browser-stdout has an invalid license, which transitively makes mocha a problematic dependency

[honzajavorek]

Prerequisites

• Checked that your issue hasn't already been filed by cross-referencing issues with the faq label

Description

mocha depends on the browser-stdout package, which is problematic, as it does not have proper licensing. It only mentions ICS in the package.json, but that's not satisfactory even by the license itself - see kumavis/browser-stdout#3. The maintainer doesn't seem to be attentive to this problem - kumavis/browser-stdout#4 This transitively makes mocha a problematic dependency as well.

Steps to Reproduce

Inspect the mocha dependency tree for incorrectly licensed packages. Every package should have a license name, full license text, and a copyright notice with a copyright holder.

Expected behavior: [What you expect to happen]

The mocha package depends only on packages with correct licensing.

Actual behavior: [What actually happens]

The browser-stdout package is in the dependency tree as a direct 1st level dependency, and it is not properly licensed. Just license name, but no full license text, no copyright notice with a copyright holder.

Reproduces how often: [What percentage of the time does it reproduce?]

100%

Versions

mocha@5.0.1

[Bamieh]

@honzajavorek thanks for raising this issue. I'll follow up on this by friday if no one did until then.

[honzajavorek]

@Bamieh Is there a way I can help?

[Bamieh]

@honzajavorek I reached out to Aaron on twitter. Hopefully he will be kind enough to give some time to merge the PR and solve this issue. Let's wait and see!

[kumavis]

so sorry 😿
fixed in browser-stdout@1.3.1