cordova-dev mailing list archives

From Carlos Santana <>
Subject Re: [DISCUSS] Think twice before adding an npm dependency
Date Tue, 06 Oct 2015 02:00:59 GMT
Sorry for all the typos, I blame Siri dictation taking ;-p

On Mon, Oct 5, 2015 at 9:47 PM Carlos Santana <> wrote:

> Hi, I wanted to share some insight about the experience we had when we tried
> to include the Cordova CLI, plugins, and platforms with our IBM product
> MobileFirst Platform Foundation (earlier known as Worklight).
> Version 7.1, which we released in Aug/2015, was the first time we shipped
> the Cordova CLI and the Node.js related files with the product.
> One aspect of doing this was legal clearance. We didn't have any issues
> with the code authored by the Cordova project; where we found we needed some
> assistance was with the npm dependencies that cordova-cli, cordova-lib, and
> the platforms depended on.
> I'm attaching the license info for all the packages we needed to clear with
> the IBM legal team. This took time but was not that bad, because only one
> package was red-flagged.
> If someone is planning to redistribute Cordova then I hope it can benefit
> you.
> The reason that it took time is that some packages didn't have a
> license that was easy to find, and others didn't have a license at all, so
> the legal team needed to contact the package owner.
> Edna Morales was the one involved in working with legal; she did a great
> job dealing with all the not-so-fun legal requirements.
> Here is an example of some packages that were not clear about their
> license: commander 0.5.2; connect 1.8.5; and cookie-signature 0.0.1. But
> Edna figured out that some were devDependencies, and others were MIT.
> I want to discuss some more at the F2F how we make it easier to ship
> Cordova with a third-party product, or, if not shipping it, how we tell
> customers to go ahead and get Cordova on their own and give them some type
> of confidence that Cordova doesn't have any legal problems to download and
> install and later integrate with our IBM product.
> One would assume that, Cordova being under Apache, there should not be so
> many headaches and so much legal work to redistribute it.
> With this I'm not saying that we should never depend on 3rd party open
> source, or that we shouldn't refresh those dependencies. Some of the npm
> libraries that we use are good to depend on, like 'q', 'shelljs', 'glob',
> 'npm', but others have a large dependency graph with questionable
> dependencies underneath.
> Now we are planning to add express as a new npm dependency to cordova-cli,
> bringing with it 43 npm packages for us to clear on the next release of our
> product. Not complaining, but I want you to be aware that when you add one
> dependency you bring along the whole dependency tree with it, and of the
> impact that this causes downstream.
> I'm writing this email with a positive tone to make the project better,
> foster open source, and bring into perspective some items that some of you
> might already be aware of and others might not be.
> Sorry for the long email, but by now you should already know me well :-)
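The point in the quoted message that one new dependency brings its whole transitive tree, and that some of those packages carry no usable license metadata, can be made concrete with a small audit script. The following is an added example written for this page; it is not code from the thread, from IBM, or from the Cordova project. It walks a constructed in-memory "registry" (all package names, versions and license values in it are invented and say nothing about any real npm package), computes the transitive closure of a root package, and sorts the closure into packages that clear against an assumed allowlist and packages a human has to look at. Against a real install the same walk would read each package.json under node_modules.

```javascript
// Added example (not from this thread or the Cordova project): enumerate the
// transitive dependency closure of one npm package and sort the packages by
// whether their license metadata is usable, so a redistributor's legal review
// starts from a list rather than from a surprise at release time.

// Constructed sample registry keyed by "name@version". Names, versions and
// license values are made up and say nothing about any real package.
const REGISTRY = {
  "tool@1.0.0":    { license: "Apache-2.0", dependencies: ["server@4.0.0", "q@1.4.1"] },
  "q@1.4.1":       { license: "MIT", dependencies: [] },
  "server@4.0.0":  { license: "MIT", dependencies: ["cookie@0.1.0", "signer@0.0.1", "debug@2.0.0"] },
  // older packages used an object instead of an SPDX string
  "cookie@0.1.0":  { license: { type: "MIT", url: "https://example.invalid/LICENSE" }, dependencies: ["debug@2.0.0"] },
  // no license field at all, plus a dependency cycle back to server
  "signer@0.0.1":  { dependencies: ["server@4.0.0"] },
  // the deprecated "licenses" array form
  "debug@2.0.0":   { licenses: [{ type: "BSD-3-Clause" }], dependencies: ["oddball@0.3.0"] },
  // a string that is not an SPDX identifier; a human has to read the file
  "oddball@0.3.0": { license: "SEE LICENSE IN LICENSE.txt", dependencies: ["ms@0.7.0"] },
  // "ms@0.7.0" is deliberately absent from the registry (unresolved)
};

// Assumed allowlist for this example; each organisation decides its own.
const APPROVED = new Set(["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"]);

// Every package reachable from root, excluding root itself, sorted.
// The visited set stops cycles (signer -> server -> signer).
function transitiveDeps(registry, root) {
  const seen = new Set();
  const stack = [root];
  while (stack.length) {
    const id = stack.pop();
    if (seen.has(id)) continue;
    seen.add(id);
    const pkg = registry[id];
    if (pkg) stack.push(...(pkg.dependencies || []));
  }
  seen.delete(root);
  return [...seen].sort();
}

// Reduce the metadata shapes npm has accepted over the years to one string,
// or null when no license is declared at all.
function normalizeLicense(pkg) {
  if (!pkg) return null;
  if (typeof pkg.license === "string") return pkg.license;
  if (pkg.license && typeof pkg.license.type === "string") return pkg.license.type;
  if (Array.isArray(pkg.licenses) && pkg.licenses.length) {
    // the old array form meant "any of these"
    return pkg.licenses.map((l) => l.type).filter(Boolean).join(" OR ");
  }
  return null;
}

// Split the closure into packages that clear automatically and packages a
// human must look at, recording the reason for each of the latter.
function licenseReport(registry, root, approved) {
  const deps = transitiveDeps(registry, root);
  const report = { root, total: deps.length, cleared: [], review: [] };
  for (const id of deps) {
    const pkg = registry[id];
    const license = normalizeLicense(pkg);
    if (!pkg) report.review.push({ id, license, reason: "not in registry" });
    else if (license === null) report.review.push({ id, license, reason: "no license metadata" });
    else if (!approved.has(license)) report.review.push({ id, license, reason: "license not on allowlist" });
    else report.cleared.push({ id, license });
  }
  return report;
}

// Stand-alone run: what does adding "server" cost, and what needs a lawyer?
const report = licenseReport(REGISTRY, "tool@1.0.0", APPROVED);
console.log(`server@4.0.0 brings ${transitiveDeps(REGISTRY, "server@4.0.0").length} packages underneath it`);
console.log(`${report.total} transitive packages, ${report.cleared.length} cleared, ${report.review.length} need review:`);
for (const r of report.review) console.log(`  ${r.id}: ${r.reason} (${r.license})`);
```

The three review reasons map onto what the message describes: a package that is missing from the registry (or, in a real tree, from the lockfile) cannot be cleared at all, a package with no license field needs the owner contacted, and a non-SPDX string such as "SEE LICENSE IN LICENSE.txt" needs someone to read the file. Running the walk on a proposed dependency before merging it gives the number that matters downstream: how many packages the one new line in package.json actually adds.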
