a positive tone, to make the project better,
foster open source, and bring into perspective some items that some of you
might already be aware of and others might not.

Sorry for the long email, but by now you should already know me well :-)
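The kind of check the message above describes, as an added example that is not part of the original post and not code from the Cordova project or from IBM: a small Node.js script that walks a dependency graph, reports how many packages one direct dependency pulls in transitively, whether that tree is dev-only, and which packages carry a license that a downstream redistributor cannot clear automatically (missing, or a free-text pointer rather than an SPDX identifier). The graph is a constructed sample in the shape one could assemble from `npm ls --json` plus each package's `package.json` "license" field; the package names echo the ones mentioned in the thread, but the versions, edges and license values are illustrative only, not audit data. The allow-list of licenses is an assumption for the example; a real audit would take that list from the legal team.

```javascript
// Added example, not code from the Cordova project or from the thread above.
// Audits the transitive dependency tree behind each direct npm dependency and
// flags packages whose license cannot be cleared without a human looking at it.

// Assumed allow-list of SPDX identifiers the legal team has already cleared.
const CLEARED_LICENSES = new Set([
  "MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0",
]);

// Constructed sample graph: name -> { version, license, dev, requires }.
// Versions, edges and license values are illustrative, not real audit data.
const SAMPLE_TREE = {
  "express":          { version: "4.13.3", license: "MIT",          dev: false, requires: ["connect", "cookie-signature", "debug"] },
  "connect":          { version: "1.8.5",  license: undefined,      dev: false, requires: ["qs", "mime"] },
  "cookie-signature": { version: "0.0.1",  license: undefined,      dev: false, requires: [] },
  "debug":            { version: "2.2.0",  license: "MIT",          dev: false, requires: ["ms"] },
  "ms":               { version: "0.7.1",  license: "MIT",          dev: false, requires: [] },
  "qs":               { version: "4.0.0",  license: "BSD-3-Clause", dev: false, requires: ["connect"] },   // cycle, on purpose
  "mime":             { version: "1.3.4",  license: "MIT",          dev: false, requires: ["left-out"] },  // edge to a package absent from the tree
  "q":                { version: "1.4.1",  license: "MIT",          dev: false, requires: [] },
  "mocha":            { version: "2.3.3",  license: "MIT",          dev: true,  requires: ["commander"] },
  "commander":        { version: "0.5.2",  license: "SEE LICENSE IN README", dev: true, requires: [] },
};

// A license is "cleared" only when it is a single identifier on the allow-list.
// Missing values, free-text pointers ("SEE LICENSE IN README") and OR/AND
// expressions all fall through to manual review.
function isCleared(license) {
  return typeof license === "string" && CLEARED_LICENSES.has(license.trim());
}

// Depth-first walk from `root`. Tolerates cycles (visited set) and edges to
// packages missing from the tree, which are reported separately as unresolved.
function transitiveClosure(tree, root) {
  const seen = new Set();
  const unresolved = new Set();
  const stack = [root];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    const pkg = tree[name];
    if (!pkg) { unresolved.add(name); continue; }
    seen.add(name);
    for (const dep of pkg.requires) stack.push(dep);
  }
  seen.delete(root); // the root itself is not one of its own transitive deps
  return { packages: [...seen].sort(), unresolved: [...unresolved].sort() };
}

// Report for one direct dependency: size of its tree, whether it is dev-only,
// and every package (root included) whose license needs review.
function auditDependency(tree, root) {
  if (!tree[root]) throw new Error(`unknown package: ${root}`);
  const { packages, unresolved } = transitiveClosure(tree, root);
  const unclear = [root, ...packages]
    .filter((name) => !isCleared(tree[name].license))
    .map((name) => ({ name, version: tree[name].version, license: tree[name].license ?? null }));
  return { root, devOnly: tree[root].dev, transitiveCount: packages.length, packages, unresolved, unclear };
}

// Direct dependencies are the packages nothing else in the tree requires.
function auditTopLevel(tree) {
  const required = new Set(Object.values(tree).flatMap((p) => p.requires));
  return Object.keys(tree)
    .filter((name) => !required.has(name))
    .sort()
    .map((name) => auditDependency(tree, name));
}

for (const report of auditTopLevel(SAMPLE_TREE)) {
  console.log(`${report.root}: ${report.transitiveCount} transitive package(s), devOnly=${report.devOnly}`);
  for (const p of report.unclear) console.log(`  needs review: ${p.name}@${p.version} license=${p.license}`);
  for (const n of report.unresolved) console.log(`  unresolved: ${n}`);
}
```

Running it on the sample prints one line per direct dependency, so the "43 packages behind express" number from the message becomes something the build can compute and fail on, and dev-only trees (mocha, commander here) can be separated from what actually ships. Swapping the constructed graph for the real one means reading `node_modules/*/package.json` (or the output of `npm ls --json`) into the same shape.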

Re: [DISCUSS] Think twice before adding an npm dependency

Posted by Carlos Santana <cs...@gmail.com>.
I can ask StrongLoop for their legal clearance and be done with it :-)

On Mon, Oct 5, 2015 at 10:41 PM Tim Barham <Ti...@microsoft.com> wrote:

> > Now we are planning to add express as new npm dependency to cordova-cli,
> > bringing with it 43 npm packages for us to clear on the next release of
> our
> > product.
>
> Heh, sorry about that :). At least the good news is they all have well
> documented licenses (apart from the one where you have to look in the
> README file).
>
> Tim
>

RE: [DISCUSS] Think twice before adding an npm dependency

Posted by Tim Barham <Ti...@microsoft.com>.
> Now we are planning to add express as new npm dependency to cordova-cli,
> bringing with it 43 npm packages for us to clear on the next release of our
> product.

Heh, sorry about that :). At least the good news is they all have well documented licenses (apart from the one where you have to look in the README file).

Tim

Re: [DISCUSS] Think twice before adding an npm dependency

Posted by Carlos Santana <cs...@gmail.com>.
Sorry for all the typos, I blame Siri dictation taking ;-p
