LEXCEPTIO declares AGPL-3.0-only in lockfiles
A commit mislabeled "update dependencies" adds a single `"license": "AGPL-3.0-only"` field to both lockfiles. The fork is asserting its license - and that assertion has downstream consequences for anyone pulling from it.
The change is one field in each of backend/package-lock.json and frontend/package-lock.json. npm only writes "license" into a lockfile when the root package.json carries it, so this reflects a license declaration in the manifests that got committed via lockfile regen.
AGPL-3.0-only means any SaaS reuse of the code must publish source. If your fork runs under Apache 2.0, MIT, or a proprietary license, mixing in contributions from LEXCEPTIO after this point requires deliberate sign-off from whoever owns your licensing policy.
The commit message ("update dependencies") understates what happened. That's a minor process issue on LEXCEPTIO's side, but it means license changes can slip past reviews that only scan commit subjects.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?