[License Exception Request] [nextjs/sharp-libvips] [LGPL-3.0]

[sam-heilbron]

For which CNCF project are you requesting exceptions?

https://github.com/kagent-dev/kagent, though this applies to all CNCF projects

Are you an official maintainer of this project?

No

List of components requiring an exception

Component	Upstream URL	Project Usage URL	License(s)	Purpose
sharp-lipvips	https://github.com/lovell/sharp	https://github.com/kagent-dev/kagent/blob/79f75775c1e6310dca9bccc287395456e7fc9d2a/ui/package.json#L41	Sharp dynamically links with libvips under the terms of LGPL 3, which is compatible with Apache 2.0. The Nextjs framework includes Sharp as a dependency, in later versions. As outlined in kagent-dev/kagent#1150, the kagent project is susceptible to a CVE by remaining on the earlier versions of NextJS

Are all of the components mandatory dependencies for the project to function as intended?

Yes

If no, please explain

No response

How will the components be included in or with the project's code and distributions?

• Incorporated code
• Vendored component
• Build-time dependency
• Build and test tooling
• Install-time dependency
• Required upstream dependencies
• Other (please describe below)

If any of the above selections don't apply to all of the components listed in the table above, please explain

No response

Which of the following best describes how the components interact with the project's own code?

• Static linking: e.g., compiled together with project code into a single binary
• Dynamic linking: e.g., compiled into a separate binary, running together with project code in a single address space at run-time
• Separate process: e.g., separate executable running in a different process space, interacting with project code only via mechanisms such as pipes, sockets, etc.
• Network interaction only: e.g., logically separated over a network and communicating only via mechanisms such as network API call, exchanging JSON data, etc.
• Other (please describe below)

If any of the above selections don't apply to all of the components listed in the table above, please explain

No response

Will any of the components be modified?

No

If yes, please specify which components will be modified, and briefly describe the purpose and nature of the modifications.

No response

Will the project be seeking to contribute the modifications back to the upstream project?

None

[sam-heilbron]

kagent, and any other projects using NextJS import next as a direct dependency: https://github.com/kagent-dev/kagent/blob/79f75775c1e6310dca9bccc287395456e7fc9d2a/ui/package.json#L41.

Due to a CVE in that version of Next (https://nextjs.org/blog/CVE-2025-66478), kagent-dev/kagent#1150, we are attempting to update the version, though that is flagged by Snyk as a "LGPL-3.0 license " issue for "@img/sharp-libvips-darwin-arm64@1.2.0" -- this comes from the Next.js (package next@15.4.7 and above).

Based on lovell/sharp#4023 (comment) and zoontek/react-native-bootsplash#730 (comment), it appears that this sharp-livips depedency is not in fact an issue.

However, we would appreciate clarification on this before we upgrade to a newer version of NextJS. If this is not a licensing issue, as we suspect, we would appreciate direction on how to avoid having Snyk report the issue.

Thanks!

[jeefy]

Heya! Please do the version upgrade to keep shipping secure code :) That said this will still require us to go through the exception process so we're going to keep this issue open and may have questions soon. If you have any other concerns in the meantime feel free to toss it in here.

[joannalee333]

The Governing Board has approved a blanket exception to enable any CNCF project to use sharp-lipvips under LGPL-2.1 or later or LGPL-3.0, provided that all of the following conditions are met:

• sharp-lipvips is being used as part of Next.js (and not used on a standalone basis);
• Sharp-lipvips is used as a build-time dependency, install-time dependency, or build & test tooling (but not as incorporated code or a vendored component) (see CNCF guidance for how these terms are defined);
• Next.js interacts with the project’s own code via dynamic linking, a separate process, or network interaction (static linking is not approved); and
• sharp-lipvips is used in unmodified form.