
If you add a dependency without understanding the license that dependency is released under, you should stop doing that. That counts for every license, and particularly if there is no license.


It goes transitively though.

Some popular Go packages grab tens (sometimes over a hundred, but not as many as in the Node world) of dependencies.

NOBODY checks the licenses of all the transitive dependencies in the Go world.

What should or should not happen is one thing; this is the reality.

edit: oh, but that led me to google this

neat

https://github.com/google/go-licenses
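An added example, not from this thread and not go-licenses' own code, of what checking transitive licenses mechanically looks like in Go. It parses the stream of JSON objects that `go list -m -json all` prints, locates each dependency's LICENSE/COPYING file in the module cache, classifies it with a few keyword signatures, and flags anything outside an allow-list. The signatures, the allow-list, and the NONE/NOT-DOWNLOADED labels are assumptions made for this example; a real scanner such as go-licenses uses a proper license detector rather than these heuristics.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"os/exec"
	"path/filepath"
	"regexp"
	"strings"
)

// Module mirrors the fields of `go list -m -json all` output this example needs.
type Module struct {
	Path     string `json:"Path"`
	Version  string `json:"Version"`
	Dir      string `json:"Dir"` // empty when the module is not in the module cache
	Main     bool   `json:"Main"`
	Indirect bool   `json:"Indirect"`
}

// DecodeModules parses the concatenated (not array-wrapped) JSON objects
// that `go list -m -json all` prints, one per module.
func DecodeModules(r io.Reader) ([]Module, error) {
	dec := json.NewDecoder(r)
	var mods []Module
	for {
		var m Module
		if err := dec.Decode(&m); err == io.EOF {
			return mods, nil
		} else if err != nil {
			return nil, err
		}
		mods = append(mods, m)
	}
}

// Keyword signatures, checked in order (assumption: crude heuristics for this
// example only; AGPL/LGPL come before GPL because their texts mention the GPL).
var licenseSignatures = []struct {
	name string
	re   *regexp.Regexp
}{
	{"Apache-2.0", regexp.MustCompile(`(?is)apache license,?\s+version 2\.0`)},
	{"MIT", regexp.MustCompile(`(?i)permission is hereby granted, free of charge`)},
	{"BSD", regexp.MustCompile(`(?i)redistributions of source code must retain`)},
	{"AGPL", regexp.MustCompile(`(?i)gnu affero general public license`)},
	{"LGPL", regexp.MustCompile(`(?i)gnu lesser general public license`)},
	{"GPL", regexp.MustCompile(`(?i)gnu general public license`)},
}

// ClassifyLicense returns an SPDX-like label for a license text, or UNKNOWN.
func ClassifyLicense(text string) string {
	for _, sig := range licenseSignatures {
		if sig.re.MatchString(text) {
			return sig.name
		}
	}
	return "UNKNOWN"
}

// FindLicenseFile returns the first LICENSE*/COPYING* file in dir, if any.
func FindLicenseFile(dir string) (string, bool) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return "", false
	}
	for _, e := range entries {
		name := strings.ToUpper(e.Name())
		if !e.IsDir() && (strings.HasPrefix(name, "LICENSE") || strings.HasPrefix(name, "COPYING")) {
			return filepath.Join(dir, e.Name()), true
		}
	}
	return "", false
}

// Finding is one row of the report.
type Finding struct {
	Module  string
	License string
	Allowed bool
}

// Audit classifies every dependency (main module skipped) and marks whether
// its license is on the allow-list. Missing or undetectable licenses are never
// allowed, which is the point: "no license" is the worst case, not a pass.
func Audit(mods []Module, allowed map[string]bool) []Finding {
	var out []Finding
	for _, m := range mods {
		if m.Main {
			continue
		}
		lic := "NOT-DOWNLOADED"
		if m.Dir != "" {
			lic = "NONE"
			if p, ok := FindLicenseFile(m.Dir); ok {
				if b, err := os.ReadFile(p); err == nil {
					lic = ClassifyLicense(string(b))
				}
			}
		}
		out = append(out, Finding{Module: m.Path + "@" + m.Version, License: lic, Allowed: allowed[lic]})
	}
	return out
}

func main() {
	// Run from inside a Go module; `go mod download` first so Dir is populated.
	outb, err := exec.Command("go", "list", "-m", "-json", "all").Output()
	if err != nil {
		fmt.Fprintln(os.Stderr, "go list:", err)
		os.Exit(2)
	}
	mods, err := DecodeModules(bytes.NewReader(outb))
	if err != nil {
		fmt.Fprintln(os.Stderr, "decode:", err)
		os.Exit(2)
	}
	allowed := map[string]bool{"MIT": true, "BSD": true, "Apache-2.0": true} // policy assumption
	exit := 0
	for _, f := range Audit(mods, allowed) {
		status := "ok"
		if !f.Allowed {
			status, exit = "REVIEW", 1
		}
		fmt.Printf("%-7s %-15s %s\n", status, f.License, f.Module)
	}
	os.Exit(exit)
}
```

Anything reported as REVIEW, including NONE and UNKNOWN, is exactly the case the comment above describes: a transitive dependency whose terms nobody has looked at. For real use, swap the keyword table for a proper detector and treat the exit code as a CI gate.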


Yes, that's why (apart from the Cyber Resilience Act) license scanners and SBOMs are a thing.



