You'd think it's clear, and yet I've joined projects where software with such terms was included in production builds because "it was downloaded with npm so it's open source."
And having a user certify that they read a license agreement. I'll leave it to lawyers to talk about whether a user actually agrees to a license when they run "npm install", but Oracle's site at least requires the user to accept the license agreement by physically clicking a button. And I've worked at a lot of companies that drill into you that you do not click that button without approval from legal.
I get your point, but npm has the same issue even if you didn't accept the license. I mean, if you didn't accept the license that it comes with, then what license gives you a right to use it at all?
IMO, there's an argument that you implicitly license others in making your code available in a package manager such as NPM which requires no authentication or license clickthrough to incorporate code in your project, unlike the .net or other PMs where license terms are presented and require click-through agreement.
Not saying anyone should stake any bets on that argument winning, just that it wouldn't likely be summarily dismissed in court and would at the very least factor into the damages calculation.
Will be interesting to see if any cases like this ever get adjudicated and precedent set.
What implicit license, though? GPL? BSD? Something else? I feel like developers have a tendency to gloss over these things as if all FOSS licenses are the same, but they really aren't.