From 947b6da685b1d87270d75925c3ad65aa79628334 Mon Sep 17 00:00:00 2001 From: Igor Gentil Date: Fri, 22 May 2026 15:39:25 +1000 Subject: [PATCH] ci: allowlist typing-extensions in dependency-review Pre-emptive fix. typing-extensions@4.15.0 (transitive of pydantic via aws-sam-translator) declares a compound SPDX expression `Python-2.0 AND GPL-1.0-or-later AND ...` derived from historic CNRI Python license metadata. The package's actual License-Expression header is `PSF-2.0`; the GPL fragment is a metadata artefact, not a real licensing claim. The package is PSF-licensed and fully Apache-2.0-compatible. dependency-review evaluates AND expressions strictly: every component license must be in the allowlist. Adding GPL-1.0-or-later to the allowlist would be wrong (real GPL deps would slip through); allowlisting this specific package via PURL is the correct narrow fix. Caught in the sibling cfn-lint-cfn-handler repo when its bootstrap PR hit this on its first dependency-review run; same fix landed there as its first PR (igorlg/cfn-lint-cfn-handler PR #1, follow-up commit). --- .github/workflows/dependency-review.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index bea8ae0..68aa73e 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -34,3 +34,13 @@ jobs: CC0-1.0, Unlicense, 0BSD + # Vetted exceptions to the license allowlist: + # + # typing-extensions exposes a compound SPDX expression + # `Python-2.0 AND GPL-1.0-or-later AND ...` derived from the + # historic CNRI Python license metadata. The package's own + # License-Expression header is `PSF-2.0`. The GPL fragment is + # an artefact of legacy Python distribution, not a real + # licensing claim — typing-extensions is PSF-licensed and + # fully Apache-2.0-compatible. + allow-dependencies-licenses: 'pkg:pypi/typing-extensions'
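Review bot: the waiver on the new `allow-dependencies-licenses: 'pkg:pypi/typing-extensions'` line is unversioned, so it exempts every past and future release of typing-extensions from license checks, not just the 4.15.0 metadata artefact the commit message vets; a later release that genuinely changed license would pass without anyone noticing. Either pin the PURL to the version that was reviewed (`pkg:pypi/typing-extensions@4.15.0`, if the action's PURL matching honours a version suffix), or at minimum record the vetted version and the evidence (the `PSF-2.0` License-Expression header) in the YAML comment so a reviewer knows when the exception must be re-checked. The comment block itself is good, but it currently states the conclusion without naming which version was inspected, which is the one fact a future maintainer needs.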