From ed4c3aef758969c30f7487a22c6d0384f422a17f Mon Sep 17 00:00:00 2001 From: Thomas Watson Date: Sat, 22 Nov 2025 11:43:45 +0100 Subject: [PATCH 1/6] chore: auto-generate `LICENSE-3rdparty.csv` file The file was previously maintained manually, which could easily lead to errors as the only thing validated was that the expected packages were referenced, not that the url, license or copyright information was correct. With the recent addition of support for the `dd-trace-js` repo in https://github.com/DataDog/dd-license-attribution, we can now generate this file automatically. --- LICENSE-3rdparty.csv | 161 ++++++++++++++++++++----------------------- 1 file changed, 73 insertions(+), 88 deletions(-) diff --git a/LICENSE-3rdparty.csv b/LICENSE-3rdparty.csv index 4e252f726f1..00b829f8bb2 100644 --- a/LICENSE-3rdparty.csv +++ b/LICENSE-3rdparty.csv 
@@ -1,88 +1,73 @@ -Component,Origin,License,Copyright -require,@datadog/libdatadog,Apache license 2.0,Copyright 2024 Datadog Inc. -require,@datadog/native-appsec,Apache license 2.0,Copyright 2018 Datadog Inc. -require,@datadog/native-metrics,Apache license 2.0,Copyright 2018 Datadog Inc. -require,@datadog/native-iast-taint-tracking,Apache license 2.0,Copyright 2018 Datadog Inc. -require,@datadog/openfeature-node-server,Apache license 2.0,Copyright 2024 Datadog Inc. -require,@datadog/pprof,Apache license 2.0,Copyright 2019 Google Inc. -require,@datadog/sketches-js,Apache license 2.0,Copyright 2020 Datadog Inc. -require,@datadog/wasm-js-rewriter,Apache license 2.0,Copyright 2018 Datadog Inc. -require,@opentelemetry/api,Apache license 2.0,Copyright OpenTelemetry Authors -require,@opentelemetry/api-logs,Apache license 2.0,Copyright OpenTelemetry Authors -require,@opentelemetry/core,Apache license 2.0,Copyright OpenTelemetry Authors -require,@opentelemetry/resources,Apache license 2.0,Copyright OpenTelemetry Authors -require,@isaacs/ttlcache,Blue Oak,Copyright Isaac Z. Schlueter and Contributors -require,crypto-randomuuid,MIT,Copyright 2021 Node.js Foundation and contributors -require,dc-polyfill,MIT,Copyright 2023 Datadog Inc. -require,escape-string-regexp,MIT,Copyright Sindre Sorhus -require,ignore,MIT,Copyright 2013 Kael Zhang and contributors -require,import-in-the-middle,Apache license 2.0,Copyright 2021 Datadog Inc. -require,istanbul-lib-coverage,BSD-3-Clause,Copyright 2012-2015 Yahoo! Inc. -require,jest-docblock,MIT,Copyright Meta Platforms, Inc. and affiliates. -require,jsonpath-plus,MIT,Copyright (c) 2011-2019 Stefan Goessner, Subbu Allamaraju, Mike Brevoort, Robert Krahn, Brett Zamir, Richard Schneider -require,limiter,MIT,Copyright 2011 John Hurliman -require,lodash.sortby,MIT,Copyright JS Foundation and other contributors -require,lru-cache,ISC,Copyright (c) 2010-2022 Isaac Z. 
Schlueter and Contributors -require,module-details-from-path,MIT,Copyright 2016 Thomas Watson Steen -require,mutexify,MIT,Copyright (c) 2014 Mathias Buus -require,opentracing,MIT,Copyright 2016 Resonance Labs Inc -require,path-to-regexp,MIT,Copyright 2014 Blake Embrey -require,pprof-format,MIT,Copyright 2022 Stephen Belanger -require,protobufjs,BSD-3-Clause,Copyright 2016 Daniel Wirtz -require,tlhunter-sorted-set,MIT,Copyright (c) 2023 Datadog Inc. -require,retry,MIT,Copyright 2011 Tim Koschützki Felix Geisendörfer -require,rfdc,MIT,Copyright 2019 David Mark Clements -require,semifies,Apache license 2.0,Copyright Authors -require,shell-quote,mit,Copyright (c) 2013 James Halliday -require,source-map,BSD-3-Clause,Copyright (c) 2009-2011, Mozilla Foundation and contributors -require,ttl-set,MIT,Copyright (c) 2024 Thomas Watson -dev,@babel/helpers,MIT,Copyright (c) 2014-present Sebastian McKenzie and other contributors -dev,@types/chai,MIT,Copyright (c) Microsoft Corp. -dev,@types/mocha,MIT,Copyright (c) Microsoft Corp. -dev,@types/node,MIT,Copyright (c) Microsoft Corp. -dev,@types/sinon,MIT,Copyright (c) Microsoft Corp. -dev,@types/tap,MIT,Copyright (c) Microsoft Corp. 
-dev,@eslint/eslintrc,MIT,Copyright OpenJS Foundation and other contributors, -dev,@eslint/js,MIT,Copyright OpenJS Foundation and other contributors, -dev,@msgpack/msgpack,ISC,Copyright 2019 The MessagePack Community -dev,@openfeature/core,Apache-2.0,Copyright OpenFeature Authors -dev,@openfeature/server-sdk,Apache-2.0,Copyright OpenFeature Authors -dev,@stylistic/eslint-plugin,MIT,Copyright OpenJS Foundation and other contributors, -dev,axios,MIT,Copyright 2014-present Matt Zabriskie -dev,benchmark,MIT,Copyright 2010-2016 Mathias Bynens Robert Kieffer John-David Dalton -dev,body-parser,MIT,Copyright 2014 Jonathan Ong 2014-2015 Douglas Christopher Wilson -dev,bun,MIT,Copyright contributors -dev,chai,MIT,Copyright 2017 Chai.js Assertion Library -dev,eslint,MIT,Copyright JS Foundation and other contributors https://js.foundation -dev,eslint-plugin-cypress,MIT,Copyright (c) 2019 Cypress.io -dev,eslint-plugin-import,MIT,Copyright 2015 Ben Mosher -dev,eslint-plugin-jsdoc,BSD-3-Clause,Copyright Gajus Kuizinas -dev,eslint-plugin-mocha,MIT,Copyright 2014 Mathias Schreck -dev,eslint-plugin-n,MIT,Copyright 2015 Toru Nagashima -dev,eslint-plugin-promise,ISC,jden and other contributors -dev,eslint-plugin-unicorn,MIT,Copyright (c) Sindre Sorhus (https://sindresorhus.com) -dev,express,MIT,Copyright 2009-2014 TJ Holowaychuk 2013-2014 Roman Shtylman 2014-2015 Douglas Christopher Wilson -dev,glob,ISC,Copyright Isaac Z. Schlueter and Contributors -dev,globals,MIT,Copyright (c) Sindre Sorhus (https://sindresorhus.com) -dev,graphql,MIT,Copyright 2015 Facebook Inc. 
-dev,jszip,MIT,Copyright 2015-2016 Stuart Knightley and contributors -dev,mocha,MIT,Copyright 2011-2018 JS Foundation and contributors https://js.foundation -dev,mocha-multi-reporters,MIT,Copyright 2015-2019 Yousaf Nabi and Stanley Ng -dev,mocha-junit-reporter,MIT, Copyright 2015 Michael Allen -dev,multer,MIT,Copyright 2014 Hage Yaapa -dev,nock,MIT,Copyright 2017 Pedro Teixeira and other contributors -dev,nyc,ISC,Copyright 2015 Contributors -dev,octokit,MIT,Copyright 2023 Octokit contributors -dev,proxyquire,MIT,Copyright 2013 Thorsten Lorenz -dev,semver,ISC,Copyright Isaac Z. Schlueter and Contributors -dev,sinon,BSD-3-Clause,Copyright 2010-2017 Christian Johansen -dev,sinon-chai,WTFPL and BSD-2-Clause,Copyright 2004 Sam Hocevar 2012–2017 Domenic Denicola -dev,tap,ISC,Copyright 2011-2022 Isaac Z. Schlueter and Contributors -dev,tiktoken,MIT,Copyright (c) 2022 OpenAI, Shantanu Jain -dev,typescript,Apache license 2.0,Copyright Microsoft Corp. -dev,workerpool,Apache license 2.0,Copyright (C) 2014-2024 Jos de Jong wjosdejong@gmail.com -dev,yaml,ISC,Copyright Eemeli Aro -dev,yarn-deduplicate,Apache license 2.0,Copyright [yyyy] [name of copyright owner] -file,aws-lambda-nodejs-runtime-interface-client,Apache 2.0,Copyright 2019 Amazon.com Inc. or its affiliates. All Rights Reserved. -file,profile.proto,Apache license 2.0,Copyright 2016 Google Inc. -file,is-git-url,MIT,Copyright (c) 2017 Jon Schlinkert. 
+"component","origin","license","copyright" +"@datadog/flagging-core","https://github.com/DataDog/openfeature-js-client","['Apache-2.0']","['DataDog']" +"@datadog/libdatadog","https://github.com/DataDog/libdatadog-nodejs","['Apache-2.0']","['Datadog Inc.']" +"@datadog/native-appsec","https://github.com/DataDog/dd-native-appsec-js","['Apache-2.0']","['Datadog Inc.']" +"@datadog/native-iast-taint-tracking","https://github.com/DataDog/dd-native-iast-taint-tracking-js","['Apache-2.0']","['Datadog Inc.']" +"@datadog/native-metrics","https://github.com/DataDog/dd-native-metrics-js","['Apache-2.0']","['Datadog Inc.']" +"@datadog/openfeature-node-server","https://github.com/DataDog/openfeature-js-client","['Apache-2.0']","['DataDog']" +"@datadog/pprof","https://github.com/DataDog/pprof-nodejs","['Apache-2.0']","['Google Inc.']" +"@datadog/sketches-js","https://github.com/DataDog/sketches-js","['Apache-2.0']","['DataDog']" +"@datadog/wasm-js-rewriter","https://github.com/DataDog/dd-wasm-js-rewriter","['Apache-2.0']","['Datadog Inc.']" +"@isaacs/ttlcache","https://github.com/isaacs/ttlcache","['BlueOak-1.0.0']","['Isaac Z. 
Schlueter']" +"@jsep-plugin/assignment","https://github.com/EricSmekens/jsep","['MIT']","['Shelly']" +"@jsep-plugin/regex","https://github.com/EricSmekens/jsep","['MIT']","['Shelly']" +"@openfeature/server-sdk","https://github.com/open-feature/js-sdk","['Apache-2.0']","['open-feature']" +"@opentelemetry/api","https://github.com/open-telemetry/opentelemetry-js","['Apache-2.0']","['OpenTelemetry Authors']" +"@opentelemetry/api-logs","https://github.com/open-telemetry/opentelemetry-js","['Apache-2.0']","['OpenTelemetry Authors']" +"@opentelemetry/core","https://github.com/open-telemetry/opentelemetry-js","['Apache-2.0']","['OpenTelemetry Authors']" +"@opentelemetry/resources","https://github.com/open-telemetry/opentelemetry-js","['Apache-2.0']","['OpenTelemetry Authors']" +"@opentelemetry/semantic-conventions","https://github.com/open-telemetry/opentelemetry-js","['Apache-2.0']","['OpenTelemetry Authors']" +"@protobufjs/aspromise","https://github.com/protobufjs/protobuf.js","['BSD-3-Clause']","['Daniel Wirtz']" +"@protobufjs/base64","https://github.com/protobufjs/protobuf.js","['BSD-3-Clause']","['Daniel Wirtz']" +"@protobufjs/codegen","https://github.com/protobufjs/protobuf.js","['BSD-3-Clause']","['Daniel Wirtz']" +"@protobufjs/eventemitter","https://github.com/protobufjs/protobuf.js","['BSD-3-Clause']","['Daniel Wirtz']" +"@protobufjs/fetch","https://github.com/protobufjs/protobuf.js","['BSD-3-Clause']","['Daniel Wirtz']" +"@protobufjs/float","https://github.com/protobufjs/protobuf.js","['BSD-3-Clause']","['Daniel Wirtz']" +"@protobufjs/inquire","https://github.com/protobufjs/protobuf.js","['BSD-3-Clause']","['Daniel Wirtz']" +"@protobufjs/path","https://github.com/protobufjs/protobuf.js","['BSD-3-Clause']","['Daniel Wirtz']" +"@protobufjs/pool","https://github.com/protobufjs/protobuf.js","['BSD-3-Clause']","['Daniel Wirtz']" +"@protobufjs/utf8","https://github.com/protobufjs/protobuf.js","['BSD-3-Clause']","['Daniel Wirtz']" 
+"@types/node","https://github.com/DefinitelyTyped/DefinitelyTyped","['MIT']","['DefinitelyTyped']" +"acorn","https://github.com/acornjs/acorn","['MIT']","['acornjs']" +"acorn-import-attributes","https://github.com/xtuc/acorn-import-attributes","['MIT']","['Sven Sauleau']" +"argparse","https://github.com/nodeca/argparse","['Python-2.0']","['nodeca']" +"cjs-module-lexer","https://github.com/nodejs/cjs-module-lexer","['MIT']","['Guy Bedford']" +"crypto-randomuuid","npm:crypto-randomuuid","['MIT']","['Stephen Belanger']" +"dc-polyfill","https://github.com/DataDog/dc-polyfill","['MIT']","['Thomas Hunter II']" +"dd-trace","https://github.com/DataDog/dd-trace-js","['(Apache-2.0 OR BSD-3-Clause)']","['Datadog Inc. ']" +"delay","https://github.com/sindresorhus/delay","['MIT']","['Sindre Sorhus']" +"detect-newline","https://github.com/sindresorhus/detect-newline","['MIT']","['Sindre Sorhus']" +"escape-string-regexp","https://github.com/sindresorhus/escape-string-regexp","['MIT']","['Sindre Sorhus']" +"fast-fifo","https://github.com/mafintosh/fast-fifo","['MIT']","['Mathias Buus']" +"ignore","https://github.com/kaelzhang/node-ignore","['MIT']","['kael']" +"import-in-the-middle","https://github.com/nodejs/import-in-the-middle","['Apache-2.0']","['Bryan English']" +"istanbul-lib-coverage","https://github.com/istanbuljs/istanbuljs","['BSD-3-Clause']","['Krishnan Anantheswaran']" +"jest-docblock","https://github.com/jestjs/jest","['MIT']","['jestjs']" +"js-yaml","https://github.com/nodeca/js-yaml","['MIT']","['Vladimir Zapparov']" +"jsep","https://github.com/EricSmekens/jsep","['MIT']","['Stephen Oney']" +"jsonpath-plus","https://github.com/JSONPath-Plus/JSONPath","['MIT']","['Stefan Goessner']" +"limiter","https://github.com/jhurliman/node-rate-limiter","['MIT']","['John Hurliman']" +"lodash.sortby","https://github.com/lodash/lodash","['MIT']","['John-David Dalton']" +"long","https://github.com/dcodeIO/long.js","['Apache-2.0']","['Daniel Wirtz']" 
+"lru-cache","https://github.com/isaacs/node-lru-cache","['ISC']","['Isaac Z. Schlueter']" +"module-details-from-path","https://github.com/watson/module-details-from-path","['MIT']","['Thomas Watson']" +"mutexify","https://github.com/mafintosh/mutexify","['MIT']","['Mathias Buus']" +"node-addon-api","https://github.com/nodejs/node-addon-api","['MIT']","['nodejs']" +"node-gyp-build","https://github.com/prebuild/node-gyp-build","['MIT']","['Mathias Buus']" +"opentracing","https://github.com/opentracing/opentracing-javascript","['Apache-2.0']","['opentracing']" +"p-limit","https://github.com/sindresorhus/p-limit","['MIT']","['Sindre Sorhus']" +"path-to-regexp","https://github.com/pillarjs/path-to-regexp","['MIT']","['pillarjs']" +"pprof-format","https://github.com/DataDog/pprof-format","['MIT']","['Datadog Inc.']" +"protobufjs","https://github.com/protobufjs/protobuf.js","['BSD-3-Clause']","['Daniel Wirtz']" +"queue-tick","https://github.com/mafintosh/queue-tick","['MIT']","['Mathias Buus']" +"retry","https://github.com/tim-kos/node-retry","['MIT']","['Tim Koschützki']" +"rfdc","https://github.com/davidmarkclements/rfdc","['MIT']","['David Mark Clements']" +"semifies","https://github.com/holepunchto/semifies","['Apache-2.0']","['Holepunch Inc']" +"shell-quote","https://github.com/ljharb/shell-quote","['MIT']","['James Halliday']" +"source-map","https://github.com/mozilla/source-map","['BSD-3-Clause']","['Nick Fitzgerald']" +"spark-md5","https://github.com/satazor/js-spark-md5","['(WTFPL OR MIT)']","['André Cruz']" +"tlhunter-sorted-set","https://github.com/tlhunter/node-sorted-set","['MIT']","['Thomas Hunter II']" +"ttl-set","https://github.com/watson/ttl-set","['MIT']","['Thomas Watson']" +"undici-types","https://github.com/nodejs/undici","['MIT']","['nodejs']" +"yocto-queue","https://github.com/sindresorhus/yocto-queue","['MIT']","['Sindre Sorhus']" + From 99535de09e8e7a0e7960ea2dfbb53f70ccf3282c Mon Sep 17 00:00:00 2001 
From: Thomas Watson Date: Sat, 22 Nov 2025 12:01:02 +0100 Subject: [PATCH 2/6] Update check_licenses.js script --- scripts/check_licenses.js | 90 ++++++++++++++++++++++++++------------- 1 file changed, 60 insertions(+), 30 deletions(-) diff --git a/scripts/check_licenses.js b/scripts/check_licenses.js index 87f9e4ffe90..d98e7950ad4 100644 --- a/scripts/check_licenses.js +++ b/scripts/check_licenses.js 
@@ -1,68 +1,98 @@ +/* eslint-disable no-console */ 'use strict' -const fs = require('fs') -const path = require('path') -const readline = require('readline') -const pkg = require(path.join(__dirname, '..', '/package.json')) +const { createReadStream } = require('node:fs') +const { join } = require('node:path') +const readline = require('node:readline') +const { execSync } = require('node:child_process') +const { name: rootPackageName } = require('../package.json') -const filePath = path.join(__dirname, '..', '/LICENSE-3rdparty.csv') -const deps = new Set(Object.keys(pkg.dependencies || {})) -const devDeps = new Set(Object.keys(pkg.devDependencies || {})) - -let index = 0 - -const licenses = { - require: new Set(), - dev: new Set(), - file: new Set() -} +const filePath = join(__dirname, '..', 'LICENSE-3rdparty.csv') +const deps = getProdDeps() +const licenses = new Set() +let isHeader = true const lineReader = readline.createInterface({ - input: fs.createReadStream(filePath) + input: createReadStream(filePath) }) lineReader.on('line', line => { - if (index !== 0) { - const columns = line.split(',') - const type = columns[0] - const license = columns[1] - - licenses[type].add(license) + if (isHeader) { + isHeader = false + return } - index++ + const trimmed = line.trim() + if (!trimmed) return // Skip empty lines + const columns = line.split(',') + const component = columns[0] + + // Strip quotes from the component name + licenses.add(component.replaceAll(/^"|"$/g, '')) }) lineReader.on('close', () => { - if (!checkLicenses(deps, 'require') || !checkLicenses(devDeps, 'dev')) { + if (!checkLicenses(deps)) { process.exit(1) } }) -function checkLicenses (typeDeps, type) { - /* eslint-disable no-console */ +function getProdDeps () { + // Add root package (dd-trace) to the set of dependencies manually as it is not included in the yarn list output. 
+ const deps = new Set([rootPackageName]) + + // Use yarn to get full tree of production (non-dev) dependencies (format is ndjson) + const stdout = execSync('yarn list --production --json', { + encoding: 'utf8', + stdio: ['ignore', 'pipe', 'inherit'] + }) + + for (const line of stdout.split('\n')) { + if (!line) continue + const parsed = JSON.parse(line) + if (parsed.type === 'tree' && parsed.data && Array.isArray(parsed.data.trees)) { + collectFromTrees(parsed.data.trees, deps) + } + } + + return deps +} + +function collectFromTrees (trees, deps) { + for (const node of trees) { + if (typeof node?.name !== 'string') continue + + // Remove version from the package name (e.g. `@protobufjs/pool@1.1.0` -> `@protobufjs/pool`) + deps.add(node.name.slice(0, node.name.lastIndexOf('@'))) + + if (Array.isArray(node.children) && node.children.length) { + collectFromTrees(node.children, deps) + } + } +} +function checkLicenses (typeDeps) { const missing = [] const extraneous = [] for (const dep of typeDeps) { - if (!licenses[type].has(dep)) { + if (!licenses.has(dep)) { missing.push(dep) } } - for (const dep of licenses[type]) { + for (const dep of licenses) { if (!typeDeps.has(dep)) { extraneous.push(dep) } } if (missing.length) { - console.log(`Missing 3rd-party license for ${missing.join(', ')}.`) + console.error(`Missing 3rd-party license for ${missing.join(', ')}.`) } if (extraneous.length) { - console.log(`Extraneous 3rd-party license for ${extraneous.join(', ')}.`) + console.error(`Extraneous 3rd-party license for ${extraneous.join(', ')}.`) } return missing.length === 0 && extraneous.length === 0 From f3b0e5b5a541f35c6ef11248a45e798f8935e6fc Mon Sep 17 00:00:00 2001 
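Review bot: In `collectFromTrees` (scripts/check_licenses.js, patch 2/6), `node.name.slice(0, node.name.lastIndexOf('@'))` assumes every tree entry carries an `@version` suffix. When `lastIndexOf` returns -1 the last character is dropped, and when it returns 0 (a scoped name without a version) the result is an empty string; either would surface later as a confusing missing or extraneous entry. A guard keeps the name intact: `const at = node.name.lastIndexOf('@')` followed by `deps.add(at > 0 ? node.name.slice(0, at) : node.name)`. Separately, `getProdDeps` relies on the default `maxBuffer` of `execSync`, so a sufficiently large `yarn list` tree would abort the check with an exception instead of a license message; passing `maxBuffer` explicitly makes that limit a deliberate choice. The check still compares component names only, so the origin and license columns of `LICENSE-3rdparty.csv` are trusted exactly as generated.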
From: Thomas Watson
Date: Sat, 22 Nov 2025 14:00:17 +0100
Subject: [PATCH 3/6] Add GitHub Actions workflow to automate updating
---
 .github/scripts/update-3rdparty-licenses.sh | 44 ++++++++++
 .../workflows/update-3rdparty-licenses.yml | 81 +++++++++++++++++++
 2 files changed, 125 insertions(+)
 create mode 100755 .github/scripts/update-3rdparty-licenses.sh
 create mode 100644 .github/workflows/update-3rdparty-licenses.yml
diff --git a/.github/scripts/update-3rdparty-licenses.sh b/.github/scripts/update-3rdparty-licenses.sh
new file mode 100755
index 00000000000..6326996ffcc
--- /dev/null
+++ b/.github/scripts/update-3rdparty-licenses.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+set -e
+
+if git diff --exit-code LICENSE-3rdparty.csv; then
+ echo "✅ LICENSE-3rdparty.csv is already up to date"
+else
+ echo "📝 LICENSE-3rdparty.csv was modified by license attribution command"
+
+ PR_AUTHOR="${PR_AUTHOR:-}"
+ PR_USER_TYPE="${PR_USER_TYPE:-}"
+
+ if [[ "$PR_USER_TYPE" == "Bot" ]] && [[ "${GITHUB_EVENT_NAME:-}" == "pull_request" ]]; then
+ echo "🤖 Bot-created PR detected. Auto-committing LICENSE-3rdparty.csv changes..."
+
+ git config --local user.email "action@github.com"
+ git config --local user.name "GitHub Action"
+
+ git add LICENSE-3rdparty.csv
+ git commit -m "Update LICENSE-3rdparty.csv"
+
+ git push origin HEAD:${GITHUB_HEAD_REF}
+
+ echo "✅ Successfully committed and pushed LICENSE-3rdparty.csv updates"
+ else
+ echo "❌ The LICENSE-3rdparty.csv file needs to be updated!"
+ echo ""
+ echo "The license attribution command has modified LICENSE-3rdparty.csv."
+ echo ""
+ echo "To fix this issue:"
+ echo "1. Set up dd-license-attribution locally by following the installation instructions in:"
+ echo " https://github.com/DataDog/dd-license-attribution"
+ echo "2. Run the license CSV generation command locally:"
+ echo " dd-license-attribution generate-sbom-csv \\"
+ echo " --no-scancode-strategy \\"
+ echo " --no-github-sbom-strategy \\"
+ echo " https://github.com/datadog/dd-trace-js > LICENSE-3rdparty.csv"
+ echo "3. Commit the updated LICENSE-3rdparty.csv file"
+ echo "4. Push your changes"
+ echo ""
+ echo "This helps keep the 3rd-party license information accurate."
+ exit 1
+ fi
+fi
diff --git a/.github/workflows/update-3rdparty-licenses.yml b/.github/workflows/update-3rdparty-licenses.yml
new file mode 100644
index 00000000000..aa9077662d2
--- /dev/null
+++ b/.github/workflows/update-3rdparty-licenses.yml
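Review bot: The auto-commit branch in `.github/scripts/update-3rdparty-licenses.sh` tests `"${GITHUB_EVENT_NAME:-}" == "pull_request"`, but the workflow added in the same patch triggers on `pull_request_target` and passes `github.event_name` through, so the condition looks like it can never be true and bot PRs would fall into the `exit 1` path. If the auto-commit is intended, compare against the event name the workflow actually uses, and have the workflow confirm that the PR head repository is this repository before the push, since the target branch name comes from the PR. The expansion should also be quoted: `git push origin "HEAD:${GITHUB_HEAD_REF}"`. `PR_AUTHOR` is assigned but never read in the script and could be dropped.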
@@ -0,0 +1,81 @@ +name: Update 3rd-party licenses + +on: + pull_request_target: + branches: + - master + paths: + - 'yarn.lock' + +jobs: + update-3rdparty-licenses: + runs-on: ubuntu-latest + permissions: + id-token: write + contents: write + pull-requests: write + env: + REPOSITORY_URL: ${{ github.server_url }}/${{ github.repository }} + steps: + - name: Check out PR branch + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Get GitHub token with appropriate permissions + uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3 + id: octo-sts + with: + scope: DataDog + policy: dd-trace-js-license-attribution-read + + - name: Set up Python + uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + with: + python-version: '3.14' + + - name: Check out dd-license-attribution + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + repository: DataDog/dd-license-attribution + ref: 8a4624fd08a16717ffbf92d389e65fa609a4f067 + path: dd-license-attribution + + - name: Install dd-license-attribution + working-directory: dd-license-attribution + run: | + pip install . + + - name: Create mirrors.json for PR branch + env: + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + HEAD_REF: ${{ github.head_ref }} + run: | + cat > mirrors.json < LICENSE-3rdparty.csv + + - name: Run LICENSE-3rdparty.csv update check + env: + PR_AUTHOR: ${{ github.event.pull_request.user.login }} + PR_USER_TYPE: ${{ github.event.pull_request.user.type }} + GITHUB_EVENT_NAME: ${{ github.event_name }} + run: ./.github/scripts/update-3rdparty-licenses.sh From 70c2879c96cef6edaf9c5ca9595ecef994f70cdd Mon Sep 17 00:00:00 2001 
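Review bot: This workflow (`.github/workflows/update-3rdparty-licenses.yml`) runs on `pull_request_target` with `contents: write`, `pull-requests: write` and `id-token: write`, checks out `github.event.pull_request.head.sha` into the workspace, and its last step executes `./.github/scripts/update-3rdparty-licenses.sh` from that checkout, so content from the pull request runs with the base repository's write token and OIDC identity. Nothing visible restricts the job to branches of this repository; a job-level `if: github.event.pull_request.head.repo.full_name == github.repository` would keep fork PRs out of the privileged path. It would also help to run the helper script from the base ref rather than the PR tree, to set `persist-credentials: false` on the PR checkout, and to move the push into a separate job that alone holds `contents: write`. Part of the middle of this hunk (the `mirrors.json` heredoc and the generation step) appears truncated on the page, so those steps are not covered by this note.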
From: Thomas Watson
Date: Wed, 26 Nov 2025 12:52:41 +0100
Subject: [PATCH 4/6] Add support for vendored dependencies
---
 .github/scripts/update-3rdparty-licenses.sh | 6 ++--
 .github/vendored-dependencies.csv | 2 ++
 .../workflows/update-3rdparty-licenses.yml | 4 +++
 LICENSE-3rdparty.csv | 3 +-
 packages/dd-trace/src/lambda/runtime/ritm.js | 2 +-
 scripts/check_licenses.js | 28 ++++++++++++++++++-
 6 files changed, 40 insertions(+), 5 deletions(-)
 create mode 100644 .github/vendored-dependencies.csv
diff --git a/.github/scripts/update-3rdparty-licenses.sh b/.github/scripts/update-3rdparty-licenses.sh
index 6326996ffcc..38cab654934 100755
--- a/.github/scripts/update-3rdparty-licenses.sh
+++ b/.github/scripts/update-3rdparty-licenses.sh
@@ -35,8 +35,10 @@ else
 echo " --no-scancode-strategy \\"
 echo " --no-github-sbom-strategy \\"
 echo " https://github.com/datadog/dd-trace-js > LICENSE-3rdparty.csv"
- echo "3. Commit the updated LICENSE-3rdparty.csv file"
- echo "4. Push your changes"
+ echo "3. Append vendored dependencies:"
+ echo " cat .github/vendored-dependencies.csv >> LICENSE-3rdparty.csv"
+ echo "4. Commit the updated LICENSE-3rdparty.csv file"
+ echo "5. Push your changes"
 echo ""
 echo "This helps keep the 3rd-party license information accurate."
 exit 1
diff --git a/.github/vendored-dependencies.csv b/.github/vendored-dependencies.csv
new file mode 100644
index 00000000000..c3656bb8e21
--- /dev/null
+++ b/.github/vendored-dependencies.csv
@@ -0,0 +1,2 @@
+"aws-lambda-nodejs-runtime-interface-client","https://github.com/aws/aws-lambda-nodejs-runtime-interface-client/blob/v2.1.0/src/utils/UserFunction.ts","['Apache-2.0']","['Amazon.com Inc. or its affiliates']"
+"is-git-url","https://github.com/jonschlinkert/is-git-url/blob/396965ffabf2f46656c8af4c47bef1d69f09292e/index.js#L9C15-L9C87","['MIT']","['Jon Schlinkert']"
diff --git a/.github/workflows/update-3rdparty-licenses.yml b/.github/workflows/update-3rdparty-licenses.yml
index aa9077662d2..153e6b11795 100644
--- a/.github/workflows/update-3rdparty-licenses.yml +++ b/.github/workflows/update-3rdparty-licenses.yml @@ -73,6 +73,10 @@ jobs: --no-github-sbom-strategy \ "${REPOSITORY_URL}" > LICENSE-3rdparty.csv + - name: Append vendored dependencies + run: | + cat .github/vendored-dependencies.csv >> LICENSE-3rdparty.csv + - name: Run LICENSE-3rdparty.csv update check env: PR_AUTHOR: ${{ github.event.pull_request.user.login }} diff --git a/LICENSE-3rdparty.csv b/LICENSE-3rdparty.csv index 00b829f8bb2..0b03e88513b 100644 --- a/LICENSE-3rdparty.csv +++ b/LICENSE-3rdparty.csv @@ -70,4 +70,5 @@ "ttl-set","https://github.com/watson/ttl-set","['MIT']","['Thomas Watson']" "undici-types","https://github.com/nodejs/undici","['MIT']","['nodejs']" "yocto-queue","https://github.com/sindresorhus/yocto-queue","['MIT']","['Sindre Sorhus']" - +"aws-lambda-nodejs-runtime-interface-client","https://github.com/aws/aws-lambda-nodejs-runtime-interface-client/blob/v2.1.0/src/utils/UserFunction.ts","['Apache-2.0']","['Amazon.com Inc. or its affiliates']" +"is-git-url","https://github.com/jonschlinkert/is-git-url/blob/396965ffabf2f46656c8af4c47bef1d69f09292e/index.js#L9C15-L9C87","['MIT']","['Jon Schlinkert']" diff --git a/packages/dd-trace/src/lambda/runtime/ritm.js b/packages/dd-trace/src/lambda/runtime/ritm.js index 960e7fd7cd9..f3d5a8e8d12 100644 --- a/packages/dd-trace/src/lambda/runtime/ritm.js +++ b/packages/dd-trace/src/lambda/runtime/ritm.js @@ -3,7 +3,7 @@ * Modifications copyright 2022 Datadog, Inc. * * Some functions are part of aws-lambda-nodejs-runtime-interface-client - * https://github.com/aws/aws-lambda-nodejs-runtime-interface-client/blob/main/src/utils/UserFunction.ts + * https://github.com/aws/aws-lambda-nodejs-runtime-interface-client/blob/v2.1.0/src/utils/UserFunction.ts */ 'use strict' diff --git a/scripts/check_licenses.js b/scripts/check_licenses.js index d98e7950ad4..5325ca1fe0e 100644 --- a/scripts/check_licenses.js +++ b/scripts/check_licenses.js 
@@ -1,7 +1,7 @@ /* eslint-disable no-console */ 'use strict' -const { createReadStream } = require('node:fs') +const { createReadStream, existsSync } = require('node:fs') const { join } = require('node:path') const readline = require('node:readline') const { execSync } = require('node:child_process') @@ -55,6 +55,9 @@ function getProdDeps () { } } + // Add vendored dependencies + addVendoredDeps(deps) + return deps } @@ -71,6 +74,29 @@ function collectFromTrees (trees, deps) { } } +function addVendoredDeps (deps) { + const vendoredDepsPath = join(__dirname, '..', '.github', 'vendored-dependencies.csv') + + // If the vendored dependencies file doesn't exist, skip + if (!existsSync(vendoredDepsPath)) { + return + } + + const fs = require('node:fs') + const content = fs.readFileSync(vendoredDepsPath, 'utf8') + + for (const line of content.split('\n')) { + const trimmed = line.trim() + if (!trimmed) continue // Skip empty lines + + const columns = line.split(',') + const component = columns[0] + + // Strip quotes from the component name and add to deps + deps.add(component.replaceAll(/^"|"$/g, '')) + } +} + function checkLicenses (typeDeps) { const missing = [] const extraneous = [] From 46a60dc335edaebdf8c46f8a43298751c1177ba5 Mon Sep 17 00:00:00 2001 From: Thomas Watson Date: Sat, 22 Nov 2025 14:04:22 +0100 Subject: [PATCH 5/6] tmp: force change in yarn.lock --- yarn.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yarn.lock b/yarn.lock index ccb51b103f3..f7368a3b160 100644 --- a/yarn.lock +++ b/yarn.lock @@ -4551,7 +4551,7 @@ source-map-support@^0.5.16: integrity sha512-uBHU3L3czsIyYXKX88fdrGovxdSCoTGDRZ6SYXtSRxLZUzHg5P/66Ht6uoUlHu9EZod+inXhKo3qQgwXUT/y1w== dependencies: buffer-from "^1.0.0" - source-map "^0.6.0" + source-map "^0.6.0" source-map@^0.6.0, source-map@^0.6.1: version "0.6.1" From 630cc074417db6d3360a95087e5cd3ea630f0ad5 Mon Sep 17 00:00:00 2001 
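Review bot: `addVendoredDeps` (third `scripts/check_licenses.js` hunk of patch 4/6) calls `require('node:fs')` inside the function only to reach `readFileSync`, although the first hunk of the same file already extends the top-level destructuring with `existsSync`; importing it there keeps module loading in one place: `const { createReadStream, existsSync, readFileSync } = require('node:fs')`. The function also returns silently when `.github/vendored-dependencies.csv` is absent, which would presumably show the vendored rows of `LICENSE-3rdparty.csv` as "Extraneous" rather than pointing at the missing file; a `console.error` naming the path would make that case easier to diagnose. The split-on-comma and quote-stripping logic duplicates the `line` handler added in patch 2/6, so a small shared helper would keep the two parsers from drifting apart.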
From: Thomas Watson Date: Fri, 28 Nov 2025 11:53:02 +0100 Subject: [PATCH 6/6] Revert "tmp: force change in yarn.lock" This reverts commit 46a60dc335edaebdf8c46f8a43298751c1177ba5. --- yarn.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yarn.lock b/yarn.lock index f7368a3b160..ccb51b103f3 100644 --- a/yarn.lock +++ b/yarn.lock @@ -4551,7 +4551,7 @@ source-map-support@^0.5.16: integrity sha512-uBHU3L3czsIyYXKX88fdrGovxdSCoTGDRZ6SYXtSRxLZUzHg5P/66Ht6uoUlHu9EZod+inXhKo3qQgwXUT/y1w== dependencies: buffer-from "^1.0.0" - source-map "^0.6.0" + source-map "^0.6.0" source-map@^0.6.0, source-map@^0.6.1: version "0.6.1"