
Is it possible to exclude/filter out sub-dependencies?


raymond....@replicon.com

Jul 13, 2017, 12:50:36 PM
to license-finder
Hello, 

Is there a way to filter out or exclude sub-dependencies from license-finder results (ruby project).  Right now I'm just cross referencing by hand between the gemfile and the gemfile.lock, and removing any license that is a sub dependency but this is proving to be unsustainable. 

Eventually we want to track licenses for sub-dependencies, but for now, we're only concerning ourselves with managing direct dependencies that we've specifically and deliberately included in the project.

Thanks, 

Ray






Mike Dalessio

Jul 14, 2017, 7:33:18 AM
to raymond....@replicon.com, license-finder
Hi Raymond,

Thanks for asking this question. Unfortunately, the answer is no.

License Finder was written with input from lawyers representing several large consulting and product corporations, and their opinion seems to be that it's not legally meaningful to track only a subset of dependencies. You may want to get your own legal advice on this aspect of your work.

-m



raymond....@replicon.com

Jul 14, 2017, 11:21:43 AM
to license-finder, raymond....@replicon.com
Hi Mike, 

Thanks for that! You're right, the distinction probably isn't relevant ultimately. We're a relatively large SaaS product, but this is our first experience with a very large law firm wanting to track dependencies for OSS.

Follow-Up Questions:

1) Can you recommend any resources on multi-platform dependency management at scale? So far I've found the following:
2) Is this project still active and seeking contributors? Seems awfully quiet, which I find surprising as we found this tool incredibly helpful...


Kim Dykeman

Jul 17, 2017, 5:58:30 PM
to raymond....@replicon.com, license-finder
Hi Raymond,

Following-up on your questions:
1) I'm not sure if this is the type of thing you're looking for, but I've heard good things about Bazel, which takes the approach of requiring explicit declaration of dependencies - https://bazel.build/

2) The project is still active, albeit it does occasionally suffer from divided attention. There are a good number of package managers we'd like to add support for, and a good number of feature requests. Contributions/Contributors are definitely welcome. Pull requests work best as merging can be gated on a successful run through CI.
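
Added example, not part of the thread and not License Finder code: the by-hand cross-reference between the Gemfile and Gemfile.lock described in the first post can be scripted from the lockfile alone, because its DEPENDENCIES section lists the gems declared directly in the Gemfile. This Ruby sketch keeps the full inventory and only tags each row as direct or transitive; the sample lockfile, the license rows and the function names are constructed for illustration.

```ruby
require "set"
# Constructed sample Gemfile.lock; gem versions are illustrative only.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mustermann (1.0.0)
      rack (2.0.3)
      rack-protection (2.0.0)
        rack
      sinatra (2.0.0)
        mustermann (~> 1.0)
        rack (~> 2.0)
        rack-protection (= 2.0.0)
        tilt (~> 2.0)
      tilt (2.0.7)

  DEPENDENCIES
    rack (~> 2.0)
    sinatra
LOCK

# Constructed [name, license] rows standing in for a full license inventory.
SAMPLE_ROWS = [%w[sinatra MIT], %w[rack MIT], %w[tilt MIT], %w[rack-protection MIT], %w[bundler MIT]]

# Returns [Set of direct gem names, { gem name => locked version }].
def parse_lockfile(text)
  section, direct, locked = nil, Set.new, {}
  text.each_line(chomp: true) do |line|
    if line.match?(/\A[A-Z][A-Z ]*\z/) # section header such as GEM or DEPENDENCIES
      section = line
    elsif section == "DEPENDENCIES" && (m = line.match(/\A {2}([^\s!(]+)/))
      direct << m[1] # a trailing "!" (pinned source) is not part of the name
    elsif %w[GEM GIT PATH].include?(section) && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      locked[m[1]] = m[2] # 4-space lines are resolved specs; 6-space lines are their requirements
    end
  end
  [direct, locked]
end

# Tags every inventory row with its scope; no row is dropped.
def tag_inventory(rows, lock_text)
  direct, locked = parse_lockfile(lock_text)
  rows.map do |name, license|
    scope = direct.include?(name) ? "direct" : (locked.key?(name) ? "transitive" : "not-in-lockfile")
    { name: name, version: locked[name], license: license, scope: scope }
  end
end

tag_inventory(SAMPLE_ROWS, SAMPLE_LOCK).each { |r| puts r.values.join("\t") }
```

Rows tagged `not-in-lockfile` are worth a manual look, since they appear in the inventory without a locked version to tie them to.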