ci: allowlist typing-extensions in dependency-review#23
Merged
Conversation
Pre-emptive fix. typing-extensions@4.15.0 (transitive of pydantic via aws-sam-translator) declares a compound SPDX expression `Python-2.0 AND GPL-1.0-or-later AND ...` derived from historic CNRI Python license metadata. The package's actual License-Expression header is `PSF-2.0`; the GPL fragment is a metadata artefact, not a real licensing claim. The package is PSF-licensed and fully Apache-2.0-compatible. dependency-review evaluates AND expressions strictly: every component license must be in the allowlist. Adding GPL-1.0-or-later to the allowlist would be wrong (real GPL deps would slip through); allowlisting this specific package via PURL is the correct narrow fix. Caught in the sibling cfn-lint-cfn-handler repo when its bootstrap PR hit this on its first dependency-review run; same fix landed there as its first PR (igorlg/cfn-lint-cfn-handler PR #1, follow-up commit).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pre-emptive fix, copied from the sibling
cfn-lint-cfn-handlerwhere it surfaced on the first PR's dependency-review run.
Why
typing-extensions@4.15.0declares a compound SPDX expressionPython-2.0 AND GPL-1.0-or-later AND Python-2.0 AND BSD-3-Clause AND Python-2.0 AND BSD-3-Clause AND 0BSDderived from historic CNRIPython license metadata. Its actual
License-Expressionheader isPSF-2.0. The GPL fragment is a metadata artefact, not a reallicensing claim — typing-extensions is PSF-licensed and fully
Apache-2.0-compatible.
dependency-review-actionevaluatesANDexpressions strictly:every component license must be in the allowlist. Adding
GPL-1.0-or-laterto the allowlist would be wrong (real GPL depswould slip through); allowlisting this specific package via PURL is
the correct narrow fix.
When it would surface here
typing-extensionsis a transitive ofpydanticviaaws-sam-translatorviacfn-lint. Today's CI passes only becausethe dependency-review action evaluates the delta between PR base
and head; on existing PRs the package is already on
mainso it'snot flagged. Any future PR that touches the lockfile in a way that
re-introduces
typing-extensions(e.g. a major bump that drops thenre-adds it transitively, or an
uv lock --upgraderebuild) wouldhit this.
What
Single-line addition:
allow-dependencies-licenses: 'pkg:pypi/typing-extensions'.