Open Source License Audit
Software Bill of Materials (SBOM) and license compliance review of the Aldric platform
Version 1.0 — As of: March 2026
This document records the open source dependencies of the Aldric platform (Software Bill of Materials, SBOM), assesses license risks and ensures that all components are used in compliance with their respective licenses. Particular attention is paid to copyleft licenses (AGPL, GPL, LGPL) that could impact the licensing of the overall platform.
This audit was prepared as part of the compliance review of CONPORT Services GmbH and will be updated when significant dependency changes occur. It does not replace legal advice from a specialized IT attorney.
Part A: Platform Architecture and Components
Section 1 — System Overview
The Aldric platform is built as a modular monolith and consists of four main components plus container-based infrastructure:
| Component | Technology | Function |
|---|---|---|
| Backend | NestJS 11, TypeScript 5 | REST API, business logic, tenant isolation |
| Frontend | React 19, Vite, TypeScript | Single-page application, user interface |
| Marketing Site | Astro 5, Tailwind CSS | Static website, documentation |
| Monitoring | Express, WebSocket, React | Internal monitoring dashboard |
| Infrastructure | Docker, PostgreSQL, Redis, Keycloak, MinIO | Database, cache, auth, object storage |
Section 2 — Dependencies by Numbers
| Component | Production Dependencies | Development Dependencies |
|---|---|---|
| Backend (NestJS) | 53 | 27 |
| Frontend (React) | 10 | 23 |
| Marketing (Astro) | 6 | 7 |
| Monitoring | 7 | 8 |
| Total | 76 | 65 |
Part B: License Classification
Section 3 — License Categories
Open source licenses can be classified into three risk categories:
| Category | Risk | Licenses | Impact |
|---|---|---|---|
| Permissive | Low | MIT, Apache 2.0, BSD, ISC, 0BSD | Free use in proprietary software, license notice required |
| Weak Copyleft | Medium | LGPL, MPL 2.0, EPL | Modifications to the library must be published, own code remains proprietary |
| Strong Copyleft | High | GPL, AGPL | Entire derivative work must be released under the same license |
Section 4 — License Analysis Results
Result: No AGPL or GPL dependencies in production code
All direct production dependencies of the Aldric platform use permissive licenses (MIT, Apache 2.0, BSD, ISC). No strong copyleft licenses (AGPL, GPL) were identified in production code.
License Distribution (Production Dependencies)
| License | Package Count | Share | Risk |
|---|---|---|---|
| MIT | ~60 | ~79% | Low |
| Apache 2.0 | ~10 | ~13% | Low |
| BSD (2-/3-Clause) | ~4 | ~5% | Low |
| ISC | ~2 | ~3% | Low |
| AGPL / GPL | 0 | 0% | — |
Part C: AGPL Review (Focus: MinIO)
Section 5 — MinIO Background
MinIO is an S3-compatible object storage and a central infrastructure component of the Aldric platform. MinIO has changed its license multiple times:
| Period | License | Impact |
|---|---|---|
| Until 2018 | Apache 2.0 | Permissive, no restrictions |
| 2018 — 2021 | AGPL 3.0 | Copyleft, network clause |
| From April 2021 | GNU AGPL v3 (Server) / Apache 2.0 (SDK) | Dual license, SDK remains permissive |
Section 6 — MinIO Usage in Aldric
Result: No AGPL risk
Aldric uses MinIO exclusively through the official JavaScript SDK (minio@8.0.6), which is licensed under Apache License 2.0. The MinIO server runs as a separate Docker container and is not embedded in the Aldric source code.
| Aspect | Detail | License |
|---|---|---|
| SDK (npm package) | minio@8.0.6 | Apache 2.0 — permissive |
| Server (Docker) | minio/minio:latest | AGPL 3.0 — runs in isolation |
| Integration | S3-compatible API via HTTP | No code linking |
| Embedding | None — separate process | Not a derivative work |
Legal assessment: Since MinIO is accessed as an independent service through a standardized API (S3 protocol) and is not embedded in the application code, no "derivative work" is created under prevailing legal interpretation of the AGPL. The AGPL license of the server therefore has no impact on the licensing of the Aldric platform.
Section 7 — Alternative Storage Support
Aldric implements an adapter pattern for object storage and supports the following alternatives to MinIO:
- AWS S3 — @aws-sdk/client-s3 (Apache 2.0)
- Azure Blob Storage — @azure/storage-blob (MIT)
- Google Cloud Storage — @google-cloud/storage (Apache 2.0)
Customers with AGPL concerns can alternatively use a purely proprietary cloud storage provider without any changes to the Aldric platform.
Part D: Infrastructure Components
Section 8 — Docker Services
The following services run as independent Docker containers and are not embedded in the Aldric source code:
| Service | Image | License | Risk |
|---|---|---|---|
| PostgreSQL | pgvector/pgvector:pg17 | PostgreSQL License (BSD-like) | Low |
| Redis | redis:7-alpine | Redis Source Available License (RSAL 2.0) / SSPL | Medium |
| Keycloak | quay.io/keycloak/keycloak | Apache 2.0 | Low |
| MinIO | minio/minio:latest | AGPL 3.0 | Medium (isolated) |
| Mailhog | mailhog/mailhog | MIT | Low (dev only) |
| Prometheus | prom/prometheus | Apache 2.0 | Low |
| Grafana | grafana/grafana | AGPL 3.0 (OSS) / Elastic License (Enterprise) | Medium (isolated) |
Note on Redis and Grafana
Redis: Since version 7.4, Redis uses the RSAL 2.0 / SSPL dual license. As Redis is used as a separate container service (no code embedding), there is no copyleft risk. Alternatively, Valkey (BSD-licensed Redis fork) can be used.
Grafana: Grafana OSS is licensed under AGPL 3.0. As a standalone monitoring dashboard without code integration, no derivative work is created.
Part E: Core Dependencies by Category
Section 9 — Backend (NestJS)
| Package | Version | License | Purpose |
|---|---|---|---|
| @nestjs/core | ^11.0.1 | MIT | Application framework |
| @prisma/client | ^5.22.0 | Apache 2.0 | Database ORM |
| minio | ^8.0.6 | Apache 2.0 | Object storage SDK |
| stripe | ^18.5.0 | MIT | Payment processing |
| bullmq | ^5.67.1 | MIT | Message queue |
| ioredis | ^5.10.0 | MIT | Redis client |
| passport | ^0.7.0 | MIT | Authentication |
| puppeteer | ^24.36.0 | Apache 2.0 | PDF generation |
| class-validator | ^0.14.3 | MIT | Input validation |
| winston | ^3.19.0 | MIT | Logging |
| handlebars | ^4.7.8 | MIT | Template engine |
| nodemailer | ^7.0.13 | MIT | Email delivery |
Section 10 — Frontend (React)
| Package | Version | License | Purpose |
|---|---|---|---|
| react | ^19.2.0 | MIT | UI framework |
| react-dom | ^19.2.0 | MIT | DOM rendering |
| react-router-dom | ^7.13.0 | MIT | Client routing |
| i18next | ^25.8.0 | MIT | Internationalization |
| recharts | ^3.7.0 | MIT | Charts and graphs |
| xlsx | ^0.18.5 | Apache 2.0 | Excel export |
| dompurify | ^3.3.1 | Apache 2.0 / MPL 2.0 | XSS protection, HTML sanitization |
Section 11 — Marketing Site (Astro)
| Package | Version | License | Purpose |
|---|---|---|---|
| astro | ^5.5.0 | MIT | Static site generator |
| @astrojs/tailwind | ^6.0.2 | MIT | CSS framework integration |
| tailwindcss | ^3.4.17 | MIT | Utility CSS framework |
| nodemailer | ^8.0.1 | MIT | Contact form delivery |
Part F: Risk Assessment and Recommendations
Section 12 — Risk Assessment Summary
| Area | Risk | Rationale |
|---|---|---|
| npm dependencies (production code) | Low | 100% permissive licenses (MIT, Apache 2.0, BSD) |
| MinIO SDK | Low | Apache 2.0 — no copyleft |
| MinIO Server | Medium | AGPL 3.0, but isolated container — not a derivative work |
| Redis Server | Medium | RSAL 2.0 / SSPL, but isolated container — alternative: Valkey |
| Grafana | Medium | AGPL 3.0, but isolated monitoring tool |
| PostgreSQL | Low | PostgreSQL License (BSD-like) |
| Keycloak | Low | Apache 2.0 |
Section 13 — Recommendations
Immediate Measures (Implemented)
- Maintain AGPL isolation: MinIO, Grafana and Redis run as independent Docker containers. No direct code embedding.
- Verify SDK licenses: All npm SDKs use permissive licenses. The MinIO JavaScript SDK is Apache 2.0, not AGPL.
- Adapter pattern: Aldric supports multiple storage backends (AWS S3, Azure Blob, Google Cloud), so MinIO is not mandatory.
Ongoing Measures
- Monitor dependency updates: Review license of each package on major dependency updates. License changes can occur even in minor/patch updates.
- Automated license checking: Integrate a tool like license-checker or licensee into the CI/CD pipeline to automatically detect license changes.
- Update SBOM regularly: This document should be updated with every major dependency change or at least quarterly.
- Evaluate Valkey as Redis alternative: For concerns about the Redis RSAL/SSPL license, the BSD-licensed fork Valkey can be used as a drop-in replacement.
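The automated check recommended above, as an added example that is not part of this audit or the Aldric code base: it maps SPDX license expressions from package manifests onto the three risk categories of Section 3 and reports every package outside the allowed set, so a CI job can fail before a copyleft package reaches production. The policy for compound expressions ("A OR B", "A AND B") and the sample manifests are assumptions, not project data.

```javascript
// Added example (not part of the audit or the Aldric code base): a CI gate that
// maps SPDX license expressions onto the risk categories of Section 3.
const CATEGORY = {
  permissive: ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "0BSD"],
  weak: ["LGPL-2.1", "LGPL-3.0", "MPL-2.0", "EPL-1.0", "EPL-2.0"],
  strong: ["GPL-2.0", "GPL-3.0", "AGPL-3.0"],
};
const RANK = { permissive: 0, weak: 1, strong: 2, unknown: 3 };

// Strip SPDX suffixes such as "-only", "-or-later" or "+" before the lookup.
function classifyId(id) {
  const bare = id.trim().replace(/(-only|-or-later|\+)$/, "");
  for (const [cat, ids] of Object.entries(CATEGORY)) if (ids.includes(bare)) return cat;
  return "unknown"; // unrecognised or missing licence: needs manual review
}

// Assumed policy for compound expressions: "A OR B" lets the consumer choose,
// so the least restrictive option applies; "A AND B" imposes both, so the most
// restrictive one wins. "unknown" always outranks a known category.
function classifyExpression(expr) {
  if (typeof expr !== "string" || expr.trim() === "") return "unknown";
  const cleaned = expr.replace(/[()]/g, "");
  if (/\sOR\s/i.test(cleaned)) {
    return cleaned.split(/\sOR\s/i).map(classifyExpression)
      .reduce((a, b) => (RANK[a] <= RANK[b] ? a : b));
  }
  if (/\sAND\s/i.test(cleaned)) {
    return cleaned.split(/\sAND\s/i).map(classifyExpression)
      .reduce((a, b) => (RANK[a] >= RANK[b] ? a : b));
  }
  return classifyId(cleaned);
}

// Returns the packages whose category is not allowed; a CI job fails when
// the returned list is non-empty.
function auditManifests(manifests, allowed = ["permissive"]) {
  return manifests
    .map((m) => ({ name: m.name, license: m.license ?? null, category: classifyExpression(m.license) }))
    .filter((f) => !allowed.includes(f.category));
}

// Constructed sample manifests; the last two are hypothetical packages.
const SAMPLE = [
  { name: "@nestjs/core", license: "MIT" },
  { name: "minio", license: "Apache-2.0" },
  { name: "dompurify", license: "(MPL-2.0 OR Apache-2.0)" },
  { name: "hypothetical-gpl-lib", license: "GPL-3.0-only" },
  { name: "hypothetical-unlicensed" },
];
console.log(JSON.stringify(auditManifests(SAMPLE), null, 2));
```

Fed with the `license` fields from every `node_modules/*/package.json`, the same function reproduces the manual classification of Sections 9 to 11 on each dependency update.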
Section 14 — License Notice Obligations
The following obligations arise from the permissive licenses used:
| License | Obligation | Implementation |
|---|---|---|
| MIT | Retain copyright notice and license text | Included in node_modules, in NOTICES file for dist builds |
| Apache 2.0 | Retain copyright notice, license text, NOTICE file; mark modifications | Included in node_modules, NOTICE aggregation planned |
| BSD | Retain copyright notice and license text | Included in node_modules |
| ISC | Retain copyright notice and license text | Included in node_modules |
Contact
For questions regarding open source licenses or the SBOM of the Aldric platform, please contact:
CONPORT Services GmbH
Alte Benninghofer Str. 24
44263 Dortmund, Germany
Email: info@conport.services