[Improvement] Fix Web UI compliance with ASF licensing policy #6441

Open
justinmclean opened this issue Feb 12, 2025 · 10 comments
Labels
improvement Improvements on everything

Comments

@justinmclean
Member

What would you like to be improved?

The CC-BY-4.0 license is a bit problematic [1]. As described in LEGAL-678 [2], Can I Use Lite can only be used where it is a compile-time or developer dependency. For our project, it looks to be a production dependency:

pnpm licenses list --prod | grep caniuse

│ caniuse-lite                                 │ CC-BY-4.0    

pnpm list --prod --depth=Infinity | grep caniuse

├── caniuse-lite 1.0.30001639
  1. https://www.apache.org/legal/resolved.html#cc-by
  2. https://issues.apache.org/jira/browse/LEGAL-678

Note that two bits of software marked as unknown are actually public domain (fast-shallow-equal and react-universal-interface).

How should we improve?

No response

@justinmclean justinmclean added the improvement Improvements on everything label Feb 12, 2025
@justinmclean
Member Author

Note caniuse-lite 1.0.30001639 is a production dependency of next 14.2.21. It is also a developer dependency of autoprefixer 10.4.19.

@justinmclean justinmclean changed the title from "[Improvement] Fix Web UI compliance with ASF licensing" to "[Improvement] Fix Web UI compliance with ASF licensing policy" Feb 12, 2025
@LauraXia123
Collaborator

LauraXia123 commented Feb 25, 2025

https://issues.apache.org/jira/browse/LEGAL-678

As discussed, caniuse is only used to build the project and does not appear in the final built project files.
I grepped the final built project files (dist/ui) and found nothing about caniuse-lite:
grep -r "caniuse-lite" dist/ui/
grep -r "caniuse" dist/ui/

caniuse-lite is a production dependency of next because next needs the package to be present when building our app; it works for next build/next dist (script). The final built project files will not include the package. (At the moment I can only prove it by grep.)

@justinmclean
Member Author

As you can see above, this is not correct; it's a production dependency, not a development dependency.

@justinmclean
Member Author

Also, if you look at issues like [1], you see it's checking if its DB is up to date when running, not compiling.

  1. I recently started getting the "Browserslist: caniuse-lite is outdated" warning vercel/next.js#13135

@LauraXia123
Collaborator

LauraXia123 commented Feb 25, 2025

> Also, if you look at issues like [1], you see it's checking if its DB is up to date when running, not compiling.
>
>   1. I recently started getting the "Browserslist: caniuse-lite is outdated" warning vercel/next.js#13135

It is only set up by next dev (development mode) and next build (compiling). The above is development mode.
In gravitino, we build the web UI in export mode; caniuse only works when compiling.

@justinmclean
Member Author

We need to prove that it is not used in production. How can we do this? So far all available evidence points to it being a production dependency.

@LauraXia123
Collaborator

@justinmclean
Member Author

I'm a little confused by that report; it seems to show that caniuse is used in production. It doesn't matter if the dependency is transitive. A dependency of next.js, which is a dependency of gravitino, is still a dependency.

Can you tell me how you build step 1? Note you could use something like find . -exec grep caniuse {} \; to look at all files.

@LauraXia123
Collaborator

LauraXia123 commented Feb 26, 2025

  1. It shows that caniuse-lite is used in next production, not gravitino production. A dependency of next.js, which is an indirect dependency of gravitino. The indirect dependency may work for the final app project, or may not. Analyzing the build files mapped to the source code is how to prove that it is not there.
  2. I modified the build file configuration entry a bit in next.config.js:

    // isProdEnv, apiUrl, oauthPath and oauthUri are defined elsewhere in next.config.js (not shown in this comment)
    const nextConfig = {
      ...(isProdEnv
        ? {}
        : {
            async rewrites() {
              return {
                fallback: [
                  { source: '/api/:path*', destination: `${apiUrl}/api/:path*` },
                  { source: '/configs', destination: `${apiUrl}/configs` },
                  { source: `${oauthPath}`, destination: `${oauthUri}${oauthPath}` }
                ]
              }
            }
          }),
      output: process.env.OUTPUT_MODE || 'standalone',
      basePath: process.env.BASE_PATH,
      distDir: process.env.DIST_DIR,
      trailingSlash: false,
      reactStrictMode: true,
      productionBrowserSourceMaps: true,
      webpack: (config, { isServer }) => {
        if (!isServer) {
          // disable TerserPlugin
          config.optimization.minimizer = []
          // disable Tree Shaking
          config.optimization.usedExports = false
          // disable code segmentation
          config.optimization.splitChunks = false
          // reserved module paths
          config.output.devtoolModuleFilenameTemplate = function (info) {
            return 'file:///' + encodeURI(info.absoluteResourcePath)
          }
        }
        return config
      }
    }

    Then run pnpm dist, and it will work.
Image

Above is the result of find ./dist/ui -exec grep caniuse {} \;. Is this as expected?

@justinmclean
Member Author

I think we now have enough to show caniuse lite is not currently in our release. We will need to keep a careful eye on this as it may be possible for it to end up being in a future release.
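
The check this thread arrives at (searching the exported dist/ui for caniuse-lite, with source maps enabled) can be kept as a repeatable release check. The following is an added example, not part of the thread or of the Gravitino code base; the function names, the `node_modules/<pkg>/` path marker and the sample trees are assumptions constructed for illustration.

```javascript
// Added example, not Gravitino code. Scans an exported UI directory for a package
// by name (what grep does) and by module path in source maps' "sources" arrays.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Recursively list every file under dir.
function walk(dir) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((entry) => {
    const full = path.join(dir, entry.name);
    return entry.isDirectory() ? walk(full) : [full];
  });
}

// Returns one finding per file that references pkg; an empty array means "not shipped".
function findPackage(distDir, pkg) {
  const marker = `node_modules/${pkg}/`; // assumed layout; also matches pnpm's nested store
  const findings = [];
  for (const file of walk(distDir)) {
    const text = fs.readFileSync(file, 'utf8');
    let sources = [];
    if (file.endsWith('.map')) {
      try {
        const parsed = JSON.parse(text).sources;
        if (Array.isArray(parsed)) sources = parsed;
      } catch { /* not valid JSON: the plain content check below still applies */ }
    }
    const bundled = sources.filter((s) => String(s).replace(/\\/g, '/').includes(marker));
    const rel = path.relative(distDir, file);
    if (bundled.length > 0) findings.push({ file: rel, kind: 'source-map', detail: bundled });
    else if (text.includes(pkg)) findings.push({ file: rel, kind: 'content', detail: pkg });
  }
  return findings;
}

// Constructed sample trees (not real build output): one clean, one bundling the package.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'dist-scan-'));
  const write = (rel, body) => {
    fs.mkdirSync(path.dirname(path.join(root, rel)), { recursive: true });
    fs.writeFileSync(path.join(root, rel), body);
  };
  const bundledSrc = 'file:///w/node_modules/.pnpm/caniuse-lite@0.0.0/node_modules/caniuse-lite/data/agents.js';
  write('clean/app.js', 'console.log("ui")');
  write('clean/app.js.map', JSON.stringify({ version: 3, sources: ['file:///w/src/app/page.js'] }));
  write('tainted/app.js.map', JSON.stringify({ version: 3, sources: [bundledSrc] }));
  const scan = (name) => findPackage(path.join(root, name), 'caniuse-lite');
  const result = { clean: scan('clean'), tainted: scan('tainted') };
  fs.rmSync(root, { recursive: true, force: true });
  return result;
}
```

The source-map check only sees what the maps record, so it is meaningful on a build made with `productionBrowserSourceMaps: true`, as in the configuration posted above.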
