Hi, We have 4 dependency packages being upgraded which are using extensive Dual licensing. I have recently updated my config file to accommodate the flagged license identifiers as well. Still we are getting "Invalid SPDX license" for all of them.
| Package | Version | License | Issue Type |
| --- | --- | --- | --- |
| jmespath | 0.16.0 | Apache-2.0 AND MIT | Invalid SPDX License |
| pako | 1.0.11 | MIT AND Zlib | Invalid SPDX License |
| sprintf-js | 1.0.3 | BSD-3-Clause AND BSD-3-Clause-Clear | Invalid SPDX License |
| stream-buffers | 3.0.3 | Unlicense | Invalid SPDX License |
My dependency review workflow looks like this:

```yaml
- name: 'Dependency Review'
  uses: actions/dependency-review-action@v3
  with:
    config-file: 'security-config/dependency-review-config.yml'
```
My config file has these licenses already allowed:

```yaml
Allowed Licenses:
  - BSD-2-Clause
  - BSD-3-Clause
  - MIT
  - Apache-2.0
  - PSF-2.0
  - ISC
  - HPND
  - CC0-1.0
  - 0BSD
  - PSF-2.0
  - Python-2.0
  - WTFPL
  - LGPL-3.0
  - Apache-2.0 and MIT
  - MIT AND Zlib
  - BSD-3-Clause AND BSD-3-Clause-Clear
  - Unlicense
```
Additionally, I also checked the license identifiers using a license-expression validator, but it found no issues with any of the identifiers.
Please provide a prompt reason for the failure as the dependency review workflow is not helping us in resolving this at all.
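A strict SPDX expression checker run over the allow-list from this issue, as an added example that is not part of the issue or of the dependency-review-action code. It assumes a small constructed set of known identifiers (KNOWN_IDS, not the full SPDX list) and, like strict SPDX parsers, treats AND and OR as case-sensitive keywords; WITH exceptions are out of scope.

```python
import re

# Constructed subset of SPDX identifiers covering the issue's allow-list (not the full SPDX list).
KNOWN_IDS = {"BSD-2-Clause", "BSD-3-Clause", "BSD-3-Clause-Clear", "MIT", "Apache-2.0",
             "PSF-2.0", "ISC", "HPND", "CC0-1.0", "0BSD", "Python-2.0", "WTFPL",
             "LGPL-3.0", "Unlicense", "Zlib"}
OPERATORS = {"AND", "OR"}          # SPDX operators are upper-case keywords; WITH not handled here
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")

# Allow-list copied from the issue's config file.
ALLOW_LIST = ["BSD-2-Clause", "BSD-3-Clause", "MIT", "Apache-2.0", "PSF-2.0", "ISC", "HPND",
              "CC0-1.0", "0BSD", "PSF-2.0", "Python-2.0", "WTFPL", "LGPL-3.0",
              "Apache-2.0 and MIT", "MIT AND Zlib",
              "BSD-3-Clause AND BSD-3-Clause-Clear", "Unlicense"]


def validate_expression(expr):
    """Return None if expr is a well-formed SPDX expression, else a short reason string."""
    tokens = TOKEN_RE.findall(expr)
    if "".join(tokens) != expr.replace(" ", ""):
        return "unexpected characters in expression"
    expect_operand, depth = True, 0
    for tok in tokens:
        if tok == "(":
            if not expect_operand:
                return "unexpected '('"
            depth += 1
        elif tok == ")":
            if expect_operand or depth == 0:
                return "unbalanced ')'"
            depth -= 1
        elif expect_operand:                      # a license id (optionally with trailing '+')
            if tok.rstrip("+") not in KNOWN_IDS:
                return f"unknown license id {tok!r}"
            expect_operand = False
        else:                                     # an operator between two operands
            if tok not in OPERATORS:
                if tok.upper() in OPERATORS:
                    return f"operator {tok!r} must be upper-case"
                return f"expected AND/OR, got {tok!r}"
            expect_operand = True
    if expect_operand:
        return "expression ends with an operator"
    return "unbalanced '('" if depth else None


def check_allow_list(entries):
    """Map each malformed allow-list entry to the reason it was rejected."""
    return {e: validate_expression(e) for e in entries if validate_expression(e)}
```

Run against the list above, only the entry with a lower-case operator is reported; every entry the action flagged parses cleanly under this grammar.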