chore: auto-generate LICENSE-3rdparty.csv file

[watson]

What does this PR do?

• Update LICENSE-3rdparty.csv with auto-generated version that doesn't include dev-dependencies, but does include sub-dependencies (which the manually maintained version didn't)
• Append a manually maintained list of vendored dependencies to the end of LICENSE-3rdparty.csv (similar to the manually maintained file rows in the old version of LICENSE-3rdparty.csv). Note that the row for the previously vendored profile.proto dependency has been removed in this PR, as the vendored dependency was apparently deleted long ago
• Update scripts/check_licenses.js to support new file format

To-do:

• Update scripts/check_licenses.js to work with this new format
• Fix issue in dd-license-attribution with root package incorrectly being named the repo url instead of the name from package.json (this should have been addressed by Extract Node.js root package metadata from package.json dd-license-attribution#120, but something isn't working as expected)
• Add CI step to update LICENSE-3rdparty.csv directly in a PR whos yarn.lock file is modified (otherwise this will block Dependabot PRs)
• Determine if scripts/check_licenses.js should also validate sub-dependencies
• Figure out (and fix) why running dd-license-attribution sometimes fails to fetch the copyright and adds a git+ prefix to the url
• Determine if dropping support for file in the old format is ok
• Either use a fine grained GITHUB_TOKEN with the permissions content-read and metadata-read and access to the internal repo openfeature-js-client (issue: it will expire after max 30 days) or alternatively look into open sourcing openfeature-js-client (preferable, if it doesn't contain any secrets)
• Wait for dd-trace-js-license-attribution-read policy to be made available (https://github.com/DataDog/.github/pull/77)

Motivation

With the recent addition of support for the dd-trace-js repo in https://github.com/DataDog/dd-license-attribution, we can now generate this file automatically. This comes with the following benefits:

• Allows us to include sub-dependencies in the LICENSE-3rdparty.csv file
• Allows us to always keep url, license and copyright columns up to date, even if they change after the dependency is first added

Additional Notes

The following command was used to generate the LICENSE-3rdparty.csv file:

dd-license-attribution generate-sbom-csv \
  --no-scancode-strategy \
  --no-github-sbom-strategy \
  https://github.com/datadog/dd-trace-js > LICENSE-3rdparty.csv

The following PRs to dd-license-attribution were prerequisites for this PR:

• Follow redirects for GitHub repositories dd-license-attribution#117
• Extract Node.js root package metadata from package.json dd-license-attribution#120
• Add Yarn package manager support to npm collection strategy dd-license-attribution#123
• Fix setting root package name for npm strategy dd-license-attribution#131

Note on testing

This workflow cannot be tested until it lands in master due to security constraints. The workflow uses pull_request_target instead of pull_request, which means it runs using the workflow definition from the base branch (master) rather than from the PR branch. This is necessary to satisfy the trust policy for the dd-octo-sts-action, which requires that the workflow run in the context of the protected master branch (ref: refs/heads/master, ref_protected: "true"). This security design prevents attackers from modifying the workflow in a malicious PR to exfiltrate the STS token. Once merged to master, the workflow will automatically run on all subsequent PRs that modify yarn.lock, and will check out and analyze the PR's code while maintaining the security guarantees of running the trusted workflow definition from master.

[watson]

• chore: auto-generate LICENSE-3rdparty.csv file #6968 👈 (View in Graphite)
• master

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

Overall package size

Self size: 13.42 MB
Deduped: 113.61 MB
No deduping: 128.63 MB

Dependency sizes

| name | version | self size | total size | |------|---------|-----------|------------| | @datadog/libdatadog | 0.7.0 | 35.02 MB | 35.02 MB | | @datadog/native-appsec | 10.3.0 | 20.73 MB | 20.74 MB | | @datadog/pprof | 5.12.0 | 11.19 MB | 11.57 MB | | @datadog/native-iast-taint-tracking | 4.1.0 | 9.01 MB | 9.02 MB | | @opentelemetry/resources | 1.30.1 | 557.67 kB | 7.71 MB | | @opentelemetry/core | 1.30.1 | 908.66 kB | 7.16 MB | | protobufjs | 7.5.4 | 2.95 MB | 5.83 MB | | @datadog/wasm-js-rewriter | 5.0.1 | 2.82 MB | 3.53 MB | | @datadog/native-metrics | 3.1.1 | 1.02 MB | 1.43 MB | | @opentelemetry/api-logs | 0.208.0 | 199.48 kB | 1.42 MB | | @opentelemetry/api | 1.9.0 | 1.22 MB | 1.22 MB | | jsonpath-plus | 10.3.0 | 617.18 kB | 1.08 MB | | import-in-the-middle | 1.15.0 | 127.66 kB | 856.24 kB | | lru-cache | 10.4.3 | 804.3 kB | 804.3 kB | | @datadog/openfeature-node-server | 0.2.0 | 118.51 kB | 437.19 kB | | opentracing | 0.14.7 | 194.81 kB | 194.81 kB | | source-map | 0.7.6 | 185.63 kB | 185.63 kB | | pprof-format | 2.2.1 | 163.06 kB | 163.06 kB | | @datadog/sketches-js | 2.1.1 | 109.9 kB | 109.9 kB | | @isaacs/ttlcache | 2.1.2 | 90.79 kB | 90.79 kB | | lodash.sortby | 4.7.0 | 75.76 kB | 75.76 kB | | ignore | 7.0.5 | 63.38 kB | 63.38 kB | | istanbul-lib-coverage | 3.2.2 | 34.37 kB | 34.37 kB | | rfdc | 1.4.1 | 27.15 kB | 27.15 kB | | dc-polyfill | 0.1.10 | 26.73 kB | 26.73 kB | | tlhunter-sorted-set | 0.1.0 | 24.94 kB | 24.94 kB | | shell-quote | 1.8.3 | 23.74 kB | 23.74 kB | | limiter | 1.1.5 | 23.17 kB | 23.17 kB | | retry | 0.13.1 | 18.85 kB | 18.85 kB | | semifies | 1.0.0 | 15.84 kB | 15.84 kB | | jest-docblock | 29.7.0 | 8.99 kB | 12.76 kB | | crypto-randomuuid | 1.0.0 | 11.18 kB | 11.18 kB | | ttl-set | 1.0.0 | 4.61 kB | 9.69 kB | | mutexify | 1.4.0 | 5.71 kB | 8.74 kB | | path-to-regexp | 0.1.12 | 6.6 kB | 6.6 kB | | module-details-from-path | 1.0.4 | 3.96 kB | 3.96 kB | | escape-string-regexp | 5.0.0 | 3.66 kB | 3.66 kB |

_{🤖 This report was automatically generated by heaviest-objects-in-the-universe}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.94%. Comparing base (25fa1e4) to head (630cc07).

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #6968   +/-   ##
=======================================
  Coverage   84.94%   84.94%           
=======================================
  Files         514      514           
  Lines       21754    21754           
=======================================
  Hits        18478    18478           
  Misses       3276     3276           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-11-28 11:01:42

Comparing candidate commit 630cc07 in PR branch watson/auto-gen-license-csv with baseline commit 25fa1e4 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 288 metrics, 32 unstable metrics.