Handling of "OR" #21

Open
brettz9 opened this issue Nov 28, 2019 · 4 comments · May be fixed by #25

Comments

brettz9 commented Nov 28, 2019

Hi!

Great package and concept. Also appreciated the Medium.com write-up.

I noticed that when providing the details of licenses, "[email protected]", whose license is listed as "GPL-3.0-or-later OR MIT" is categorized as "Protective". Since the "OR" is present with the permissive MIT, I would think it should go with "Permissive" instead. Only for "AND" would it make sense I think to be "Protective".

brettz9 commented Jan 7, 2020

I think the problem is in `getLicenseType`. Trying "GPL-3.0-or-later OR MIT" gives "protective", while "GPL-3.0-or-later OR Artistic-2.0" gives "permissive".

brettz9 commented Jan 7, 2020

And the source of that problem is that in `satisfies`, `spdx-correct` is used on the "GPL-3.0-or-later OR MIT" argument, giving "GPL-3.0", and `upgrade: false` is not used as it can be in at least the later versions of `spdx-correct`. I'm guessing you need to upgrade versions.

KroneckerDeIta commented Jan 6, 2022

Just had this issue pop with the package:

https://github.com/Stuk/jszip

as they have changed their license field from:

(MIT OR GPL-3.0)

in version 3.6.0 to:

(MIT OR GPL-3.0-or-later)

in versions 3.7.0 and 3.7.1 and now thinks it is protective. At the moment I have downgraded to 3.6.0 as our builds fail when npm-consider returns 1, but would be really good if this library can be updated (pull request accepted).

brettz9 commented Jan 7, 2022

As the author has not replied and seems to have abandoned the project, I created a fork, npm-reflect, which should address this issue (try v1.0.0) as well as some others (as well as adding a new "Use or Modify Protective" category and adding some updates). No guarantees how well I'll maintain it, but can offer well-documented PRs or issues.

Would be most grateful if anyone could help adding tests.
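The behaviour requested in this thread, as an added example that is not part of the issue and is not code from npm-consider or npm-reflect: a compound SPDX expression is parsed as a whole, `OR` resolves to the most permissive branch and `AND` to the most restrictive. The category table and the `classify` and `tokenize` names are assumptions made for illustration.

```javascript
// Hypothetical category table (assumption); a lower rank is more permissive.
const RANK = { permissive: 0, protective: 1, unknown: 2 };
const CATEGORY = new Map([
  ['MIT', 'permissive'], ['ISC', 'permissive'], ['Apache-2.0', 'permissive'],
  ['Artistic-2.0', 'permissive'], ['GPL-3.0', 'protective'],
  ['GPL-3.0-only', 'protective'], ['GPL-3.0-or-later', 'protective'],
]);

// Split into "(", ")" and words; AND / OR / WITH are the SPDX operators.
function tokenize(expr) {
  return expr.match(/\(|\)|[^\s()]+/g) || [];
}

function classify(expr) {
  const tokens = tokenize(expr);
  let pos = 0;
  const pick = (a, b, fn) => (fn(RANK[a], RANK[b]) === RANK[a] ? a : b);

  // or-expr := and-expr ("OR" and-expr)*  -> licensee chooses, most permissive wins
  function parseOr() {
    let cat = parseAnd();
    while (tokens[pos] === 'OR') { pos++; cat = pick(cat, parseAnd(), Math.min); }
    return cat;
  }
  // and-expr := atom ("AND" atom)*  -> all terms apply, most restrictive wins
  function parseAnd() {
    let cat = parseAtom();
    while (tokens[pos] === 'AND') { pos++; cat = pick(cat, parseAtom(), Math.max); }
    return cat;
  }
  // atom := "(" or-expr ")" | license-id ["WITH" exception-id]
  function parseAtom() {
    const tok = tokens[pos++];
    if (tok === '(') {
      const cat = parseOr();
      if (tokens[pos++] !== ')') throw new SyntaxError('missing ")" in ' + expr);
      return cat;
    }
    if (!tok || tok === ')' || tok === 'AND' || tok === 'OR') {
      throw new SyntaxError('unexpected token in ' + expr);
    }
    if (tokens[pos] === 'WITH') pos += 2; // exception id ignored for categorisation
    return CATEGORY.get(tok) || 'unknown'; // unknown ids fail closed under AND
  }

  const result = parseOr();
  if (pos !== tokens.length) throw new SyntaxError('trailing tokens in ' + expr);
  return result;
}
```

An identifier missing from the table ranks as most restrictive, so it only affects the result when the licensee has no better alternative under `OR`.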
