Is your feature request related to a problem? Please describe.
When using the allow-dependencies-licenses configuration, it only allows for specifying specific packages and not their particular license. This is an issue if a dependency you've previously allowed changes their license to something more restrictive.
Describe the solution you'd like
Use PURL qualifiers (or subpaths) to allow optional filtering of specific licenses for specific dependencies.
Example:
pkg:npm/@foo/bar?license=GPL-1.0-or-later
- If this package changes to a different license in my deny_licenses field, then it should fail.
- Not specifying license should retain existing behaviour of a "blanket" allow.
Describe alternatives you've considered
There are no alternatives.
Additional context
N/A
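As an added illustration (not the project's own code), a hypothetical TypeScript evaluator for the semantics proposed above; the function names, the sample allow list and the sample dependencies are all constructed here.

```typescript
// Added example, not the project's own code: a hypothetical evaluator for the
// proposed `license` PURL qualifier on allow-dependencies-licenses entries.

interface AllowEntry { purl: string; license?: string }
interface Dependency { purl: string; license: string }
type Verdict = 'allowed' | 'denied' | 'not-covered';

// Strip a PURL version ("...@1.2.3") without touching an npm scope like "@foo":
// the version, if present, is the "@" after the last "/" of the path.
function stripVersion(purl: string): string {
  const lastSlash = purl.lastIndexOf('/');
  const at = purl.indexOf('@', lastSlash + 1);
  return at === -1 ? purl : purl.slice(0, at);
}

// Parse "pkg:npm/@foo/bar?license=GPL-1.0-or-later" into the package identity
// (no version, qualifiers or subpath) plus the optional license qualifier.
function parseAllowEntry(raw: string): AllowEntry {
  const withoutSubpath = raw.replace(/#.*$/, '');
  const q = withoutSubpath.indexOf('?');
  const base = q === -1 ? withoutSubpath : withoutSubpath.slice(0, q);
  const query = q === -1 ? '' : withoutSubpath.slice(q + 1);
  let license: string | undefined;
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    // PURL qualifier keys are case-insensitive; values are percent-encoded.
    if (pair.slice(0, eq).toLowerCase() === 'license') {
      license = decodeURIComponent(pair.slice(eq + 1));
    }
  }
  return { purl: stripVersion(base), license };
}

// Semantics from the issue: an entry without a qualifier is a blanket allow
// (existing behaviour); an entry with one allows only that exact license, so a
// relicensed package falls through to the deny_licenses check.
function evaluateDependency(dep: Dependency, allow: AllowEntry[], denyLicenses: string[]): Verdict {
  const id = parseAllowEntry(dep.purl).purl;
  const entry = allow.find((e) => e.purl === id);
  if (entry !== undefined && (entry.license === undefined || entry.license === dep.license)) {
    return 'allowed';
  }
  return denyLicenses.includes(dep.license) ? 'denied' : 'not-covered';
}

// Constructed sample: @foo/bar is allowed only under GPL-1.0-or-later.
const sampleAllow = ['pkg:npm/@foo/bar?license=GPL-1.0-or-later', 'pkg:npm/lodash'].map(parseAllowEntry);
const sampleDeny = ['GPL-1.0-or-later', 'AGPL-3.0-only'];
console.log(evaluateDependency({ purl: 'pkg:npm/@foo/bar@2.0.0', license: 'AGPL-3.0-only' }, sampleAllow, sampleDeny));
```

A relicensed @foo/bar is reported as denied while the unqualified lodash entry still passes any license, which is the behaviour the request describes.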