From ee2f7627fe2a8ed5e2c87765f1b62b7518b4067c Mon Sep 17 00:00:00 2001 From: Michael Garvin Date: Thu, 19 Feb 2026 09:11:26 -0800 Subject: [PATCH] deps: @npmcli/package-json@7.0.5 --- DEPENDENCIES.md | 2 +- .../@npmcli/package-json/lib/license.js | 27 +++++++++++++++++++ .../package-json/lib/normalize-data.js | 4 +-- .../@npmcli/package-json/package.json | 8 +++--- package-lock.json | 10 +++---- package.json | 2 +- 6 files changed, 40 insertions(+), 13 deletions(-) create mode 100644 node_modules/@npmcli/package-json/lib/license.js
diff --git a/DEPENDENCIES.md b/DEPENDENCIES.md
index d01a61ae25bf5..44659b306a727 100644
--- a/DEPENDENCIES.md
+++ b/DEPENDENCIES.md
@@ -635,7 +635,7 @@ graph LR;
 npmcli-package-json-->npmcli-git["@npmcli/git"];
 npmcli-package-json-->proc-log;
 npmcli-package-json-->semver;
- npmcli-package-json-->validate-npm-package-license;
+ npmcli-package-json-->spdx-expression-parse;
 npmcli-promise-spawn-->which;
 npmcli-query-->postcss-selector-parser;
 npmcli-run-script-->node-gyp;
diff --git a/node_modules/@npmcli/package-json/lib/license.js b/node_modules/@npmcli/package-json/lib/license.js
new file mode 100644
index 0000000000000..6428e83730550
--- /dev/null
+++ b/node_modules/@npmcli/package-json/lib/license.js
@@ -0,0 +1,27 @@
+// This is an implementation of the validForNewPackage flag in validate-npm-package-license, which is no longer maintained
+
+const parse = require('spdx-expression-parse')
+
+function usesLicenseRef (ast) {
+ if (Object.hasOwn(ast, 'license')) {
+ return ast.license.startsWith('LicenseRef') || ast.license.startsWith('DocumentRef')
+ } else {
+ return usesLicenseRef(ast.left) || usesLicenseRef(ast.right)
+ }
+}
+
+// license should be a valid SPDX license expression (without "LicenseRef"), "UNLICENSED", or "SEE LICENSE IN "
+module.exports = function licenseValidForNewPackage (argument) {
+ if (argument === 'UNLICENSED' || argument === 'UNLICENCED') {
+ return true
+ }
+ if (/^SEE LICEN[CS]E IN ./.test(argument)) {
+ return true
+ }
+ try {
+ const ast = parse(argument)
+ return !usesLicenseRef(ast)
+ } catch {
+ return false
+ }
+}
diff --git a/node_modules/@npmcli/package-json/lib/normalize-data.js b/node_modules/@npmcli/package-json/lib/normalize-data.js
index 1c1a36984c5e9..7bd86b5f5bb64 100644
--- a/node_modules/@npmcli/package-json/lib/normalize-data.js
+++ b/node_modules/@npmcli/package-json/lib/normalize-data.js
@@ -2,7 +2,7 @@ const { URL } = require('node:url')
 const hostedGitInfo = require('hosted-git-info')
-const validateLicense = require('validate-npm-package-license')
+const validateLicense = require('./license.js')
 const typos = {
 dependancies: 'dependencies',
@@ -230,7 +230,7 @@ function normalizeData (data, changes) {
 changes?.push('No license field.')
 } else if (typeof (license) !== 'string' || license.length < 1 || license.trim() === '') {
 changes?.push('license should be a valid SPDX license expression')
- } else if (!validateLicense(license).validForNewPackages) {
+ } else if (!validateLicense(license)) {
 changes?.push('license should be a valid SPDX license expression')
 }
 // fixPeople
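Review bot: The file-reference check `/^SEE LICEN[CS]E IN ./` in licenseValidForNewPackage only requires one character after `IN ` and has no end anchor, so a value such as `'SEE LICENSE IN LICENSE\nanything else'` is accepted; the pattern in validate-npm-package-license was, as I recall, `/^SEE LICEN[CS]E IN (.+)$/`, which rejects a line break after the file name, so this is a small behavioural drift in what is meant to be a drop-in replacement. `if (/^SEE LICEN[CS]E IN .+$/.test(argument)) {` restores the end anchor (`.` already excludes line terminators). Separately, `usesLicenseRef(ast)` runs inside the `try`, so a TypeError from an AST shape the walker does not expect (a node with neither `license` nor `left`/`right` makes `Object.hasOwn(undefined, ...)` throw) is reported as "invalid license" instead of surfacing as a bug; limiting the `try` to the `parse` call keeps the catch to parse failures only. The comment above the export could also spell out the boolean contract, e.g. `// Returns true when the value is acceptable as the license of a new package: a LicenseRef-free SPDX expression, UNLICENSED, or a SEE LICENSE IN file reference`.
```javascript
module.exports = function licenseValidForNewPackage (argument) {
  // … unchanged: UNLICENSED / UNLICENCED check …
  if (/^SEE LICEN[CS]E IN .+$/.test(argument)) {
    return true
  }
  let ast
  try {
    ast = parse(argument)
  } catch {
    return false
  }
  return !usesLicenseRef(ast)
}
```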
diff --git a/node_modules/@npmcli/package-json/package.json b/node_modules/@npmcli/package-json/package.json
index 31aa68a6654dc..fe46d77edcb4d 100644
--- a/node_modules/@npmcli/package-json/package.json
+++ b/node_modules/@npmcli/package-json/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@npmcli/package-json",
- "version": "7.0.4",
+ "version": "7.0.5",
 "description": "Programmatic API to update package.json",
 "keywords": [
 "npm",
@@ -35,11 +35,11 @@
 "json-parse-even-better-errors": "^5.0.0",
 "proc-log": "^6.0.0",
 "semver": "^7.5.3",
- "validate-npm-package-license": "^3.0.4"
+ "spdx-expression-parse": "^4.0.0"
 },
 "devDependencies": {
 "@npmcli/eslint-config": "^6.0.0",
- "@npmcli/template-oss": "4.28.0",
+ "@npmcli/template-oss": "4.28.1",
 "tap": "^16.0.1"
 },
 "engines": {
@@ -47,7 +47,7 @@
 },
 "templateOSS": {
 "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
- "version": "4.28.0",
+ "version": "4.28.1",
 "publish": "true"
 },
 "tap": {
diff --git a/package-lock.json b/package-lock.json
index d0a676f332f50..6664e93adef6e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -89,7 +89,7 @@
 "@npmcli/fs": "^5.0.0",
 "@npmcli/map-workspaces": "^5.0.3",
 "@npmcli/metavuln-calculator": "^9.0.3",
- "@npmcli/package-json": "^7.0.4",
+ "@npmcli/package-json": "^7.0.5",
 "@npmcli/promise-spawn": "^9.0.1",
 "@npmcli/redact": "^4.0.0",
 "@npmcli/run-script": "^10.0.3",
@@ -1838,9 +1838,9 @@
 }
 },
 "node_modules/@npmcli/package-json": {
- "version": "7.0.4",
- "resolved": "https://registry.npmjs.org/@npmcli/package-json/-/package-json-7.0.4.tgz",
- "integrity": "sha512-0wInJG3j/K40OJt/33ax47WfWMzZTm6OQxB9cDhTt5huCP2a9g2GnlsxmfN+PulItNPIpPrZ+kfwwUil7eHcZQ==",
+ "version": "7.0.5",
+ "resolved": "https://registry.npmjs.org/@npmcli/package-json/-/package-json-7.0.5.tgz",
+ "integrity": "sha512-iVuTlG3ORq2iaVa1IWUxAO/jIp77tUKBhoMjuzYW2kL4MLN1bi/ofqkZ7D7OOwh8coAx1/S2ge0rMdGv8sLSOQ==",
 "inBundle": true,
 "license": "ISC",
 "dependencies": {
@@ -1850,7 +1850,7 @@
 "json-parse-even-better-errors": "^5.0.0",
 "proc-log": "^6.0.0",
 "semver": "^7.5.3",
- "validate-npm-package-license": "^3.0.4"
+ "spdx-expression-parse": "^4.0.0"
 },
 "engines": {
 "node": "^20.17.0 || >=22.9.0"
diff --git a/package.json b/package.json
index 7d952997281db..ebf4709de316a 100644
--- a/package.json
+++ b/package.json
@@ -57,7 +57,7 @@
 "@npmcli/fs": "^5.0.0",
 "@npmcli/map-workspaces": "^5.0.3",
 "@npmcli/metavuln-calculator": "^9.0.3",
- "@npmcli/package-json": "^7.0.4",
+ "@npmcli/package-json": "^7.0.5",
 "@npmcli/promise-spawn": "^9.0.1",
 "@npmcli/redact": "^4.0.0",
 "@npmcli/run-script": "^10.0.3",