deny-licenses mistakenly blocking LGPL-3.0 license #635

logan-porelle · 2023-12-06T17:17:06Z

Summary:

When I list LGPL-2.0,LGPLLR as my deny-license list and have PyGitHub==2.1.1 as a third party in my requirements.txt file then the dependency-review action blocks the pull request as a incompatible issue. The problem is that PyGitHub is a LGPL-3.0, not LGPL-2.0 license.

Replicate:

Have dependency-review-action setup like below:

name: 'Dependency Review'
on: [pull_request]

permissions:
  contents: read
  pull-requests: write

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v3.1.4
        with:
          comment-summary-in-pr: true
          deny-licenses: LGPL-2.0,LGPLLR

Open a pull request with a requirements.txt listing PyGithub==2.1.1
Check PR dependency-review-action failure.

Sample Output:

The text was updated successfully, but these errors were encountered:

jonjanego added the bug Something isn't working label Jan 31, 2024

febuiles linked a pull request Mar 22, 2024 that will close this issue

Update SPDX Expression Parsing #719

Open

febuiles self-assigned this Mar 22, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

deny-licenses mistakenly blocking LGPL-3.0 license #635

deny-licenses mistakenly blocking LGPL-3.0 license #635

logan-porelle commented Dec 6, 2023

deny-licenses mistakenly blocking LGPL-3.0 license #635

deny-licenses mistakenly blocking LGPL-3.0 license #635

Comments

logan-porelle commented Dec 6, 2023

Summary:

Replicate:

Sample Output: