Dependency review CI fails due to lxml and typing-extensions license false positives

## Description

The `dependency-review.yml` workflow fails on PRs that add Python skill dependencies because the GitHub dependency review action mis-labels `lxml` and `typing-extensions` as GPL-licensed.

### Root Cause

Both packages use compound SPDX license expressions in their source distributions that the scanner interprets as GPL:

- **lxml** — Licensed under BSD-3-Clause. The scanner picks up GPL references from the bundled `libxml2`/`libxslt` build metadata.
- **typing-extensions** — Licensed under PSF-2.0. The scanner flags a GPL tag from the compound SPDX expression in the sdist.

Neither package is actually GPL-licensed.

### Expected Behavior

Dependency review should pass for PRs adding `lxml` or `typing-extensions` as dependencies.

### Fix

Add per-package license exemptions via `allow-dependencies-licenses` in `dependency-review.yml` for `pkg:pypi/lxml` (BSD-3-Clause) and `pkg:pypi/typing-extensions` (PSF-2.0). Also add missing license identifiers (`MIT-0`, `MIT-CMU`, `HPND`, `LicenseRef-scancode-secret-labs-2011`) to the global allow-list.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dependency review CI fails due to lxml and typing-extensions license false positives #1164

Description

Root Cause

Expected Behavior

Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Dependency review CI fails due to lxml and typing-extensions license false positives #1164

Description

Description

Root Cause

Expected Behavior

Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions