So, in testing how to do the license filtering, I create a new feed called test of type npm. I add a feed connector to https://registry.npmjs.org. This works great.
The issue comes when I try a set up a License Filter. Based on the help in the dialog box, I am under the impress is either wide-open, or a white-list, i.e. only the licenses listed are allowed. However, when I enter a bogus URL to test (call it https://www.google.com), and run an npm install socketio which is under ICS license, it still will install, along with the rest of the dependencies which are a mix of BSD-3-Clause, MIT, and ISC.
Now, most of the package.json files simply have a line like:
and not an actual URL, but one, configya, does in fact contain a URL pointing to the MIT license over at opensource.org.
So, what am I doing wrong, or is the software does not work that way?