License Compliance and API Terms of Use/Service for NPM and YARN in the context of Dependency Scanning
As described in issue #207829 (closed), we are planning to integrate npm and yarn audit (which leverage the npm API) into the gemnasium analyzer.
NPM offers security advisories through https://www.npmjs.com/advisories. There are three different ways to access NPM's advisory data:
- through the Website
- through the NPM API
- through the NPM command line tool (`npm audit`), which uses the NPM API internally — https://github.com/npm/cli
NPM's Terms of Use explicitly prohibit automated downloads (web crawling) of data from the Website (https://www.npmjs.com/policies/open-source-terms, Acceptable Use, item 9):
You will not automate access to, use, or monitor the Website, such as with a web crawler, browser plug-in or add-on, or other computer program that is not a web browser. You may replicate data from the Public Registry using the Public APIs per this Agreement.
In their "Crawler Policy" (https://www.npmjs.com/policies/crawlers) they also state that:
npm's full public dataset is available via the public registry. ... it is acceptable within our terms of use to download copies of tarballs for inspection or experimentation.
In issue #207829 (closed), we are discussing the integration of the NPM command line tool into the GitLab dependency scanner gemnasium. Before we can actually integrate this, we have two questions regarding license compliance and API usage:
1. License Compliance
The NPM command line tool is licensed under the Artistic License 2.0 (https://github.com/npm/cli/blob/latest/LICENSE). The Artistic License 2.0 is a permissive license and seems to be similar to the MIT License, but it is not yet mentioned in the list of acceptable licenses in the GitLab Handbook page (https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/development/licensing.md). I suppose a license is considered acceptable if it is compatible with the GitLab Enterprise Edition (EE) license (https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/blob/master/LICENSE).
We prepared an MR to add the Artistic License 2.0 to the set of acceptable licenses. This can be merged once we have legal clarity on whether or not the Artistic License 2.0 can be considered "acceptable".
For yarn, the situation is clearer, as it is licensed under the BSD 2-Clause License, which is already considered acceptable.
2. API Usage
Before integrating `npm audit` as-is into a dependency scanning product, we want to be sure that there are no legal pitfalls with regard to the NPM API usage. After its integration, `npm audit` would be executed in an automated fashion as part of the CI/CD pipeline for all NPM projects on GitLab for which the Dependency Scanning feature is activated. Could you verify whether or not the integration of `npm audit` would be in line with NPM's Terms of Use (https://www.npmjs.com/policies)?