gabriel / musehub public
license-audit.md markdown
65 lines 2.8 KB
Raw
sha256:d035733f21ccff27735fddebfbbe0ed24565a32a22db8de5885402262671ecd2 chore: bump version to 0.2.0rc15 for musehub#113 fix release Sonnet 4.6 patch 15 days ago

MuseHub Dependency License Audit

Date: 2026-04-05 MuseHub version: current

This document records the license of each direct dependency. All licenses listed are compatible with MuseHub's distribution model (server-side SaaS deployment, not binary redistribution).


Direct Dependencies

Package Version range License OSI approved Notes
fastapi >=0.135.1 MIT Yes Web framework
jinja2 >=3.1.6 BSD-3-Clause Yes HTML templating
aiofiles >=25.1.0 Apache-2.0 Yes Async file I/O
uvicorn >=0.42.0 BSD-3-Clause Yes ASGI server
httpx >=0.28.1 BSD-3-Clause Yes Async HTTP client
pydantic >=2.12.5 MIT Yes Data validation
pydantic-settings >=2.13.1 MIT Yes Settings management
websockets >=15.0.1 BSD-3-Clause Yes WebSocket support
sqlalchemy >=2.0.48 MIT Yes ORM + async DB
asyncpg >=0.31.0 Apache-2.0 Yes PostgreSQL async driver
alembic >=1.18.4 MIT Yes DB migrations
psycopg2-binary >=2.9.10 LGPL-3.0 Yes PostgreSQL driver; LGPL applies only to the library itself, not to application code linking it dynamically
slowapi >=0.1.9 MIT Yes Rate limiting
cryptography >=46.0.5 Apache-2.0 AND BSD-3-Clause Yes Ed25519 / Fernet
boto3 >=1.42.71 Apache-2.0 Yes AWS SDK (S3, CloudWatch)
mido >=1.3.3 MIT Yes MIDI parsing
pyyaml >=6.0.2 MIT Yes YAML parsing
mistune >=3.0.0 BSD-3-Clause Yes Markdown rendering
typer >=0.15.4 MIT Yes CLI framework
msgpack >=1.1 Apache-2.0 Yes Binary serialization

Notable Notes

psycopg2-binary (LGPL-3.0)

LGPL-3.0 requires that users be able to replace the LGPL library with a modified version. In a SaaS deployment where we do not distribute binaries to end users, the LGPL dynamic-linking exception effectively means there are no obligations beyond attribution. No action required.

cryptography (Apache-2.0 + BSD-3-Clause)

The cryptography package bundles OpenSSL (Apache-2.0) and its own Python layer (BSD-3-Clause). Both are permissive. No action required.


Transitive Dependencies

Transitive licenses are not audited individually in this document. The key constraints are:

  • We have no GPL-2.0-only transitive dependencies (which would require open-sourcing our application code).
  • LGPL transitive dependencies are acceptable under the dynamic-linking exception for server-side SaaS.
  • All MIT, Apache-2.0, BSD-2/3-Clause transitive dependencies are unrestricted.

Run pip-licenses --from=mixed --format=markdown to generate a full transitive audit.


Review Schedule

This audit should be updated whenever a new direct dependency is added or a major version is bumped. Target: quarterly review.

Next review: 2026-07-05

File History 11 commits
sha256:d035733f21ccff27735fddebfbbe0ed24565a32a22db8de5885402262671ecd2 chore: bump version to 0.2.0rc15 for musehub#113 fix release Sonnet 4.6 patch 15 days ago
sha256:0032d6cfa33bc3c8367436ad768e7dd0e339b4332153160247da8266cb5fa352 Merge branch 'task/version-tags-phase3-server' into dev Human 17 days ago
sha256:4669620efda9ff41c55bdefd1f7bfe1c239d468428744c84ead9957e5a003a53 merge: rescue snapshot-recovery hardening (c00aa21d) into d… Opus 4.8 minor 30 days ago
sha256:a59da49c4611b970fc4b6ae48678ce4943261c213a07ddbd73ce9201df869b4a fix: remove false-positive proposal_comments index drop fro… Sonnet 4.6 patch 34 days ago
sha256:0a240d6dbff234f07d98a28a4a9a68db702f3f9ff9260196f24219bdb1c0b6f3 feat: render markdown mists as HTML with heading anchor links Sonnet 4.6 patch 35 days ago
sha256:24a7d47486ebc4ebd1832830580e177ec6f877b48dced8c000e198cdec4ce9d6 Merge 'task/bump-version-rc12' into 'dev' — proposal: Bump … Human 36 days ago
sha256:b9ff931d147e0114a1f17060f415b89ed551c170a91ff226c70437aa5c85f9ee Merge 'task/bump-version-rc12' into 'dev' — proposal: Bump … Human 36 days ago
sha256:d1122d21e73471879b460037b22c0b50fded7c423444a176f248428f75dac39c Merge 'task/fix-issue-pagination-cursor' into 'dev' — propo… Human 36 days ago
sha256:01e18975e73d2b3cd5b6db7929c895bef9aa6e0d4391dc5b2adfc548b41318dd Merge 'feat/adding-debug-logs-to-staging' into 'dev' — prop… Human 36 days ago
sha256:6b1949fc2797ca4c1936a637a4cbfec828ef56cf52398a2e74ca3c4f494e728f fix: use wire_bytes not mpack_bytes_raw in compute_object_b… Sonnet 4.6 patch 48 days ago
sha256:b99f2455dc346966d040133f5203297e6e3ef5803a93728a2c30568d0a0f7583 rename: delta_add → delta_upsert across wire format, models… Sonnet 4.6 patch 50 days ago