LEXCEPTIO declares AGPL-3.0-only in lockfiles

A commit mislabeled "update dependencies" adds a single `"license": "AGPL-3.0-only"` field to both lockfiles. The fork is asserting its license - and that assertion has downstream consequences for anyone pulling from it.

complianceinfrastructure

The change is one field in each of backend/package-lock.json and frontend/package-lock.json. npm only writes "license" into a lockfile when the root package.json carries it, so this reflects a license declaration in the manifests that got committed via lockfile regen.

AGPL-3.0-only means any SaaS reuse of the code must publish source. If your fork runs under Apache 2.0, MIT, or a proprietary license, mixing in contributions from LEXCEPTIO after this point requires deliberate sign-off from whoever owns your licensing policy.

The commit message ("update dependencies") understates what happened. That's a minor process issue on LEXCEPTIO's side, but it means license changes can slip past reviews that only scan commit subjects.

So what Skip pulling from LEXCEPTIO unless your fork can accept AGPL-3.0-only terms. Worth a look if you're already AGPL or evaluating that direction - the declaration is clean and the two-file change is easy to verify.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

1 commit from LEXCEPTIO/mike, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
61deeb01 update dependencies LEXCEPTIO 2026-05-10 ↗ GitHub

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-225.md from inside the repo you want the changes in.

⬇ Download capture-thread-225.md