Add support for defining an expiration to license approval policy exceptions

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

Close this issue

Release notes

Problem to solve

As a follow-on to Exclude packages from Merge Request Approval Po... (&10203 - closed), we have a customer who has expressed interest in setting an expiration to an exception for licenses defined in a license approval policy.

Use cases

We want to block AGPL (or any restricted license) by default but allow specific exceptions for dependencies with dual licensing, where we’ve paid to use them under a non-AGPL license. These exceptions should:

1. Be configurable at a policy level using details like package name, version, and license type.

2. Include an expiry date to ensure the exception is reassessed, especially to confirm payment continuity.”

Intended users

User experience goal

Proposal

Allow users to define an expiry date on license exceptions defined in YAML
Add support to UI
Consider how policy creators may need to learn if policy exceptions expire (which may require a separate iteration)

Further details

Permissions and Security

Documentation

Availability & Testing

Available Tier

Feature Usage Metrics

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

What is the competitive advantage or differentiation for this feature?

Links / references

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited Aug 28, 2025 by 🤖 GitLab Bot 🤖