cordova-dev mailing list archives

From Carlos Santana <>
Subject [DISCUSS] Think twice before adding an npm dependency
Date Tue, 06 Oct 2015 01:47:01 GMT
Hi, I wanted to share some insight about the experience we had when we tried
to include the cordova cli, plugins, and platform with our IBM product
MobileFirst Platform Foundation (earlier known as Worklight).

Version 7.1, which we released in Aug/2015, was the first time we shipped the
cordova cli and the nodejs related files with the product.

One aspect of doing this was legal clearance. We didn't have any issues
with the code authored by the Cordova project; where we found we needed some
assistance was with the npm dependencies that cordova-cli, cordova-lib, and
platforms depended on.

I'm attaching the license info for all the packages we needed to clear by the
IBM legal team; this took time but was not that bad because only one
package was red flagged.

If someone is planning to re-distribute cordova then I hope it can benefit them.

The reason that it took time is because some packages didn't have a
license that was easy to find, and others didn't have a license, so the legal team needed to
contact the package owner.

Edna Morales was the one involved, working with Edna; she did a great job
dealing with all the not so fun legal requirements.

Here is an example of some packages that were not clear about their license:
commander 0.5.2; connect 1.8.5; and cookie-signature 0.0.1. But Edna
figured out that some were devDependencies, and others were MIT.

I want to discuss some more at the F2F how we make it easier to ship
cordova with a third party product, or, if not shipping it, telling customers to
go ahead and get cordova on their own and giving them some type of confidence
that cordova doesn't have any legal problems to download and install to
later integrate with our IBM product.

One would assume that, Cordova being under Apache, there should not be so
many headaches and so much legal work to re-distribute it.

With this I'm not saying that we should never depend on 3rd party open source, or
that we shouldn't refresh those dependencies. Some of the npm libraries that we
use are good to depend on, like 'q', 'shelljs', 'glob', 'npm', but others
have a large dependency graph with questionable dependencies underneath.

Now we are planning to add express as a new npm dependency to cordova-cli,
bringing with it 43 npm packages for us to clear on the next release of our
product. Not complaining, but I want you to be aware that when you add one
dependency you bring along the whole dependency tree with it and the impact
that this causes downstream.

I'm writing this email with a positive tone to make the project better, foster
open source, and to bring into perspective some items that some of you
might already be aware of and some others might not be aware of.

Sorry for the long email, but by now you should already know me well :-)
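The dependency-tree point raised above, as an added example that is not code from this email or from the Cordova project: a small Node script that starts from the package under review, follows only its runtime dependencies (devDependencies never ship, so a redistributor's clearance can skip them), and lists every transitive package with its declared license, flagging the ones that declare none. It goes slightly beyond the email in handling the three historical package.json license spellings (a string, a `{type}` object, and the legacy `licenses` array) that old packages like the ones named above used. The registry it walks is a constructed in-memory stand-in for node_modules; package names echo the email, versions and license fields are made up.

```javascript
// Constructed in-memory stand-in for node_modules (names echo the email; versions and
// license fields are made up). Old packages used several spellings of the license field.
const REGISTRY = {
  "cli-under-review": { version: "0.0.0", license: "Apache-2.0",
    dependencies: { express: "4.x", q: "1.x" }, devDependencies: { mocha: "2.x" } },
  express:            { version: "4.x", license: "MIT",
    dependencies: { "cookie-signature": "1.x", debug: "2.x", commander: "0.x" } },
  "cookie-signature": { version: "1.x", license: { type: "MIT" }, dependencies: {} },
  debug:              { version: "2.x", license: "MIT", dependencies: { ms: "0.7.x" } },
  ms:                 { version: "0.7.x", dependencies: {} }, // no license field at all
  commander:          { version: "0.x", licenses: [{ type: "MIT" }], dependencies: {} },
  q:                  { version: "1.x", license: "MIT", dependencies: {} },
  mocha:              { version: "2.x", license: "MIT", dependencies: {} },
};

// Normalize the historical package.json license spellings to one string, or null if absent.
function declaredLicense(pkg) {
  if (typeof pkg.license === "string") return pkg.license;
  if (pkg.license && typeof pkg.license.type === "string") return pkg.license.type;
  if (Array.isArray(pkg.licenses) && pkg.licenses.length > 0) {
    return pkg.licenses.map((l) => (typeof l === "string" ? l : l.type)).join(" OR ");
  }
  return null;
}

// Transitive closure over runtime "dependencies" only; the visited map breaks cycles.
function runtimeClosure(rootName, registry) {
  const seen = new Map();
  const queue = [rootName];
  while (queue.length > 0) {
    const name = queue.shift();
    if (seen.has(name)) continue;
    const pkg = registry[name];
    if (!pkg) { seen.set(name, { version: null, license: null, unresolved: true }); continue; }
    seen.set(name, { version: pkg.version, license: declaredLicense(pkg), unresolved: false });
    for (const dep of Object.keys(pkg.dependencies || {})) queue.push(dep);
  }
  return seen;
}

// What a reviewer needs before adding one dependency: everything it pulls in, and which of those need follow-up.
function licenseReport(rootName, registry) {
  const closure = runtimeClosure(rootName, registry);
  const pulledIn = [...closure.keys()].filter((n) => n !== rootName).sort();
  const needsFollowUp = pulledIn.filter((n) => closure.get(n).license === null || closure.get(n).unresolved);
  const licenses = Object.fromEntries(pulledIn.map((n) => [n, closure.get(n).license]));
  return { pulledIn, needsFollowUp, licenses };
}
```

`licenseReport("cli-under-review", REGISTRY)` reports six transitively shipped packages (mocha is left out as a devDependency) and flags `ms`, whose package.json declares no license, as needing follow-up with the package owner.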
