License cleanup: remove controllable LGPL transitive paths and refresh NOTICE #6434
Open
bobsummerwill wants to merge 4 commits into strato-net:develop from
Conversation
Record analysis outcome for mercata/ui dependency chain (@base-org/account -> @coinbase/cdp-sdk -> @solana/web3.js -> rpc-websockets) and link to upstream issue coinbase/cdp-sdk#620 for migration tracking.
…h NOTICE

Analysis summary:
- Re-assessed Apache-only compatibility appendix in NOTICE against current lockfiles after dependency cleanup.
- Confirmed mercata/ethereum no longer needs @nomicfoundation/hardhat-toolbox aggregate for active workflows (compile/deploy/verify/scan).
- Replaced toolbox with explicit plugins used by the project: @nomicfoundation/hardhat-ethers, @nomicfoundation/hardhat-verify, and ethers; retained @openzeppelin/hardhat-upgrades.
- Regenerated mercata/ethereum/package-lock.json via npm install and verified compile succeeds with the new plugin set.

License/compliance impact:
- Removed solidity-coverage -> web3-utils (LGPL-3.0) transitive path from mercata/ethereum lockfile.
- Updated NOTICE to remove stale solidity-coverage and web3-utils package notices and removed obsolete Appendix item for that path.
- Refreshed remaining NOTICE appendix evidence line references and priority list for currently present risks (rapidsnark, rpc-websockets via CDP/Solana path, and sharp/libvips optional path).
- Preserved upstream tracking note for Coinbase CDP SDK migration issue: coinbase/cdp-sdk#620

…h NOTICE

Analysis and actions:
- Confirmed sharp/libvips LGPL path in mercata/ui was introduced transitively via next optional dependency on sharp.
- Verified mercata/ui is Vite-driven and does not require Next runtime for current build workflow.
- Removed next from mercata/ui/package.json and regenerated package-lock.json.
- Revalidated dependency graph: sharp and @img/sharp* (including sharp-libvips LGPL packages) are no longer present in lockfiles.

NOTICE updates:
- Removed obsolete package notices for sharp and @img/sharp* entries.
- Removed obsolete audit appendix item for sharp/libvips path.
- Refreshed rpc-websockets evidence line references after lockfile changes.
- Updated rpc-websockets recommendation to reflect current action: track Coinbase CDP SDK upstream migration (issue strato-net#620).
- Reordered priority list per current policy (rapidsnark first, Coinbase migration second).
Update license audit appendix refresh date to 2026-03-05 and add current-scope note reflecting latest dependency cleanup (two remaining high-risk items: rapidsnark and rpc-websockets path).
### Summary

This PR delivers a focused license/compliance cleanup across `mercata/ui`, `mercata/ethereum`, and `NOTICE`. It removes obsolete LGPL transitive paths we can control today, keeps tracking for the upstream Coinbase/Solana path we cannot yet remove, and refreshes the WORK IN PROGRESS audit appendix to current state.

### What Changed

1) `mercata/ethereum`: remove `web3-utils` LGPL path via toolbox aggregate
- Removed `@nomicfoundation/hardhat-toolbox` from `devDependencies`.
- Added the explicit plugins the project uses: `@nomicfoundation/hardhat-ethers`, `@nomicfoundation/hardhat-verify`, `ethers`.
- Updated `hardhat.config.js` plugin imports accordingly.
- Regenerated `mercata/ethereum/package-lock.json`.

Impact: removed the `solidity-coverage -> web3-utils (LGPL-3.0)` transitive path.

2) `mercata/ui`: remove `sharp`/libvips optional LGPL path
- Removed `next` from `mercata/ui/package.json` (UI is Vite-based; Next runtime not used in active scripts/workflow).
- Regenerated `mercata/ui/package-lock.json`.

Impact: removed `sharp` and `@img/sharp-libvips-*` optional packages from lockfile.

3) `NOTICE`: extensive refresh and de-staling
- Removed `solidity-coverage` and `web3-utils` package notices after ethereum cleanup.
- Removed `sharp`/`@img/sharp*` package notices after UI cleanup.

### Remaining High-Risk Items (post-cleanup)

As reflected in `NOTICE` WIP appendix:
- `strato/libs/groth16-rapidsnark/vendor/rapidsnark` (LGPL-3.0)
- `mercata/ui`: `rpc-websockets` (LGPL-3.0-only) via `@base-org/account -> @coinbase/cdp-sdk -> @solana/web3.js`

### Verification Performed

- `mercata/ethereum`: `npm run compile` succeeds with explicit plugin set.
- `mercata/ui`: `npm run build` succeeds after removing `next`.
- No `solidity-coverage`/`web3-utils` in `mercata/ethereum/package-lock.json`.
- No `sharp`/`@img/sharp*` in `mercata/ui/package-lock.json`.

### Files Changed

- `NOTICE`
- `mercata/ethereum/package.json`
- `mercata/ethereum/hardhat.config.js`
- `mercata/ethereum/package-lock.json`
- `mercata/ui/package.json`
- `mercata/ui/package-lock.json`
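As an added illustration of the lockfile check that the verification step above performs by hand, and not code from this PR or from the strato-net repository, the Node script below parses an npm lockfile's `packages` map (lockfileVersion 2/3), resolves each dependency the way npm nests it under `node_modules`, and reports every install path that ends in a package whose declared `license` matches a pattern such as LGPL, together with the root-level dependency that path hangs off and whether any `optionalDependencies` edge was crossed. The lockfile embedded in it is constructed for the example: its package versions and license strings are assumptions chosen to mirror the two chains described in this PR (the `@base-org/account` chain and the `next -> sharp -> @img/sharp-libvips-*` chain), not the real `mercata/ui` lockfile. Dropping `next` from the root, as the PR does, removes the second chain while the first remains because its root dependency is still needed.

```javascript
// Added example, not part of the PR or project. Audits an npm lockfile
// (lockfileVersion 2/3 "packages" map) for install paths ending in a package
// whose declared license matches a pattern. SAMPLE_LOCK is constructed for
// this example; versions and license strings are assumptions.

const SAMPLE_LOCK = JSON.stringify({
  name: "ui-example",
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { "@base-org/account": "^1.0.0", next: "^14.0.0" },
      devDependencies: { vite: "^5.0.0" },
    },
    "node_modules/@base-org/account": { version: "1.0.0", license: "MIT",
      dependencies: { "@coinbase/cdp-sdk": "^1.0.0" } },
    "node_modules/@coinbase/cdp-sdk": { version: "1.0.0", license: "MIT",
      dependencies: { "@solana/web3.js": "^1.90.0" } },
    "node_modules/@solana/web3.js": { version: "1.90.0", license: "MIT",
      dependencies: { "rpc-websockets": "^9.0.0", ws: "^8.0.0" } },
    // nested copy: npm placed this ws under @solana/web3.js rather than at top level
    "node_modules/@solana/web3.js/node_modules/ws": { version: "8.0.0", license: "MIT" },
    "node_modules/rpc-websockets": { version: "9.0.0", license: "LGPL-3.0-only" },
    "node_modules/next": { version: "14.0.0", license: "MIT",
      optionalDependencies: { sharp: "^0.33.0" } },
    "node_modules/sharp": { version: "0.33.0", license: "Apache-2.0", optional: true,
      optionalDependencies: { "@img/sharp-libvips-linux-x64": "1.0.0" } },
    "node_modules/@img/sharp-libvips-linux-x64": { version: "1.0.0", optional: true,
      license: "LGPL-3.0-or-later" },
    "node_modules/vite": { version: "5.0.0", license: "MIT", dev: true },
  },
});

// npm resolves a require of `name` from package `fromKey` to the nearest
// enclosing node_modules directory that contains it, so walk up the nesting
// chain until a matching lockfile key exists. Returns null if not installed.
function resolveDep(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Install edges leaving `key`; optionalDependencies edges are marked so a
// finding can say whether it is only pulled in on some platforms.
function edges(packages, key) {
  const pkg = packages[key];
  const groups = [["dependencies", false], ["optionalDependencies", true], ["peerDependencies", false]];
  if (key === "") groups.push(["devDependencies", false]);
  const out = [];
  for (const [group, optional] of groups) {
    for (const name of Object.keys(pkg[group] || {})) {
      const target = resolveDep(packages, key, name);
      if (target) out.push({ key: target, optional }); // absent optional deps are simply not installed
    }
  }
  return out;
}

// Package name from a lockfile key, e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function packageName(key) {
  return key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Depth-first walk from the root; every path reaching a package whose license
// matches `licensePattern` becomes one finding (the same package may appear
// once per distinct path). `seen` is per-branch to cut dependency cycles.
function findLicensePaths(lockJson, licensePattern) {
  const { packages } = JSON.parse(lockJson);
  const findings = [];
  function walk(key, path, optional, seen) {
    for (const edge of edges(packages, key)) {
      if (seen.has(edge.key)) continue;
      const name = packageName(edge.key);
      const nextPath = path.concat(name);
      const nextOptional = optional || edge.optional;
      const license = packages[edge.key].license || "UNKNOWN";
      if (licensePattern.test(license)) {
        findings.push({ package: name, license, path: nextPath, optional: nextOptional, rootDependency: nextPath[0] });
      }
      walk(edge.key, nextPath, nextOptional, new Set(seen).add(edge.key));
    }
  }
  walk("", [], false, new Set([""]));
  return findings;
}

// Simulate removing a direct dependency from package.json: without the root
// edge, anything reachable only through it is no longer on any install path
// (npm install would then prune it from the lockfile).
function withoutRootDependency(lockJson, name) {
  const lock = JSON.parse(lockJson);
  for (const group of ["dependencies", "devDependencies", "optionalDependencies"]) {
    if (lock.packages[""][group]) delete lock.packages[""][group][name];
  }
  return JSON.stringify(lock);
}

function formatFindings(findings) {
  return findings.map((f) =>
    `${f.license}${f.optional ? " (optional)" : ""}: ${f.path.join(" -> ")}  [root dep: ${f.rootDependency}]`);
}

console.log("before:\n" + formatFindings(findLicensePaths(SAMPLE_LOCK, /LGPL/i)).join("\n"));
console.log("after dropping next:\n" +
  formatFindings(findLicensePaths(withoutRootDependency(SAMPLE_LOCK, "next"), /LGPL/i)).join("\n"));
```

To run it against a real tree, replace `SAMPLE_LOCK` with the contents of `package-lock.json`; the `rootDependency` field tells you which entry in your own `package.json` a path is controllable through, and a path whose root dependency cannot be dropped is the kind that has to be tracked upstream instead. Packages with no `license` field are reported as `UNKNOWN`, which is worth matching explicitly in an audit.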