[BUG] LicenseRef-scancode-public-domain AND Unlicense classified as Incompatible license #1049

@nicorikken

Describe the bug
big-integer 1.6.52 triggers an 'Incompatible License' even though we explicitly put the license combination (LicenseRef-scancode-public-domain AND Unlicense) explicitly on the allow-licenses list. It also shows up on the 'Allowed licenses' list.

To Reproduce
Repository with this package-lock.json:

{
  "name": "test-dploy-yvo",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "test-dploy-yvo",
      "version": "1.0.0",
      "license": "ISC",
      "devDependencies": {
        "@types/node": "^20.10.0",
        "typescript": "^5.3.0"
      }
    },
    "node_modules/@types/node": {
      "version": "20.19.31",
      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.31.tgz",
      "integrity": "sha512-5jsi0wpncvTD33Sh1UCgacK37FFwDn+EG7wCmEvs62fCvBL+n8/76cAYDok21NF6+jaVWIqKwCZyX7Vbu8eB3A==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "undici-types": "~6.21.0"
      }
    },
    "node_modules/typescript": {
      "version": "5.9.3",
      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
      "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
      "dev": true,
      "license": "Apache-2.0",
      "bin": {
        "tsc": "bin/tsc",
        "tsserver": "bin/tsserver"
      },
      "engines": {
        "node": ">=14.17"
      }
    },
    "node_modules/undici-types": {
      "version": "6.21.0",
      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz",
      "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==",
      "dev": true,
      "license": "MIT"
    }
  }
}

Run a check with partial config:

allow-licenses:
  - LicenseRef-scancode-public-domain AND Unlicense

Expected behavior
It would not show up in the comment.

Screenshots
If applicable, add screenshots to help explain your problem.

Action version
What version of the action are you using in your workflow?

Download action repository 'actions/dependency-review-action@v4.8.2' (SHA:3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261)

Note: if you're not running the latest release please try that first!

Examples
If possible, please link to a public example of the issue that you're encountering, or a copy of the workflow that you're using to run the action.

If you have encountered a problem with a specific package (e.g. issue with license or attributions data) please share details about the package, as well as a link to the manifest where it's being referenced.

Additional context
Add any other context about the problem here.
