Hello, after running a FOSSA scan, the es5-ext in this repo was flagged as having three licenses: ISC from package.json and the LICENSE file, and then (MIT and GPL-2.0-only) licenses from string/#/normalize/shim.js. First, from looking at the string/#/normalize/shim.js file, the license is displayed as "Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses" with a link to the walling/unorm repository. Following to the walling/unorm repository, as expected the file has the same notice at the top listing the licenses. Now, following the SPDX 3.0 license expressions Annex B, both MIT and GPL-2.0 licenses need to be complied with due to the use of the "AND" operator.
I am going to ask about the GPL-2.0 part of the licenses, since ISC and MIT are both permissive licenses compared with GPL-2.0 being copyleft.
Reading the GPL-2.0 license, two parts in section 2 stood out, being
2b: You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
Then, below parts a, b, and c in section 2:
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
With these parts from section 2 above, would it be correct to say that when using es5-ext as a dependency or transitive dependency coming from the npm registry, this package would also as a whole be under a GPL-2.0 license (and the other license) due to string/#/normalize/shim.js being distributed in the package?
While instead, say as a thought experiment, if each folder (array, boolean, string, etc.) was released as its own package, then every "package" could be licensed under just ISC or another, except for string, which would still need to have a GPL-2.0 license.
Trying to check to see if this would be an accurate interpretation of how this package's licenses work, when being used as a direct dependency or transitive dependency when retrieved from the npm registry.