From 1bfa91710cee1a57819791d3b8bb6d0e00fda3b9 Mon Sep 17 00:00:00 2001
From: Anna Henningsen
Date: Fri, 23 Jan 2026 18:58:57 +0100
Subject: [PATCH] fix(sbom-tools): allow BlueOak license

Confirmed by legal on Slack that this is acceptable.
---
 packages/sbom-tools/README.md | 1 +
 packages/sbom-tools/src/commands/generate-third-party-notices.ts | 1 +
 2 files changed, 2 insertions(+)

diff --git a/packages/sbom-tools/README.md b/packages/sbom-tools/README.md
index ba017f92..708b942b 100644
--- a/packages/sbom-tools/README.md
+++ b/packages/sbom-tools/README.md
@@ -129,6 +129,7 @@ The following licenses are allowed:
 - `WTFPL`
 - `OFL-1.1`
 - `Unlicense`
+- `BlueOak-1.0.0`

 The validation can be tweaked with a configuration file (by default `${cwd}/licenses.json`). The configuration allows ignoring certain orgs and packages, and overriding licenses for specific dependencies.
diff --git a/packages/sbom-tools/src/commands/generate-third-party-notices.ts b/packages/sbom-tools/src/commands/generate-third-party-notices.ts
index 8763f1c2..0f5acc60 100644
--- a/packages/sbom-tools/src/commands/generate-third-party-notices.ts
+++ b/packages/sbom-tools/src/commands/generate-third-party-notices.ts
@@ -28,6 +28,7 @@ const ALLOWED_LICENSES = [
 'WTFPL',
 'OFL-1.1',
 'Unlicense',
+ 'BlueOak-1.0.0',
 ];

 function checkOverrides(packagesToCheck: string[], dependencies: Package[]) {
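Review bot: The new `'BlueOak-1.0.0'` entry in `ALLOWED_LICENSES` carries no record of why it was approved; the only trace is the commit message's mention of a Slack conversation, which a later licence audit cannot follow or verify. I would add a comment on the entry, for example `// BlueOak-1.0.0: approved by legal, see <APPROVAL-TICKET-OR-DOC>`, so the allow-list itself documents the sign-off for each permitted licence. The same list is also maintained by hand in the README hunk of this patch, so the two can drift apart; a test that compares them, or generating the README list from the constant, would catch a licence that is documented as allowed but not enforced, or the reverse. The array and `checkOverrides` both continue outside the hunk, so how these identifiers are matched against a package's declared licence string is not visible here.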