3a2b68706a
There are many packages that are dual-licensed, offering a choice of licenses (e.g. `MIT OR Apache-2.0`). There are some that include code from multiple sources and require multiple licenses (e.g. `MIT AND Apache-2.0`). There are also complex combinations that can exist for a variety of reasons, such as `MIT AND (Apache-2.0 OR BSD-3-Clause)`. The most straightforward approach to handle these is to have an allow list. As long as the licenses on the allow list can satisfy the license expression of the package in question, it should pass. To implement this, I the newest release of spdx-satisfies which changed the interface to be exactly as described `satisfies(license, allowList)` (see https://github.com/jslicense/spdx-satisfies.js/pull/17). Fixes https://github.com/actions/dependency-review-action/issues/263