"Invalid SPDX License" after upgrading JSTS package

[mprins]

After upgrading the JSTS package from 2.10.0 to 2.11.0 we're getting the message that it has an "Invalid SPDX License" "(EDL-1.0 OR EPL-1.0)" (the license information has not changed in 7 years

We're using the following configuration

  dependency-review:
    name: 'Dependency Review'
    if: ${{ github.event_name == 'pull_request' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4

      - uses: actions/dependency-review-action@v3
        with:
          deny-licenses: GPL-2.0+, AGPL-3.0+

see https://github.com/B3Partners/tailormap-viewer/actions/runs/6323648494?pr=484 for the logs/output.

Do you have any hints or ideas?

possibly related to #559

[febuiles]

I've reproduced this succesfully in https://github.com/future-funk/cuddly-octo-bassoon/actions/runs/6330878481/job/17194265977?pr=1. My guess is that our SPDX parser is having issues with OR expressions, but I will need to take a closer look. Will report my findings back!

[mprins]

thanks for looking into this.

I'm not sure what the authorative source is for license keys, but I see it is lacking from https://spdx.org/licenses/

The EDL-1.0 key was rejected as described on https://wiki.spdx.org/view/Legal_Team/License_List/Licenses_Under_Consideration for being identical to BSD-3-Clause.
Still, none of these are recent changes...

[febuiles]

@mprins The list of licenses for NPM, Maven and Composer was recently refreshed. I'm guessing that since this is an older package there was no license set for it before. Thanks for the EDL pointer, I'll see if we can get this updated.

[febuiles]

I updated the license for [email protected] by asking ClearlyDefined to harvest the package. Although the invalid EDL license was removed, the resulting expression is still marked invalid by the SPDX parser. Sample run here: https://github.com/future-funk/cuddly-octo-bassoon/actions/runs/6330878481/job/17558844147