MIT vs AGPL in NPM #948

Open
mensfeld opened this issue Sep 15, 2023 · 3 comments
Labels
read Read by sequences

Comments

@mensfeld

mensfeld commented Sep 15, 2023

Hey, this package is AGPL, but it is presented in NPM and the NPM API as MIT:

image

I also checked the package.json of the newest release and the same applies. This may be confusing to users that use NPM as a base for their operations.

image

@scramjet-bot scramjet-bot added the read Read by sequences label Sep 15, 2023
@MichalCz
Member

Hi @mensfeld,

Indeed this should be clearly shown as AGPL - we'll address this.

This is due to the dual licensing we use for the Transform Hub and the runners (these are linked with your programs, but still over a standard protocol, so there's no license leakage), but indeed this should be clearly stated.

If you have any suggestions, please feel free to give us a hint and reasoning to any changes.

@mensfeld
Author

I don't have any more suggestions. I'm just doing some license-related lookups and checks and found this discrepancy. It may be an issue for anyone generating SBOMs at scale using the NPM APIs especially. Thanks for your reply!

@MichalCz
Member

Hi @mensfeld,

After double-checking: actually this is intentional - some packages in the repo are licensed as AGPL (where we want to keep the development of the software free, but open to anyone - at least for now), but the packages that may directly link to your code (API clients, runners, tooling) are licensed under MIT to make this licensing safe.

In essence:

  • If you intend to modify/customize the transform-hub code, we would ask you to release the changes (at least to your users).
  • If you intend to use the transform-hub, the code you're linking against should not automatically trigger the AGPL license on your code.

We do intend to change the license to GPL (probably at version 1.0.0), since we already have a sufficient user base, but the code linking parts will stay as MIT so that linking is safe for commercial use.
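
An added example, not part of the thread or the project's code: a check an SBOM pipeline could run for the discrepancy discussed above, comparing the license declared in a package manifest with the license text shipped in the package. The manifest, the license excerpts and the function names are constructed for illustration, and the text matching relies on license titles only.

```javascript
// Added example; title heuristics, ordered so AGPL/LGPL match before plain GPL.
const TEXT_SIGNATURES = [
  [/GNU\s+AFFERO\s+GENERAL\s+PUBLIC\s+LICENSE/i, "AGPL"],
  [/GNU\s+LESSER\s+GENERAL\s+PUBLIC\s+LICENSE/i, "LGPL"],
  [/GNU\s+GENERAL\s+PUBLIC\s+LICENSE/i, "GPL"],
  [/Apache\s+License/i, "APACHE"],
  [/Permission is hereby granted, free of charge/i, "MIT"],
];

// Reduce an SPDX id such as "AGPL-3.0-only" to its family ("AGPL").
const family = (id) => id.trim().split("-")[0].toUpperCase();

// Families a manifest declares: an SPDX expression in `license`, the legacy
// object form, or the deprecated `licenses` array. "SEE LICENSE IN <file>"
// declares nothing checkable, and "WITH <exception>" is not a license.
function declaredFamilies(manifest) {
  const ids = [];
  const take = (v) => {
    if (v && typeof v.type === "string") v = v.type;
    if (typeof v !== "string" || /^\s*SEE LICENSE IN/i.test(v)) return;
    const expr = v.replace(/\s+WITH\s+\S+/g, "");
    ids.push(...expr.split(/\s+(?:OR|AND)\s+|[()]/).filter((s) => s.trim()));
  };
  take(manifest.license);
  if (Array.isArray(manifest.licenses)) manifest.licenses.forEach(take);
  return [...new Set(ids.map(family))];
}

// Identify the license family from the head of the shipped LICENSE text.
function detectFamily(licenseText) {
  const head = String(licenseText || "").slice(0, 600);
  const hit = TEXT_SIGNATURES.find(([pattern]) => pattern.test(head));
  return hit ? hit[1] : null;
}

// "mismatch" is the case from the thread: the manifest says one thing, the text another.
function checkLicense(manifest, licenseText) {
  const declared = declaredFamilies(manifest);
  const detected = detectFamily(licenseText);
  let status = "match";
  if (!detected || declared.length === 0) status = "unknown";
  else if (!declared.includes(detected)) status = "mismatch";
  return { name: manifest.name, declared, detected, status };
}

// Constructed sample input: a manifest declaring MIT beside an AGPL license text.
const SAMPLE_MANIFEST = { name: "example-hub", version: "0.0.1", license: "MIT" };
const SAMPLE_TEXT = "GNU AFFERO GENERAL PUBLIC LICENSE\nVersion 3, 19 November 2007\n";
console.log(checkLicense(SAMPLE_MANIFEST, SAMPLE_TEXT));
```

A dual-license expression such as `(MIT OR AGPL-3.0-only)` reports `match` against the same text, so packages that declare both licenses are not flagged.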
