
Replace cheerio? #1801

Closed
honzajavorek opened this issue Aug 31, 2018 · 8 comments

Comments

@honzajavorek

Is your feature request related to a problem? Please describe.

We're doing legal and security audits of our dependencies, and so far one of the most problematic parts is the cheerio project and its dependencies. See the following issues:

In many cases, there is no response from @fb55 for a long time, and the issues are quite important as, technically and legally, nobody should really be using packages distributed without an explicit license. Code without a license is to be considered proprietary by default, and using such code could easily be classified as theft. This makes it problematic to use enzyme in any company or by any individual who actually cares about licensing.

Moreover, the cheerio project seems to be more or less abandoned:


It seems to me @fb55's dependencies and the cheerio project act as a single point of failure in such a successful project as enzyme is. Even if you don't care about licensing, it's apparently naive to expect the dependencies will ever get updated, bugs fixed, etc.

Describe the solution you'd like / Describe alternatives you've considered

Well, it doesn't look like whacko was successful in forking cheerio, as it's no longer maintained either. I'm really not sure what the alternatives are here; at least among forks I can't see anything in better condition. And even whacko is still using the css-select library, which is the biggest offender here 😢

@honzajavorek
Author

What about using the jQuery npm package itself, directly?

@ljharb
Member

ljharb commented Aug 31, 2018

@honzajavorek the jQuery npm package requires a DOM to work; the whole point of cheerio is that it doesn't.

Since enzyme is a test framework, there shouldn't be any security issue, and since you're not redistributing it, there's unlikely to be any legal issue - with any of its dependencies. Specifically, while the lack of a proper SPDX identifier and/or a license file in a given dep is frustrating, it doesn't necessarily invalidate the intended license - it just delegates that decision to a court in the exceedingly unlikely event of a lawsuit, which would weigh the intent of the author.

Cheerio got a v1 release in 2017; that activity has slowed is not the same as "abandoned".

I'm not interested in replacing cheerio with anything else; we'd get rid of render entirely before doing so.

Re "no response", have you tried emailing them, or reaching out on twitter, or contacting their employer? I've successfully done all of those to get ahold of people that perhaps don't look at their github notifications and/or disable the notification emails.

@honzajavorek
Author

> Since enzyme is a test framework, there shouldn't be any security issue

Not so important for this issue, but... A test framework is a program which the developer runs on their computer. A developer's computer is usually full of environment variables filled with access tokens, private keys, etc. A company's developers are often the best attack vector.

> since you're not redistributing it

In my company's lawyers' understanding of the world, if I'm building an Open Source product, then both its dependencies and the first level of dev dependencies are considered to be distribution.

> court

Regarding court, I could repeat this comment airbnb/js-shims#8 (comment)


I totally understand if replacing Cheerio is not a viable solution. I couldn't easily find a good replacement myself, and there possibly isn't even one. I wanted to check first though; I couldn't know, sometimes projects consider a transition to different solutions they're themselves aware of, and in that case I would learn about it from this issue and could help with contributions to make it happen.

I filed issues, PRs, I mentioned @fb55 multiple times, I couldn't find his Twitter, and I wrote an email. I checked all his repositories and they seem to be really abandoned to me, unlike Cheerio, which seems to be at least somewhat pulsating, as you pointed out. I guess I'm left with removing Enzyme from our stack and/or with waiting.

I may try to contact his employers, but that feels a bit creepy to me. He, as an author of Open Source, has every right not to care, and I want to respect that. But in that case, the projects up the dependency chain should/could care and compensate. I admit it's really hard in this particular case.

@ljharb
Member

ljharb commented Aug 31, 2018

Dev deps count in terms of use, but transitive deps that you don’t distribute aren’t your concern. Obviously you have to respect what your lawyers tell you, but “some lawyers said so” isn’t the same thing as actual legal obligation.

@honzajavorek
Author

honzajavorek commented Aug 31, 2018 via email

@ljharb
Member

ljharb commented Aug 31, 2018

It's not linked at all; it doesn't ship with enzyme - you install it. And if you don't distribute it, even if it's unlicensed, you may still have the right to use it - that's the grey area.

@honzajavorek
Author

honzajavorek commented Sep 1, 2018 via email

@ljharb
Member

ljharb commented Sep 1, 2018

npm install is pulling them down. You're not distributing them - you're only distributing a package name and a version number. Using npm means no linking - linking is a compiler step, there's no "dynamic linking". That article clearly matches my definition of "distribution".

I am in constant communication with my company's lawyers, which is why I'm confident in this interpretation.
