Scope
Dependabot tracks dependency versions (and CVE alerts). It does not check the licenses of transitive dependencies. A new transitive dependency with an incompatible license (GPL, AGPL, OSL, business-source) silently leaks into a derivative work distributed under MIT — a real procurement / legal exposure for downstream consumers.
The deferred work is a license-audit workflow using dotnet-licenses / FOSSA / Snyk Open Source / similar that enumerates every transitive package, captures its declared license, and fails the build on incompatible / unknown licenses.
Acceptance criteria
- A
license-audit.yaml workflow runs on PR + scheduled.
- Findings produce a
THIRD-PARTY-NOTICES.md (or similar) generated automatically per release; license attribution is shipped in the NuGet package per the licenses' requirements.
- A documented allowlist (MIT / Apache-2.0 / BSD-2-Clause / BSD-3-Clause / similar) gates new packages; anything else needs explicit reviewer approval recorded in the PR.
- A baseline scan of the current
main documents current dependencies + licenses.
Notes
Scope
Dependabot tracks dependency versions (and CVE alerts). It does not check the licenses of transitive dependencies. A new transitive dependency with an incompatible license (GPL, AGPL, OSL, business-source) silently leaks into a derivative work distributed under MIT — a real procurement / legal exposure for downstream consumers.
The deferred work is a license-audit workflow using
dotnet-licenses/ FOSSA / Snyk Open Source / similar that enumerates every transitive package, captures its declared license, and fails the build on incompatible / unknown licenses.Acceptance criteria
license-audit.yamlworkflow runs on PR + scheduled.THIRD-PARTY-NOTICES.md(or similar) generated automatically per release; license attribution is shipped in the NuGet package per the licenses' requirements.maindocuments current dependencies + licenses.Notes