| id | slug | title | status | kind | priority | labels | workflow_state | created_at | updated_at | assignee | legacy_ticket |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 20260601-123641-dependency-license-audit | dependency-license-audit | Audit external dependencies and license posture | open | task | P2 | | planning | 2026-06-01T12:36:41Z | 2026-06-01T13:08:45Z | null | null |
Background
Before public MIT release, Yoi needs a focused audit of external dependencies and their licenses. The goal is not to remove every dependency, but to identify heavy or weakly-justified dependencies, dependencies that are easy to replace with simpler code or existing transitive functionality, and any licensing or notice obligations that conflict with an MIT release posture.
This is an investigation/audit ticket. It should produce an actionable report rather than immediate dependency changes.
Requirements
- Inventory Rust crate dependencies from `Cargo.lock`/workspace metadata, including direct vs transitive status where practical.
- Identify direct dependencies that appear heavy, barely used, redundant, or plausibly replaceable.
- Check license metadata for direct and transitive Rust dependencies and flag unknown, copyleft, non-standard, or notice-relevant licenses.
- Inspect Nix/runtime/system dependencies declared by `flake.nix`, `package.nix`, and `devshell.nix` at a high level.
- Distinguish release blockers from advisory cleanup opportunities.
- Do not read ignored secret-like file contents.
- Do not modify dependency manifests as part of this ticket unless explicitly approved later.
Acceptance criteria
- An artifact report is written under this ticket with:
  - dependency inventory methodology;
  - direct dependency list with rough purpose/usage notes;
  - heavy/redundant/replaceable dependency candidates;
  - license compatibility findings for an MIT publication posture;
  - Nix/system dependency notes;
  - recommended follow-up tickets, if any.
- Report clearly marks any release blockers vs non-blocking cleanup.
- Validation/evidence commands used for the audit are recorded.