[BUG] Packages in allow-dependencies-licenses not picked up correctly #947

@mathiasquatorze

Description

Describe the bug
We ran into the issue: package-lock.json » @microsoft/[email protected] – License: LGPL-2.1-or-later AND LicenseRef-scancode-generic-cla AND MIT, which is expected. Our allowed licenses do not contain "LGPL-2.1-or-later AND LicenseRef-scancode-generic-cla AND MIT".
When we add the package to allow-dependencies-licenses, it is still not allowed:

allow-dependencies-licenses:
  - "pkg:npm/@microsoft/[email protected]"

This package is not directly updated in our package.json, but rather in the package-lock.
This change is caused by updating pkg:npm/applicationinsights to 3.7.0, which updates its dependencies to 3.3.9.

We see the same issue in:

  - "pkg:npm/@microsoft/[email protected]"
  - "pkg:npm/@microsoft/[email protected]"
  - "pkg:npm/@microsoft/[email protected]"
  - "pkg:npm/@microsoft/[email protected]"
  - "pkg:npm/@microsoft/[email protected]"
  - "pkg:npm/@microsoft/[email protected]"
  - "pkg:npm/@microsoft/[email protected]"
  - "pkg:npm/@microsoft/[email protected]"

To Reproduce
Steps to reproduce the behavior:

  1. Update pkg:npm/applicationinsights to 3.7.0 in package.json
  2. Verify that dependencies are updated to 3.3.9
  3. Ensure that the license "LGPL-2.1-or-later AND LicenseRef-scancode-generic-cla AND MIT" is not allowed. (It is incorrect, but I opened a change in ClearlyDefined.)
  4. See error
  5. Try to update the allow-dependencies-licenses to allow any of the packages above
  6. Continue seeing error

Expected behavior
I expected the license error to go away once I add the packages and their versions to allow-dependencies-licenses.

Screenshots

Action version
4.7.1 (latest as of the time of this issue)

Note: if you're not running the latest release please try that first!

Examples
N/A

If you have encountered a problem with a specific package (e.g. issue with license or attributions data) please share details about the package, as well as a link to the manifest where it's being referenced.

https://www.npmjs.com/package/@microsoft/applicationinsights-analytics-js
https://www.npmjs.com/package/@microsoft/applicationinsights-cfgsync-js
https://www.npmjs.com/package/@microsoft/applicationinsights-channel-js

As examples

Metadata

Assignees: No one assigned
Labels: bug (Something isn't working)
Milestone: No milestone