Oh, hmm maybe I checked it wrong, but I just looked at https://github.com/pyscript/pyscript/blob/main/core/package.json#L85, which shows a dependency on https://www.npmjs.com/package/@webreflection/toml-j0.4, the license of which is "none" and the linked Github page of which 404s.

I'm not entirely sure just having the comment /*! (c) Jak Wings - MIT */ at the start of the file complies with this section of the MIT license:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

But that's alright, I'll just add the full license you linked above in our repo manually.

Thank you for clearing this up!

we want to comply with licenses too so if the issue in here is that the provided dependency has malformed package.json or one that does not work in practice we can fix that.

About having the whole license in each dependency, that's not how anyone else out there uses CDNs services or bundlers so, as long as it's clear we depend on that module, that module points at the right repo on npm and the license field in there is correct, I think we should be OK?

Well, sort of. CDNs actually allow you to inspect the contents of a package directly.

For example, you might just load https://cdn.jsdelivr.net/npm/@webreflection/toml-j0.4@1.1.3/toml.js on your page, but if someone sees this, they can easily look at https://cdn.jsdelivr.net/npm/@webreflection/toml-j0.4@1.1.3/ and find LICENSE there. The CDN is storing the "copy of the Software" as a web-accessible folder and they "include" "The above copyright notice and this permission notice", just like the license requires.

I don't know any CDNs that don't allow you to do this sort of inspection, and I believe this is precisely how they're complying with these licensing terms.

The way you're handling it in your repo does not comply with that from what I can tell, as the "copy of the Software" does not "include" "The above copyright notice and this permission notice". However, I'm not a lawyer, so I can't say for sure.

In any case, even if what you said ("we depend on that module, that module points at the right repo on npm and the license field in there is correct") was actually sufficient to comply with the license, this is not the case in this instance. The license field on npm is not correct, that's precisely why I thought there was a licensing issue here to begin with.

OK, I've updated the package.json and re-published it ... it will be part of our next PyScript release ... are we good? https://www.npmjs.com/package/@webreflection/toml-j0.4

Looks good to me!

here is where we bundle 3rd party libraries https://github.com/pyscript/pyscript/blob/main/core/rollup/3rd-party.cjs

we could add a link on top of these that points explicitly at the jsdelvr CDN that provides that content so allow people surfing those packages ... we do this at build time only to allow offline usage through a package that contains those 3rd party dist, otherwise we could just grab (as we do already) those files via the CDN itself at runtime ... but that would break the offline use case.

So ... would a link to the original source file at the CDN as it's served from the CDN solve all your concerns?