Skip to content

Include LICENSE file in published SignalR npm packages#67496

Open
BrennanConroy wants to merge 4 commits into
mainfrom
brennanconroy-signalr-npm-license
Open

Include LICENSE file in published SignalR npm packages#67496
BrennanConroy wants to merge 4 commits into
mainfrom
brennanconroy-signalr-npm-license

Conversation

@BrennanConroy

Copy link
Copy Markdown
Member

Summary

The published @microsoft/signalr and @microsoft/signalr-protocol-msgpack npm packages do not contain the project LICENSE file. While both correctly set the license field in package.json, many OSS compliance and license-scanning tools rely on the full license text being present as a LICENSE file in the package, and currently report it as missing.

The license only exists at the repo root (LICENSE.txt), so npm pack (which runs per package directory) never picked it up.

Approach

The npm packages are produced by eng/scripts/npm/pack-workspace.mjs, which runs npm pack <packageDir> for each public workspace package. This change copies the repo-root LICENSE.txt into each package directory just before npm pack, and removes it afterward in a finally block so no build artifact is left behind in the source tree (mirroring the existing version-bump/rename cleanup pattern).

No changes to the files allowlists are required: npm always includes a top-level LICENSE file in the tarball, even when files is specified.

Notes

  • Because the fix lives in the shared pack script, the license is now also shipped in the third public package built here, @microsoft/dotnet-js-interop. They are all the same MIT-licensed repo, so this is correct and consistent.

Verification

  • npm pack --dry-run against the real @microsoft/signalr package (with the LICENSE copied in) shows LICENSE.txt included in the tarball, and the source tree is clean afterward.
  • Confirmed via an isolated test that npm auto-includes a top-level LICENSE.txt even when a restrictive files allowlist is set.

Fixes #67486

The published @microsoft/signalr and @microsoft/signalr-protocol-msgpack npm packages did not contain the project LICENSE file, which OSS compliance tools rely on. The license only existed at the repo root, so npm pack never picked it up.

Copy the repo-root LICENSE.txt into each package directory before npm pack and remove it afterward. npm always includes a top-level LICENSE file in the tarball, even with a files allowlist, so no package.json changes are needed. This also covers @microsoft/dotnet-js-interop.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 30, 2026 18:56
@BrennanConroy BrennanConroy requested review from a team and wtgodbe as code owners June 30, 2026 18:57
@BrennanConroy BrennanConroy requested a review from javiercn June 30, 2026 18:59

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the shared npm packing workflow to ensure the repository’s root MIT license text (LICENSE.txt) is included in the published tarballs for the public workspace packages (notably @microsoft/signalr and @microsoft/signalr-protocol-msgpack), improving compatibility with license scanning/compliance tooling.

Changes:

  • Copy repo-root LICENSE.txt into each package directory immediately before npm pack.
  • Ensure the copied license file is removed afterward via a finally block to avoid leaving build artifacts in the source tree.
Show a summary per file
File Description
eng/scripts/npm/pack-workspace.mjs Copies LICENSE.txt into each workspace package before packing and cleans it up afterward.

Copilot's findings

  • Files reviewed: 1/1 changed files
  • Comments generated: 2
Comment on lines 81 to 82
const packageFileName = `${normalizedPackageName}-${packageVersion}.tgz`;
const packageTarball = resolve(packageDir, `${packageFileName}`);
Comment thread eng/scripts/npm/pack-workspace.mjs
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Comment thread eng/scripts/npm/pack-workspace.mjs Outdated
@BrennanConroy BrennanConroy requested a review from halter73 as a code owner June 30, 2026 23:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

3 participants