by jonathanoliver 1472 days ago
One other area that can be complicated surrounding dependencies is licensing. Specifically, you use a library imported from PIP/NPM/Maven/NuGet/etc. and maybe, if you are a diligent dev, you review the license. If you're lucky it's MIT or some other compatible version for your use case. But did you review the dependencies of this new dependency? What about their licenses?

Okay, now fast forward a few years: is the open source dependency still [original license flavor] or is the license now more restrictive? What about the updated dependencies of this single, imported dependency?

Now suppose you have an executable that's made available: do you properly have the accompanying license files that (at a minimum) give attribution?

Generally speaking, we import dependencies to help make things better and to get back to focusing on the main portion of our application. At the same time, each imported dependency has an ongoing management factor.

...and don't get me started on the diamond dependency problem which still exists despite any given package manager's best efforts and is one of the reasons we have SemVer which we hope is followed by the developers of that dependency.

1 comments

Rather than reviewing any licenses, you should incorporate a license check in your build. I did this in a Gradle project recently, and it was pretty easy:

https://hg.sr.ht/~twic/lambda-property-matcher/rev/53ef7eb30...

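What a build-time license gate of the kind described in the comment above looks like, covering both the transitive "dependencies of your dependency" question from the original post and the attribution-file point. This is an added example, not code from the thread or from the linked Gradle project; the dependency graph, package names and license strings are constructed sample data, and in a real build you would populate the graph from the package manager's lock file or metadata (for pip, `importlib.metadata`; for npm, `package-lock.json`).

```python
"""Transitive-dependency license check that can fail a build.

Added example, not code from the thread or the linked project. SAMPLE_GRAPH
is constructed sample metadata standing in for what a lock file or package
metadata would give you; the policy set is an assumption for a project that
ships permissively licensed or proprietary binaries.
"""
from collections import deque

# Constructed sample metadata: name -> (version, license, direct dependencies).
# "tlsutil" is two levels down and copyleft; "cli-helper" has no readable license.
SAMPLE_GRAPH = {
    "webframework": ("2.1.0", "MIT", ["httpclient", "templating"]),
    "httpclient":   ("1.4.2", "Apache-2.0", ["tlsutil"]),
    "templating":   ("0.9.0", "BSD-3-Clause", ["tlsutil"]),
    "tlsutil":      ("3.0.1", "GPL-3.0-only", []),
    "cli-helper":   ("1.0.0", "UNKNOWN", []),
}

# Policy (assumed): licenses this project is willing to ship with.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}


def transitive_closure(graph, roots):
    """Return {name: path} for every package reachable from the roots.

    path is the chain of names that pulled the package in, so the report can
    say *why* a problematic license is present, not just that it is.
    """
    seen = {}
    queue = deque((root, [root]) for root in roots)
    while queue:
        name, path = queue.popleft()
        if name in seen:
            continue
        if name not in graph:
            # A package with no metadata cannot be assessed; fail loudly.
            raise KeyError(f"no metadata for {name}; cannot assess its license")
        seen[name] = path
        for dep in graph[name][2]:
            queue.append((dep, path + [dep]))
    return seen


def check_licenses(graph, roots, allowed):
    """Return sorted (name, version, license, path) tuples that violate policy.

    Unknown or missing license strings count as violations: terms you cannot
    read are terms you cannot comply with.
    """
    violations = []
    for name, path in transitive_closure(graph, roots).items():
        version, lic, _ = graph[name]
        if lic not in allowed:
            violations.append((name, version, lic, path))
    return sorted(violations)


def attribution_notice(graph, roots):
    """Build NOTICE-style text to ship alongside the binary: one line per
    transitively included package with its version and license."""
    lines = ["Third-party components:"]
    for name in sorted(transitive_closure(graph, roots)):
        version, lic, _ = graph[name]
        lines.append(f"  {name} {version} ({lic})")
    return "\n".join(lines)


def build_gate(graph, roots, allowed):
    """Return True if the build may proceed; print the reasons if not."""
    violations = check_licenses(graph, roots, allowed)
    for name, version, lic, path in violations:
        print(f"BLOCKED: {name} {version} is {lic}, pulled in via {' -> '.join(path)}")
    return not violations


if __name__ == "__main__":
    roots = ["webframework", "cli-helper"]
    ok = build_gate(SAMPLE_GRAPH, roots, ALLOWED_LICENSES)
    print(attribution_notice(SAMPLE_GRAPH, roots))
    raise SystemExit(0 if ok else 1)
```

Run against the sample graph, the gate blocks on `tlsutil` (GPL-3.0-only, reached only through `httpclient` and `templating`) and on `cli-helper` (no readable license), and the printed path answers the "which dependency of which dependency?" question. Rerunning the same check on every build, rather than once at import time, is what catches the license change "a few years later" that the original post describes.
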
Why make it so difficult? Just make your project AGPL and stop worrying about other OSS license compatibility.

Because I'd like my software to be useful to normal people.

Because AGPL implies many things not all developers want associated with their project?

Yes, due to their virality, GPL-flavored licenses tend to be the "top type" that you can just cast the top-level project to and call it a day, but try convincing your corporate boss to AGPL your money-making product. That's gonna go about as well as is predictable.

Then that's not the company you want to work for.

AGPL isn't even compatible with GPLv2, so you still have to worry about OSS license compatibility. So given that you have to worry anyway, you might as well pick a less obnoxious license.