Dependency to package without license

[trew]

PR #4981 added a dependency to @josephg/resolvable, which does not have a license text as of version 1.0.0. For us, that basically means unlicensed and therefore we can't upgrade apollo-server-core to any version having this dependency (since 2.22.0).

Could this dependency be removed/changed?

[glasser]

Yikes, that's a good point.

Easiest thing will be to see if I can ask the author to license it. I can certainly write my own version of what is a very small dependency (in a careful "not copying the code" way of course) or switch to another similar package.

[glasser]

@trew Though — there's no standalone license file but the package.json does contain "license": "ISC". Is that not sufficient for your company's use case?

[glasser]

(Ah, I guess in this case that probably isn't good enough because the ISC license requires you to include the copyright notice.)

[glasser]

I filed josephg/resolvable#1

I'll set myself a reminder to look back into this in a week; if @josephg hasn't responded by then I'll find an alternative.

[trew]

Thanks! Best solution would obviously be if the package included the license file as it requires no code changes.

[josephg]

Oh oops - nice catch! I’ll add a license to the package.

[josephg]

I've fixed the issue in resolvable and republished 1.0.1 with a license file. Thanks for the poke!

[glasser]

Thanks @josephg!

@trew Is that adequate to fix your concerns, or do we need to actually put out a point release with an upgrade to 1.0.1 to help you?

[trew]

@glasser No need for a new apollo-server-core release! It would've been a problem if apollo-server-core had pinned the dependency, but since it's ^1.0.0 we will get the new version. Fast work, guys. 👍