Tighten dependency license policy

Boyeep · Boyeep · commit 4e73b1e334ec · 2026-03-22T02:32:18.000+07:00
diff --git a/.github/dependency-review-config.yml b/.github/dependency-review-config.yml
@@ -1,7 +1,23 @@
 # Keep the initial policy focused on risky dependency changes first.
-# If you want stricter license enforcement later, add allow-licenses here.
+# This allowlist is intentionally based on the licenses already present in the
+# current dependency tree so normal updates do not become noisy immediately.
 fail-on-severity: high
 fail-on-scopes:
   - runtime
   - unknown
 license-check: true
+allow-licenses:
+  - Apache-2.0
+  - Apache-2.0 AND LGPL-3.0-or-later
+  - Apache-2.0 OR BSD-2-Clause
+  - BSD-2-Clause
+  - BSD-3-Clause
+  - BlueOak-1.0.0
+  - CC-BY-4.0
+  - CC0-1.0
+  - ISC
+  - MIT
+  - MPL-2.0
+  - PSF-2.0
+  - Python-2.0
+  - 0BSD
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -97,6 +97,8 @@ That command writes generated reports into `reports/licenses/`.
 
 Dependency review also runs automatically on pull requests to catch newly introduced vulnerable dependency changes.
 
+That dependency review config also includes an allowlist for the licenses already present in the current dependency tree. If you intentionally add a dependency under a new acceptable license, update `.github/dependency-review-config.yml` in the same pull request.
+
 ## Changing the API Contract
 
 If you modify request or response shapes:
diff --git a/README.md b/README.md
@@ -127,6 +127,8 @@ Pull requests also run GitHub dependency review so new vulnerable dependency cha
 
 A separate GitHub workflow generates license-report artifacts for the root workspace, frontend workspace, and backend Python environment.
 
+The dependency-review config also keeps a conservative allowlist of licenses already present in the current dependency tree, so tightening policy does not start by breaking routine updates.
+
 ## Releases
 
 - Release Drafter keeps a draft release updated from merged pull requests on `main` and can auto-label incoming pull requests by path.
diff --git a/SECURITY.md b/SECURITY.md
@@ -34,6 +34,8 @@ The repository also uses automated scanning to help catch common security issues
 - GitHub dependency review on pull requests for newly introduced vulnerable dependency changes
 - GitHub license-report artifacts for npm and Python dependency inventories
 
+Dependency review is also configured with an allowlist that matches the current dependency tree, so changes that introduce new license types are surfaced deliberately instead of silently drifting in.
+
 Those checks do not replace private disclosure. If you believe a vulnerability is real or
 exploitable, please still report it through a private advisory.
 
diff --git a/backend/pyproject.toml b/backend/pyproject.toml
@@ -6,6 +6,7 @@ build-backend = "hatchling.build"
 name = "nextjs-python-computer-vision-kit-backend"
 version = "0.1.0"
 description = "FastAPI backend for the computer vision starter kit."
+license = "MIT"
 readme = "README.md"
 requires-python = ">=3.12"
 dependencies = [
diff --git a/frontend/package.json b/frontend/package.json
@@ -2,6 +2,7 @@
   "name": "frontend",
   "version": "0.1.0",
   "private": true,
+  "license": "MIT",
   "scripts": {
     "dev": "next dev",
     "build": "next build",
diff --git a/scripts/report-licenses.mjs b/scripts/report-licenses.mjs
@@ -48,50 +48,63 @@ function writeReport(filename, content) {
   writeFileSync(outputPath, normalized, "utf8");
 }
 
+function summarizeNpmLicenses(rawJson) {
+  const data = JSON.parse(rawJson);
+  const counts = new Map();
+
+  for (const item of Object.values(data)) {
+    const license = item.licenses ?? "UNKNOWN";
+    counts.set(license, (counts.get(license) ?? 0) + 1);
+  }
+
+  return [...counts.entries()]
+    .sort((left, right) => {
+      if (right[1] !== left[1]) {
+        return right[1] - left[1];
+      }
+
+      return left[0].localeCompare(right[0]);
+    })
+    .map(([license, count]) => `${count.toString().padStart(3, " ")}  ${license}`)
+    .join("\n");
+}
+
 const backendPython = resolvePythonCommand(backendDir);
 
 rmSync(reportDir, { recursive: true, force: true });
 mkdirSync(reportDir, { recursive: true });
 
-writeReport(
-  "root-npm.json",
-  runAndCapture(
-    "npx",
-    [
-      "--yes",
-      npmLicenseTool,
-      "--json",
-      "--relativeLicensePath",
-      "--relativeModulePath",
-    ],
-    root,
-  ),
+const rootNpmJson = runAndCapture(
+  "npx",
+  [
+    "--yes",
+    npmLicenseTool,
+    "--json",
+    "--excludePrivatePackages",
+    "--relativeLicensePath",
+    "--relativeModulePath",
+  ],
+  root,
 );
 
-writeReport(
-  "root-npm-summary.txt",
-  runAndCapture("npx", ["--yes", npmLicenseTool, "--summary"], root),
-);
+writeReport("root-npm.json", rootNpmJson);
+writeReport("root-npm-summary.txt", summarizeNpmLicenses(rootNpmJson));
 
-writeReport(
-  "frontend-npm.json",
-  runAndCapture(
-    "npx",
-    [
-      "--yes",
-      npmLicenseTool,
-      "--json",
-      "--relativeLicensePath",
-      "--relativeModulePath",
-    ],
-    frontendDir,
-  ),
+const frontendNpmJson = runAndCapture(
+  "npx",
+  [
+    "--yes",
+    npmLicenseTool,
+    "--json",
+    "--excludePrivatePackages",
+    "--relativeLicensePath",
+    "--relativeModulePath",
+  ],
+  frontendDir,
 );
 
-writeReport(
-  "frontend-npm-summary.txt",
-  runAndCapture("npx", ["--yes", npmLicenseTool, "--summary"], frontendDir),
-);
+writeReport("frontend-npm.json", frontendNpmJson);
+writeReport("frontend-npm-summary.txt", summarizeNpmLicenses(frontendNpmJson));
 
 writeReport(
   "backend-python.json",
