Apollo Server has dependency on @axinom/mosaic-service-common 0.3.0 which has 'proprietary' license

Hi , I am using apollo server in my project at my company.
We have found that one of the dependencies of Apollo Server is @axinom/mosaic-service-common which has a proprietary license

The license of @apollo/server package is MIT. Is it ok for Apollo Server to be referring to a dependency with proprietary license?

Has anyone also noticed this and is this something that is going to be looked at ?
Any suggestions on how we can keep using @apollo/server without the dependency.

I just installed @apollo/server 4.10.4 and only get these dependencies:

info Direct dependencies
└─ @apollo/server@4.10.4
info All dependencies
├─ @apollo/cache-control-types@1.0.3
├─ @apollo/protobufjs@1.2.7
├─ @apollo/server-gateway-interface@1.1.1
├─ @apollo/server@4.10.4
├─ @apollo/usage-reporting-protobuf@4.1.1
├─ @apollo/utils.createhash@2.0.1
├─ @apollo/utils.dropunuseddefinitions@2.0.1
├─ @apollo/utils.isnodelike@2.0.1
├─ @apollo/utils.printwithreducedwhitespace@2.0.1
├─ @apollo/utils.removealiases@2.0.1
├─ @apollo/utils.sortast@2.0.1
├─ @apollo/utils.stripsensitiveliterals@2.0.1
├─ @apollo/utils.usagereporting@2.1.0
├─ @apollo/utils.withrequired@2.0.1
├─ @graphql-tools/merge@8.4.2
├─ @graphql-tools/schema@9.0.19
├─ @graphql-typed-document-node/core@3.2.0
├─ @josephg/resolvable@1.0.1
├─ @protobufjs/aspromise@1.1.2
├─ @protobufjs/base64@1.1.2
├─ @protobufjs/codegen@2.0.4
├─ @protobufjs/eventemitter@1.1.0
├─ @protobufjs/fetch@1.1.0
├─ @protobufjs/float@1.0.2
├─ @protobufjs/path@1.1.2
├─ @protobufjs/pool@1.1.0
├─ @protobufjs/utf8@1.1.0
├─ @types/body-parser@1.19.5
├─ @types/connect@3.4.38
├─ @types/express-serve-static-core@4.19.0
├─ @types/express@4.17.21
├─ @types/http-errors@2.0.4
├─ @types/long@4.0.2
├─ @types/mime@1.3.5
├─ @types/node-fetch@2.6.11
├─ @types/range-parser@1.2.7
├─ @types/serve-static@1.15.7
├─ accepts@1.3.8
├─ array-flatten@1.1.1
├─ async-retry@1.3.3
├─ asynckit@0.4.0
├─ body-parser@1.20.2
├─ call-bind@1.0.7
├─ combined-stream@1.0.8
├─ content-disposition@0.5.4
├─ content-type@1.0.5
├─ cookie-signature@1.0.6
├─ cookie@0.6.0
├─ cors@2.8.5
├─ define-data-property@1.1.4
├─ delayed-stream@1.0.0
├─ ee-first@1.1.1
├─ express@4.19.2
├─ finalhandler@1.2.0
├─ form-data@4.0.0
├─ forwarded@0.2.0
├─ get-intrinsic@1.2.4
├─ has-property-descriptors@1.0.2
├─ has-proto@1.0.3
├─ has-symbols@1.0.3
├─ hasown@2.0.2
├─ inherits@2.0.4
├─ ipaddr.js@1.9.1
├─ lodash.sortby@4.7.0
├─ loglevel@1.9.1
├─ long@4.0.0
├─ lru-cache@7.18.3
├─ media-typer@0.3.0
├─ merge-descriptors@1.0.1
├─ methods@1.1.2
├─ mime-db@1.52.0
├─ mime-types@2.1.35
├─ mime@1.6.0
├─ ms@2.0.0
├─ negotiator@0.6.3
├─ node-abort-controller@3.1.1
├─ node-fetch@2.7.0
├─ object-assign@4.1.1
├─ object-inspect@1.13.1
├─ path-to-regexp@0.1.7
├─ proxy-addr@2.0.7
├─ raw-body@2.5.2
├─ retry@0.13.1
├─ safer-buffer@2.1.2
├─ serve-static@1.15.0
├─ set-function-length@1.2.2
├─ sha.js@2.4.11
├─ side-channel@1.0.6
├─ toidentifier@1.0.1
├─ tr46@0.0.3
├─ undici-types@5.26.5
├─ utils-merge@1.0.1
├─ uuid@9.0.1
├─ value-or-promise@1.0.12
├─ vary@1.1.2
├─ webidl-conversions@3.0.1
├─ whatwg-mimetype@3.0.0
└─ whatwg-url@5.0.0

That library doesn’t seem to be a dependency:

% yarn why @axinom/mosaic-service-common
yarn why v1.22.19
[1/4] 🤔  Why do we have the module "@axinom/mosaic-service-common"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
error We couldn't find a match!

Are you sure that it is a dependency and didn’t come in another way?

Thanks for your reply. We are using a SCA tool which has detected its usage at location -

• UnreachableCaseError.js located at node_modules/@apollo/server/dist/cjs/utils

Did you take a closer look at that file? The full contents are (see UNPKG - @apollo/server)

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.UnreachableCaseError = void 0;
class UnreachableCaseError extends Error {
    constructor(val) {
        super(`Unreachable case: ${val}`);
    }
}
exports.UnreachableCaseError = UnreachableCaseError;
//# sourceMappingURL=UnreachableCaseError.js.map

The untranspiled source for that is available at apollo-server/packages/server/src/utils/UnreachableCaseError.ts at main · apollographql/apollo-server · GitHub :

/**
 * Throw this in places that should be unreachable (because all other cases have
 * been handled, reducing the type of the argument to `never`). TypeScript will
 * complain if in fact there is a valid type for the argument.
 */
export class UnreachableCaseError extends Error {
  constructor(val: never) {
    super(`Unreachable case: ${val}`);
  }
}

That are five lines of code that are pretty much the textbook definition on how to implement an error in JavaScript.

You can find very similar code e.g. in this StackOverflow question from 2018 - 3 years before that package you are quoting was released.

This is a false positive in your scanning tool.