Dependency Governance
License review and dependency intake governance for all external libraries and packages
Overview
Purpose
Every external library or package goes through license review before it is adopted; the rules below govern that intake process.
Rules
DEP-001: ALWAYS review the license before adopting ANY external dependency, including transitive dependencies that a lockfile resolves on your behalf. Record the license (preferably as its SPDX identifier) in the dependency declaration.
License restrictions discovered after deep integration can force code removal or create legal exposure. Review at intake is orders of magnitude cheaper than remediation.
Verification: PR review confirms that every new dependency names its license in the commit message or PR description.
DEP-002: PREFER permissive licenses (MIT, Apache-2.0, BSD) whose only obligations are attribution and notice requirements, with NO usage restrictions.
Permissive licenses allow commercial use, modification, and distribution without copyleft obligations. They maximize downstream flexibility.
Verification: dependency audit confirms that every dependency is under a permissive license or has an explicit approval on record.
DEP-003: AVOID GPL (strong copyleft), AGPL (copyleft that also covers network use), and proprietary licenses with usage restrictions.
GPL copyleft provisions can require distributing derivative works under the same license; AGPL extends that obligation to software offered over a network, even when it is never distributed. Proprietary restrictions limit distribution and modification rights.
Verification: CI gate runs a dependency license scanner and fails the build on any GPL, AGPL or proprietary-licensed dependency that has no approved exception.
DEP-004: When a license carries ANY restriction, document the restriction explicitly and obtain explicit approval before use.
Implicit acceptance of restrictions creates hidden obligations. Explicit documentation and approval create an audit trail and record informed consent.
Verification: a decision record exists for every non-permissive dependency, stating its restrictions and who approved it.
DEP-005: If the preferred library has a restrictive license, RESEARCH alternatives with permissive licenses first.
Most capability domains have several competing libraries. A 10-minute search for permissive alternatives prevents long-term license entanglement.
Verification: PR review: if a restrictively licensed dependency is chosen, the PR's alternatives section documents which permissive options were evaluated and why they were rejected.
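A CI license gate of the kind DEP-002 through DEP-004 call for, as an added example (not this page's or any project's own tooling). It goes a little beyond the rules as written by evaluating full SPDX license expressions: permissive identifiers pass, the GPL/AGPL family is denied, anything else is "restricted" and needs an entry in an approved-exceptions table keyed by package name, a missing or non-SPDX license string fails as "unknown", and AND/OR/WITH are handled so that a dual-licensed package can pass on its permissive alternative while a combined AND license is judged by its worst term. The scan rows, package names, the exceptions entry and the allow/deny sets are constructed for the demo and are policy choices, not a standard list.

```python
"""CI license gate over a dependency scan. Added example, not the page's or any project's tooling.
Rows mimic a scanner's output for a resolved lockfile: (package, version, SPDX expression).
Policy sets, package names and the exceptions table are constructed for the demo, not a standard."""
import re

# Accepted without approval (DEP-002). Starting set; extend as policy allows.
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "0BSD", "Unlicense", "Zlib"}
# GPL/AGPL family is denied outright (DEP-003). LGPL does not match and lands in "restricted" (DEP-004).
DENIED_RE = re.compile(r"^A?GPL-\d")
# Ranked so that AND takes the worst operand and OR (dual licensing) takes the best.
RANK = {"denied": 0, "unknown": 1, "restricted": 2, "permissive": 3}
BY_RANK = {v: k for k, v in RANK.items()}
# Tokens: parentheses, AND/OR, or a license id with an optional "WITH <exception>".
TOKEN_RE = re.compile(r"\(|\)|\b(?:AND|OR)\b|[A-Za-z0-9.+\-]+(?:\s+WITH\s+[A-Za-z0-9.+\-]+)?", re.IGNORECASE)


def classify_id(lic: str) -> str:
    """Classify one SPDX identifier such as 'GPL-2.0-only WITH Classpath-exception-2.0'."""
    lic = lic.strip()
    if not lic or lic.upper() in {"UNKNOWN", "NOASSERTION", "NONE"}:
        return "unknown"
    base = re.split(r"\s+WITH\s+", lic, flags=re.IGNORECASE)[0].rstrip("+")  # 'GPL-2.0+' -> 'GPL-2.0'
    if base in PERMISSIVE:
        return "permissive"
    if DENIED_RE.match(base):
        return "denied"
    return "restricted"  # any other identifier carries obligations that are not pre-approved


def classify_expression(expr: str) -> str:
    """Evaluate a full SPDX expression (AND, OR, parentheses). Raises ValueError if malformed."""
    tokens = TOKEN_RE.findall(expr)
    if not tokens:
        return "unknown"
    pos = 0

    def peek():
        return tokens[pos].upper() if pos < len(tokens) else None

    def parse_or():  # or_expr := and_expr ("OR" and_expr)*
        nonlocal pos
        rank = parse_and()
        while peek() == "OR":
            pos += 1
            rank = max(rank, parse_and())  # the consumer may pick the friendlier alternative
        return rank

    def parse_and():  # and_expr := atom ("AND" atom)*
        nonlocal pos
        rank = parse_atom()
        while peek() == "AND":
            pos += 1
            rank = min(rank, parse_atom())  # every conjunct's obligations apply
        return rank

    def parse_atom():  # atom := "(" or_expr ")" | license_id
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError(f"unexpected end of expression: {expr!r}")
        tok, pos = tokens[pos], pos + 1
        if tok == "(":
            rank = parse_or()
            if peek() != ")":
                raise ValueError(f"unbalanced parentheses: {expr!r}")
            pos += 1
            return rank
        if tok == ")" or tok.upper() in ("AND", "OR"):
            raise ValueError(f"misplaced operator in: {expr!r}")
        return RANK[classify_id(tok)]

    rank = parse_or()
    if pos != len(tokens):  # e.g. 'Apache 2.0' (not SPDX) tokenises as two ids with no operator
        raise ValueError(f"trailing tokens in: {expr!r}")
    return BY_RANK[rank]


def license_gate(scan_rows, approved_exceptions):
    """Return (package, classification, message) for every row that must block the merge.
    approved_exceptions maps package name -> decision record reference (DEP-004)."""
    failures = []
    for name, version, expr in scan_rows:
        try:
            cls = classify_expression(expr)
        except ValueError as err:
            cls, expr = "unknown", f"{expr} ({err})"
        if cls == "permissive" or (cls != "unknown" and name in approved_exceptions):
            continue  # permissive, or obligations reviewed and approved with a decision record on file
        reason = {"denied": "GPL/AGPL copyleft (DEP-003), no approved exception",
                  "restricted": "carries restrictions, needs a decision record (DEP-004)",
                  "unknown": "license missing or not a valid SPDX expression (DEP-001)"}[cls]
        failures.append((name, cls, f"{name} {version} [{expr}]: {reason}"))
    return failures


# Constructed scan output and exceptions table; the package names are fictitious.
SAMPLE_SCAN = [
    ("http-client", "2.31.0", "Apache-2.0"),
    ("dual-licensed-lib", "1.4.0", "MIT OR GPL-3.0-only"),             # OR: MIT can be chosen -> pass
    ("combined-lib", "0.9.2", "Apache-2.0 AND LGPL-2.1-only"),          # AND: LGPL terms apply -> restricted
    ("copyleft-tool", "5.0.0", "GPL-2.0-or-later"),                     # denied
    ("approved-service-dep", "3.2.1", "AGPL-3.0-only"),                 # denied, but an exception is on file
    ("mystery-pkg", "0.0.1", "UNKNOWN"),                                # scanner found no license
    ("classpath-lib", "11.0", "GPL-2.0-only WITH Classpath-exception-2.0"),  # GPL family under this policy
]
APPROVED_EXCEPTIONS = {"approved-service-dep": "DR-0042 (hypothetical decision record reference)"}

if __name__ == "__main__":
    print(*(m for _, _, m in license_gate(SAMPLE_SCAN, APPROVED_EXCEPTIONS)), sep="\n")
```

Run against the sample scan, the gate blocks four rows: the AND-combined LGPL package and the GPL packages need a decision record, and the package with no license data cannot pass until the scanner output is fixed; the dual-licensed package passes on its MIT alternative and the AGPL package passes only because its exception is on file. In a real pipeline the rows would come from the scanner's JSON or SBOM export and the exceptions table from a committed file, so that adding an exception is itself a reviewed change.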