@datastream/core is a production dependency

[ehmicky]

Describe the bug
The @datastream/core package is a production dependency.

middy/packages/core/package.json

Line 65 in 4ad95ba

"@datastream/core": "0.0.38"

However, it only seems to be used in tests, i.e. should be a development dependency.

[willfarrell]

Thanks for reporting. To start off #NotALawyer. Technically, @datastream/core is a dependency, a portion of it's code is copied into @middy/core but import is not used to keep the bundle a little lighter. Thus, for SCA it is marked as a dependancy to ensure the license is preserved. If a copyright lawyer would like to chime in or you have an article by one that advises differently, I'm happy to review and adjust my stance on this.

[ehmicky]

Hi @willfarrell,

Thanks for answering. Also, thanks for your hard work in both Middy and @datastream/core! Middy is a very well designed library.

to ensure the license is preserved.

Yes, that's correct! 👍 The MIT license does require copying the contents of the LICENSE:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

However, instead of a production dependency, the LICENSE file of @datastream/core can just be copied as a sibling file. Alternatively, its contents can be appended to the bottom of @middy/core's LICENSE file.