is AGPL-3.0 license used here is intentional?

[MohsinQK]

Question
Is AGPL-3.0 license used intentionally here? because in some security scanning tools this is reported as a critical issue, but as other TYPO3 extensions use Other license type which have no issue with security scanners, I have attached a screenshot for more detail.

Additional information

[CybotTM]

Yes, it is.

What's the issue exactly?

There should be no issues with it, it is easy to comply. Use it freely, if you make modifications, share them (PR). That's all.

[MohsinQK]

So this is a false positive from the security scanner? because I have this extension installed only in my project, without any modifications.
I flagged this because Scanner found all other extensions fine except this one.

[CybotTM]

Thanks for the question — and yes, this is expected.

✅ The AGPL-3.0 license is intentional

This extension is published under the GNU Affero General Public License v3.0 (AGPL-3.0) by design.
Some compliance or security scanners flag AGPL as “critical”, but that is a licensing/policy classification, not a security vulnerability.

---

What does this mean in practice?

1. Using the extension as-is is fine

If you use this extension unmodified, you can include and run it like any other standard open-source dependency.

There is no obligation to publish your own application code just because you use it.

---

2. Obligations only apply if you modify the extension itself

The AGPL requirements are triggered if you:

• change the extension code, and
• deploy/distribute that modified version (including providing it as part of a hosted service)

In that case, you are simply required to make the modifications to this extension available under the same license.

This does not mean you must open-source your entire TYPO3 project.

---

3. Sharing modifications is straightforward

In practice, compliance is usually as simple as:

• contributing your changes back via a Pull Request, or
• providing the modified source code alongside your deployment

That’s all.

---

Why do scanners call this “critical”?

Many scanners treat strong copyleft licenses (AGPL/GPL) as “high risk” because of potential legal obligations — not because of technical issues.

So this should be handled as a legal/compliance decision, not a security defect.

---

Will the license change?

No — we currently have no plans to relicense this extension under a more permissive license.

If your organization cannot use AGPL-licensed components due to internal policy, you will need to choose an alternative solution.