feat(publish): Ensure published packages contain a LICENSE file

[honzajavorek]

This PR is my attempt to implement changes proposed in #1213 (comment)

Description

• I added several local functions and tested them all: createTempLicenses, getLicensePath, getPackagesWithoutLicense, removeTempLicenses, removeTempLicensesSync
• In initialize() I added some lines to determine situation:
  • figuring out whether the root package has a license or not
  • figuring out packages without license
  • if the root license is present and there are packages without license, those are saved for later
  • if the root license is not present and there are packages without license, there is only a warning - nothing else can be done
• In npmPublish() I added creating temporary license files and removing them to the chain
  • if the chain fails, there is synchronous removal of the files, possible error is only printed
  • the licenses are added before prepublish scripts and removed after postpublish - it sort of made sense to me and it was also easier to fit into the current flow - let me know if you think otherwise
• I added fs-extra as a dependency for the publish package
• I added description of the feature to the README. Please let me know if there are other docs to update.

Motivation and Context

Closes #1213

How Has This Been Tested?

• I wrote several tests for both local lib additions and the publish command itself
• I modified the npm-publish mock to record information about license files at the time of publishing. This caused several other tests to fail, as they were relying on the simpler, previous version of the mock's registry. I updated the tests and snapshots.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my changes.
• All new and existing tests passed.

[honzajavorek]

@evocateur I think this is ready for a review now.

[evocateur]

So I'm not sure this is lerna's responsibility? I mean, this sort of thing arguably belongs in a separate CLI, run once to copy licenses etc, or perhaps in a preversion lifecycle in order to validate that the licenses exist, and fail if necessary before lerna publish gets around to actually publishing. npm publish always includes LICENSE.md (and similar) when it finds them.

It is my understanding that the license field of package.json is also sufficient for this sort of thing? As long as it matches an SPDX identifier, it is not strictly necessary to include yet another copy+paste of the license text.

[honzajavorek]

@evocateur That sounds a bit like a turn-down, although in #1213 you seemed to agree with the idea and we even agreed on how this could be implemented. After investing quite some time into the PR, I'm a bit confused now. Do you suggest a different implementation approach or are we revisiting whether this should be a part of Lerna at all?

Almost every project using Lerna (and that's most of the projects utilizing monorepos, and that's a lot of packages in the npm ecosystem) is suffering an issue where the sub packages are not distributed with a full license text when the maintainers only provide the full license text file in the root of the monorepo. While the intention is clear (all the packages are licensed under the root license), the result is debatable. The distributions of packages published to npm are without the license text, thus more strict company lawyers could prohibit using such pacakges or deem them as problematic and requiring special treatment. That brings burden to those wanting to use such packages.

Without full license text, the sub packages are not properly licensed, even though the license field contains a valid SPDX identifier. Some licenses, such as MIT, even explicitly require packing the text together with the distribution, it's written in the text of the license: babel/babel#7308 (comment) Effectively, this way the source code of most Lerna-distributed packages on npm is unlicensed and cannot be used by anyone else (or, to be more precise, by anyone who cares about licensing).

npm does include the license file automatically in case it's present, so this problem wouldn't exist if the project were not monorepos. As Lerna is a tool to help maintainers to deal with specifics of having a monorepo, and especially with specifics of publishing the sub packages, I think this feature should be a core feature of the tool. Moreover, the behavior we discussed in the initial issue requires no additional work to the maintainers. It follows their intentions without having to care about anything, while it automatically solves the licensing problem for all the package users. Factoring the feature out to a separate tool doesn't solve the widespread issue as it requires the users of the packages to file issues on the projects they have problems to use, and it requires maintainers to make additional steps and to modify their project life cycle to accommodate the license distribution.

[evocateur]

@honzajavorek Thanks for the push back, I understand a lot better now, and completely agree. Sorry for the scattered skepticism, I've been punishingly busy the last few weeks. I will rebase your changes, since I caused the conflicts.

Thanks again for all your efforts!

[StrahilKazlachev]

Warnings tend to be ignored till it's too late.
Can there be an option to force a failure, --strict-licensing or something? Also being configurable through lerna.json would be great.

[evocateur]

@StrahilKazlachev Definitely, I think we can tackle that in a separate PR.

[honzajavorek]

@evocateur Thank you for maintaining Lerna despite the time constraints, for your initial guidance on how to implement this and for merging this! 🚀

[lock]

This thread has been automatically locked because there has not been any recent activity after it was closed. Please open a new issue for related bugs.