Add automated dependency license checking #659
Description
Context
As part of an OSS license due diligence review, we found that this repository has no automated mechanism to verify that dependency licenses are acceptable. The restate server (Rust) and sdk-java repos already have automated license gates — this issue tracks adding the equivalent for the TypeScript SDK.
Recommended approach
Option A: license-checker (simplest)
Add a script to the root package.json:
{
"scripts": {
"check-licenses": "npx license-checker --onlyAllow 'MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC;0BSD;CC0-1.0;CC-BY-3.0;CC-BY-4.0;Unlicense;Python-2.0;BlueOak-1.0.0' --production"
}
}The --production flag limits checking to production deps only (dev deps like build tools don't ship).
Option B: allowed-licenses (pnpm-native)
allowed-licenses has native pnpm workspace support. Add a .allowed-licenses.json:
{
"licenses": [
"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause",
"ISC", "0BSD", "CC0-1.0", "CC-BY-3.0", "CC-BY-4.0",
"Unlicense", "Python-2.0", "BlueOak-1.0.0"
],
"packages": {}
}Add CI step
Add a license check step to the existing test workflow (.github/workflows/test.yml) or a new dedicated workflow:
- name: Check dependency licenses
run: pnpm run check-licensesWhy this matters
This repository publishes multiple @restatedev/* npm packages. While Restate doesn't bundle transitive deps (npm resolves them at install time), ensuring the published dependency tree is free of strong copyleft licenses (GPL, AGPL, SSPL) protects both Restate and its users.
Current state (as of 2026-03-16)
All production dependencies are permissively licensed. Some dev-only dependencies have dual licenses with copyleft options (e.g., node-forge — BSD-3-Clause OR GPL-2.0, pulled in via optional wrangler peer dep), but these don't ship. This is purely a preventive measure.