Dependency Governance

License review and dependency intake governance for all external libraries and packages

Andrei Solovev

Tags

rule

Overview

Purpose

License review and dependency intake governance for all external libraries and packages

Rules

DEP-001: ALWAYS review the license before adopting ANY external dependency, and record the license in the dependency declaration.

Undiscovered license restrictions can force code removal or legal exposure after deep integration. Review at intake is orders of magnitude cheaper than remediation.

Verification: PR review: every new dependency names its license (preferably as an SPDX identifier) in the commit message or PR description.

DEP-002: PREFER permissive licenses (MIT, Apache 2.0, BSD) with NO field-of-use or copyleft restrictions.

Permissive licenses allow commercial use, modification, and distribution without copyleft obligations; what remains is attribution (keep the copyright notice and license text, plus the NOTICE file for Apache 2.0), which is easy to satisfy. They maximize downstream flexibility.

Verification: Dependency audit: all dependencies use permissive licenses unless explicitly approved.

DEP-003: AVOID: GPL (copyleft triggered by distribution), AGPL (copyleft also triggered by serving the software over a network), and proprietary licenses with usage restrictions.

GPL/AGPL copyleft provisions can require releasing the derivative work under the same license: for GPL when binaries or combined works are distributed, for AGPL also when users interact with a modified version over a network. Proprietary restrictions limit distribution and modification rights.

Verification: CI gate: a dependency license scanner run over the full resolved dependency tree (the lockfile, not only direct declarations) fails the build on GPL/AGPL/proprietary dependencies. The scanner must evaluate dual-license expressions (e.g. "MIT OR GPL-2.0-only" is acceptable under the MIT option) and must treat missing or unknown license metadata as a failure, not a pass.

DEP-004: When license has ANY restriction, document it explicitly and get explicit approval before use.

Implicit acceptance of restrictions creates hidden obligations. Explicit documentation and approval creates an audit trail and informed consent.

Verification: A decision record exists for every non-permissive dependency, listing the restrictions and the approver.

DEP-005: If preferred library has restrictive license, RESEARCH alternatives with permissive licenses first.

Most capability domains have multiple competing libraries. A 10-minute search for permissive alternatives prevents long-term license entanglement.

Verification: PR review: if restrictive license chosen, alternatives section documents what was evaluated.
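As an added example (not the page's or the author's own tooling), the following Python script implements the DEP-003 CI gate described above together with the DEP-002 allowlist and the DEP-004 approval records. The report shape (`Name`/`Version`/`License` keys, as produced by `pip-licenses --format=json`), the `approvals` mapping that stands in for decision records, and the dependency list itself are constructed assumptions for the demonstration. It goes slightly beyond the text by evaluating SPDX license expressions, so a dual-licensed package such as `MIT OR GPL-2.0-only` passes under its permissive option while `MIT AND GPL-2.0-only` does not, and anything unrecognised is routed to DEP-004 review instead of silently passing.

```python
"""CI license gate for a dependency report (added example, not the page's tooling).

Assumptions (not from the page): the report is a list of {"Name", "Version",
"License"} records as emitted by `pip-licenses --format=json`, licenses are SPDX
identifiers or expressions, and `approvals` maps package name -> decision record id.
"""
import re
import sys
from typing import Dict, List, Tuple

# DEP-002: permissive licenses, as SPDX identifiers.
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "0BSD"}
# DEP-003: copyleft families that are denied outright, matched on SPDX prefix.
# LGPL-* does not match these prefixes and therefore lands in "restricted".
DENIED_PREFIXES = ("GPL-", "AGPL-")
# Ordering used to combine sub-expressions: OR picks the best, AND the worst.
RANK = {"denied": 0, "restricted": 1, "allowed": 2}

_TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+\-]+")


def classify_id(license_id: str) -> str:
    """Classify a single SPDX identifier."""
    if license_id in ALLOWED:
        return "allowed"
    if license_id.startswith(DENIED_PREFIXES):
        return "denied"
    # Proprietary, UNKNOWN, LicenseRef-*, uncommon copyleft: needs a DEP-004 record.
    return "restricted"


def classify_expression(expr: str) -> str:
    """Evaluate an SPDX expression such as '(MIT OR Apache-2.0) AND BSD-3-Clause'.

    Raises ValueError on a malformed expression; callers treat that as restricted.
    """
    tokens = _TOKEN.findall(expr)
    if not tokens:
        return "restricted"  # empty / missing license metadata never passes
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of license expression")
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        status = parse_and()
        while peek() == "OR":
            take()
            # Dual licensing: the consumer may choose the most permissive branch.
            status = max(status, parse_and(), key=RANK.__getitem__)
        return status

    def parse_and():
        status = parse_atom()
        while peek() == "AND":
            take()
            # Every conjunct binds, so the strictest one decides.
            status = min(status, parse_atom(), key=RANK.__getitem__)
        return status

    def parse_atom():
        tok = take()
        if tok == "(":
            status = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parenthesis")
            return status
        if tok in ("AND", "OR", "WITH", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        status = classify_id(tok)
        if peek() == "WITH":  # 'GPL-2.0-only WITH Classpath-exception-2.0'
            take()
            take()  # the exception does not change the base license's class
        return status

    status = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in license expression")
    return status


def run_gate(report: List[Dict[str, str]], approvals: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (passed, findings). Unapproved non-permissive dependencies fail the gate."""
    findings, passed = [], True
    for dep in report:
        name, version, lic = dep.get("Name", "?"), dep.get("Version", "?"), dep.get("License", "")
        try:
            status = classify_expression(lic)
        except ValueError:
            status = "restricted"
        if status == "allowed":
            continue
        record = approvals.get(name)
        if record:  # DEP-004: documented exception, surfaced but not blocking
            findings.append(f"WARN {name}=={version} [{lic}] {status}, approved via {record}")
        else:
            passed = False
            findings.append(f"FAIL {name}=={version} [{lic}] {status}, no DEP-004 decision record")
    return passed, findings


# Constructed sample report and approvals (fictional packages, for demonstration).
SAMPLE_REPORT = [
    {"Name": "http-client", "Version": "2.3.1", "License": "Apache-2.0"},
    {"Name": "dual-lib", "Version": "1.0.0", "License": "MIT OR GPL-2.0-only"},
    {"Name": "agpl-tool", "Version": "3.1.0", "License": "AGPL-3.0-only"},
    {"Name": "vendor-sdk", "Version": "0.9.0", "License": "LicenseRef-Vendor-EULA"},
    {"Name": "mystery", "Version": "0.1.0", "License": "UNKNOWN"},
    {"Name": "combo", "Version": "2.0.0", "License": "(MIT OR Apache-2.0) AND BSD-3-Clause"},
]
SAMPLE_APPROVALS = {"vendor-sdk": "ADR-0042"}  # hypothetical decision record id

if __name__ == "__main__":
    ok, out = run_gate(SAMPLE_REPORT, SAMPLE_APPROVALS)
    print("\n".join(out))
    sys.exit(0 if ok else 1)
```

Run against the constructed report, `agpl-tool` and `mystery` produce FAIL lines and the process exits 1, which is what makes the CI step red; `vendor-sdk` prints as WARN because its decision record is on file, so the exception stays visible in the build log rather than disappearing into a suppression list. Point the script at the lockfile-derived report rather than the direct dependency list so transitive packages are covered.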
