
Replace css-select? #8

Closed
honzajavorek opened this issue Aug 31, 2018 · 4 comments

Comments

@honzajavorek

We're doing legal and security audits of our dependencies, and so far one of the most problematic parts is the css-select project and its dependencies. See the following issues:

In many cases there is no response from @fb55 for a long time, and the issues are quite important: technically and legally, nobody should really be using packages distributed without an explicit license. Code without a license is to be considered proprietary by default, and using such code could easily be classified as theft. This makes it problematic to use RenderKid in any company, or by any individual who actually cares about licensing.

Moreover, the css-select project seems to be more or less abandoned. It seems to me @fb55's dependencies and the css-select project act as a single point of failure in your project. Even if you don't care about licensing, it's apparently naive to expect the dependencies will ever get updated, bugs fixed, etc.

@AriaMinaei (Owner)

Agreed, this is important. I'm looking for a replacement now.

@AriaMinaei (Owner)

This turned out to be more surgical than I anticipated. It'll take more time than I have on my hands.

Now, since the mentioned packages are quite stable, the only reason we have for replacing them is the licensing issue. Thankfully, the author has selected an open-source license for each repo. It's only the published npm content that doesn't have a license clause. So, one way to move forward would be to just fork all of these packages and re-publish them while preserving their original repository license.

What do you think @honzajavorek?

@char0n commented Sep 12, 2018

@AriaMinaei yes, that is certainly a viable solution. We did our research yesterday too, and I can confirm all the repos contain valid licenses, although the author decided to remove the word "Software" from the license files and replace it with "this". That is for lawyers to decide, whether this is still a valid license. If we just republish all these packages with a patch version update, it could fix the licensing issues. I don't think we will be able to get access to the author's original npm registry packages, so either we fix all package.json files to point to our new npm packages, or we can use an npm-shrinkwrap file to control what gets installed from where during RenderKid installation.

There is still a long-term problem, that we're using 6-year-old code that is not maintained anymore (but I can live with that for now).

opichals added a commit to opichals/RenderKid that referenced this issue Apr 18, 2019
opichals added a commit to opichals/RenderKid that referenced this issue Apr 23, 2019
opichals added a commit to opichals/RenderKid that referenced this issue Apr 23, 2019
@char0n commented Jan 2, 2021

Better late than never ;]
