Primarily look at their licences; I want to make sure the permissive binary doesn't include any copyleft code.
Check Willow in socket.dev as well, it should evaluate all direct and indirect dependencies based on more than just their licences. I specifically want a human to check the licences though.
Hmm, I believe we violate the license of the first dependency I see. Mergo's BSD-3-Clause license requires binary redistributions to reproduce the text of its license. I guess we need to vendor all dependencies, script extracting their licenses, and embed them in the binary for printing with `--licenses` or something?
Google's go-licenses tool might be the thing to solve this