by jorams 925 days ago
If you add a dependency without understanding the license that dependency is released under, you should stop doing that. That counts for every license, and particularly if there is no license.

It goes transitively though.

Some popular Go packages grab tens (sometimes over hundreds, but not as many as in the Node world) of dependencies.

NOBODY checks the licenses of all the transitive dependencies in the Go world.

What should or should not happen is one thing; this is the reality.

edit: oh, but that led me to google this

neat

https://github.com/google/go-licenses

Yes, that's why (apart from the Cyber Resilience Act) license scanners and SBOMs are a thing.
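One way to turn a scanner's report into a policy gate, as an added example that is not from this thread or from the go-licenses project: it parses constructed lines in the shape of `go-licenses csv` output (package, source URL, license name; the exact column layout and the "Unknown" marker are assumptions) and flags every package outside an allow list, treating a missing or undetectable license as a failure rather than a pass.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in the shape of `go-licenses csv ./...` output
// (package, source URL, license name). Not real scan results.
const sampleReport = `github.com/example/lib-a,https://github.com/example/lib-a/blob/main/LICENSE,MIT
github.com/example/lib-b,https://github.com/example/lib-b/blob/main/LICENSE,Apache-2.0
github.com/example/lib-c,https://github.com/example/lib-c/blob/main/LICENSE,GPL-3.0
github.com/example/lib-d,Unknown,Unknown
`

// Finding is one package whose license fails the policy.
type Finding struct {
	Package string
	License string
	Reason  string
}

// CheckLicenses parses the CSV lines and returns every package whose license
// is not in allowed. A missing or unrecognised license is reported on its own,
// because "no license" means all rights reserved, not free to use.
func CheckLicenses(report string, allowed map[string]bool) []Finding {
	var findings []Finding
	for _, line := range strings.Split(strings.TrimSpace(report), "\n") {
		fields := strings.Split(line, ",")
		if len(fields) != 3 {
			continue // malformed line; a real gate would log and fail on this
		}
		pkg, lic := fields[0], fields[2]
		switch {
		case lic == "" || lic == "Unknown":
			findings = append(findings, Finding{pkg, lic, "no detectable license"})
		case !allowed[lic]:
			findings = append(findings, Finding{pkg, lic, "license not in allow list"})
		}
	}
	return findings
}

func main() {
	allowed := map[string]bool{"MIT": true, "Apache-2.0": true, "BSD-3-Clause": true}
	for _, f := range CheckLicenses(sampleReport, allowed) {
		fmt.Printf("%s: %s (%s)\n", f.Package, f.License, f.Reason)
	}
}
```

In CI the same function would run over the real report and fail the build when it returns any findings.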