Closed
Labels: bug (Something isn't working), workflows (GitHub Actions workflows)
Description
Problem
The Dependency Review workflow fails on release-please PR #2256 (chore(main): release hve-core 3.2.1) with five license violations from Docusaurus transitive dependencies.
Failing packages
| Package | Version | License expression | Root cause |
|---|---|---|---|
| dompurify | 3.3.2 | Apache-2.0 OR GPL-1.0-only OR GPL-2.0-only OR MPL-2.0 OR MS-PL | Compound SPDX with copyleft options; distributed license is permissive |
| lunr-languages | 1.14.0 | MPL-1.1 | Weak copyleft, acceptable for bundled documentation tooling |
| path-is-inside | 1.0.2 | MIT AND WTFPL | WTFPL not in global allow-list |
| unicode-match-property-value-ecmascript | 2.2.1 | LicenseRef-scancode-unicode AND MIT | Unicode license not in global allow-list |
| unicode-property-aliases-ecmascript | 2.2.0 | LicenseRef-scancode-unicode AND MIT | Unicode license not in global allow-list |
Failing run
- Workflow: Dependency Review
- Run: https://github.com/microsoft/hve-core/actions/runs/23367997642/job/67985856560
Fix
Expand the allow-lists in `.github/workflows/dependency-review.yml`:
- Add `WTFPL` and `LicenseRef-scancode-unicode` to the global `allow-licenses` (permissive licenses).
- Add `pkg:npm/dompurify` and `pkg:npm/lunr-languages` to `allow-dependencies-licenses` (packages with compound SPDX expressions containing copyleft options where the distributed license is permissive).
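For reference, a workflow step that wires both allow-lists into `actions/dependency-review-action` the way the fix above describes. This is an added illustration, not the repository's actual `dependency-review.yml`: the trigger, permissions, checkout step, action major version, the pre-existing entries in `allow-licenses`, and the `comment-summary-in-pr` setting are all assumptions; only the two `WTFPL` / `LicenseRef-scancode-unicode` additions and the two package URLs come from the issue.

```yaml
name: Dependency Review

on:
  pull_request:

permissions:
  contents: read
  pull-requests: write   # assumed: needed only so the action can post its PR summary

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Global allow-list: comma-separated SPDX license identifiers.
          # The first six entries are assumed placeholders for whatever the
          # repository already allows; WTFPL and LicenseRef-scancode-unicode
          # are the additions proposed in this issue.
          allow-licenses: >-
            MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD,
            WTFPL, LicenseRef-scancode-unicode
          # Per-package exemptions: comma-separated package URLs (purls).
          # Both packages declare compound SPDX expressions that include
          # copyleft options, but the license actually distributed is permissive.
          allow-dependencies-licenses: >-
            pkg:npm/dompurify, pkg:npm/lunr-languages
          # assumed: post the result as a PR comment even when the check passes
          comment-summary-in-pr: always
```

An `allow-dependencies-licenses` entry bypasses license checking for that package, so the upstream license expression is worth re-reading when either package is upgraded; the global `allow-licenses` change, by contrast, applies to every dependency that carries those identifiers.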