Node-forge license issue as it is installed as dependency #66

Open
AshishUpadhyayCivica opened this issue Dec 2, 2022 · 4 comments

@AshishUpadhyayCivica

I am facing a licensing problem (BSD-3-Clause OR GPL-2.0) when I am using @nrwl/angular.
The issue is regarding one of the packages that is installed as a dependency.
Consider below
node-forge license dependency
So I am installing @nrwl/angular and all of its dependent packages are installed under the MIT license except node-forge.
My security scan detects this as a problem, as we don't want to use the BSD-3-Clause license.

I expect that node-forge should be removed as a dependency of @nrwl/angular, as this is creating a lot of licensing problems whilst using @nrwl/angular.

@jfromaniello
Owner

Excuse my ignorance, but isn't BSD-3-Clause compatible with MIT?

@AshishUpadhyayCivica
Author

> Excuse my ignorance, but isn't BSD-3-Clause compatible with MIT?

BSD-3 - GPL v2 are associated with node-forge, and there are differences between these two licenses. I am using a scanning tool which detects the BSD-3 license as a potential risk.
image

The above image gives a glimpse of the error I am facing.
I would welcome it if you have any solution or workaround for this problem.

@jfromaniello
Owner

I can see the problem here is that it found GPL-2.0, which is true... but the project is dual licensed and users can use it under whichever license they think is appropriate. The tool is not reporting a problem with BSD-3-Clause to you.

https://github.com/digitalbazaar/forge#contributing

This license allows Forge to be used under the terms of either the BSD License or the GNU General Public License (GPL) Version 2.
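
How an `OR` expression like the `(BSD-3-Clause OR GPL-2.0)` in this thread can be checked against a license policy, where one acceptable branch is enough. This is an added example, not code from this project, from node-forge or from the scanning tool mentioned above; the function names and the allowlists passed to `evaluate` are assumptions.

```javascript
// Added example: evaluate an SPDX-style license expression against an allowlist.
// Handles ids, AND, OR, parentheses; anything else (e.g. WITH) raises SyntaxError.
function tokenize(expr) {
  const tokens = expr.match(/\(|\)|[A-Za-z0-9.+-]+/g) || [];
  if (tokens.join('') !== expr.replace(/\s+/g, '')) {
    throw new SyntaxError(`unexpected character in "${expr}"`);
  }
  return tokens;
}
// Recursive descent, AND binds tighter than OR. Returns every license choice the
// expression offers; each choice is the list of ids that apply together.
function licenseChoices(expr) {
  const tokens = tokenize(expr);
  let pos = 0;
  const parseOr = () => {
    let choices = parseAnd();
    while (tokens[pos] === 'OR') { pos++; choices = choices.concat(parseAnd()); }
    return choices;
  };
  const parseAnd = () => {
    let choices = parseAtom();
    while (tokens[pos] === 'AND') {
      pos++;
      const right = parseAtom();
      // Every pairing of a left choice with a right choice applies together.
      choices = choices.flatMap(l => right.map(r => [...l, ...r]));
    }
    return choices;
  };
  const parseAtom = () => {
    const tok = tokens[pos++];
    if (tok === '(') {
      const inner = parseOr();
      if (tokens[pos++] !== ')') throw new SyntaxError('missing ")"');
      return inner;
    }
    if (!tok || [')', 'AND', 'OR'].includes(tok)) {
      throw new SyntaxError(`expected a license id, got ${tok}`);
    }
    return [[tok]];
  };
  const result = parseOr();
  if (pos !== tokens.length) throw new SyntaxError(`unexpected token ${tokens[pos]}`);
  return result;
}
// A package passes when at least one choice uses only allowed licenses.
function evaluate(expr, allowed) {
  const usable = licenseChoices(expr).filter(c => c.every(id => allowed.has(id)));
  return { compliant: usable.length > 0, usable };
}
```

With a constructed allowlist of `MIT` and `BSD-3-Clause`, `evaluate('(BSD-3-Clause OR GPL-2.0)', ...)` is compliant through the BSD branch; with `MIT` alone, neither branch is allowed and the package fails the policy.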

@jimmywarting

Any possibility that we could use Web Crypto instead of node-forge?
