Update license exception dataset from recently closed licensing issues

license-exceptions/CNCF-licensing-exceptions.csv

@@ -1,4 +1,11 @@
-Package or Category,License Concluded,Project,Scope,Status,Comments,Date Published,Last updated: 2026-06-01
+Package or Category,License Concluded,Project,Scope,Status,Comments,Date Published,Last updated: 2026-06-04
+RemixIcon,Remix Icon License v1.0,Backstage,Not Applicable (Denied),denied,Denied: Remix Icon License v1.0 is not an open source license and is not eligible for exception approval.,2026-05-08,
+axe-core,MPL-2.0,All CNCF Projects,Approved only for unmodified upstream axe-core used as a separated component; intermingled use is not approved.,approved,Blanket exception approved by GB email vote dated 2026-04-09.,2026-04-09,
+picolibc,"BSD-3-Clause, BSD-2-Clause, MIT, BSL-1.0, NCSA, Public Domain / CC0-1.0",Hyperlight,"Approved only for picolibc files under BSD-3-Clause, BSD-2-Clause, MIT, BSL-1.0, NCSA, or Public Domain/CC0-1.0; GPL/AGPL files are excluded and must not be ingested or automatically retrieved.",approved,Approved with explicit exclusion of GPL/AGPL files present in the upstream repository.,2026-04-22,
+github.com/apparentlymart/go-textseg,Unicode-DFS-2016,All CNCF Projects,No scope restrictions,approved,Blanket exception to allow any CNCF project to use go-textseg under Unicode-DFS-2016.,2026-02-18,
+certifi,MPL-2.0,All CNCF Projects,"Allowed only if the dependency is either (a) stored unmodified in a designated third-party folder, or (b) not stored in the CNCF project repository and instead retrieved at installation or build time from the upstream third-party repository or package repository.",approved,Blanket exception for certifi under MPL-2.0.,2026-02-18,
+sharp-lipvips,LGPL-2.1-or-later OR LGPL-3.0-only,All CNCF Projects,"Approved only when used as part of Next.js, in unmodified form, and only as build-time dependency, install-time dependency, or build-and-test tooling; static linking is not approved.",approved,Blanket exception for sharp-lipvips usage via Next.js under specified conditions.,2026-02-18,
+@auth0/quantum-product,Apache-2.0,OpenFGA,Not Applicable (Denied),denied,"Denied: source code was not publicly available, making Apache-2.0 distribution compliance impossible.",2025-12-04,
 eclipse-ee4j/expressly,EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0,Keycloak,"Approved for dynamic linking only (static linking not permitted); furthermore, the dependency must be used in unmodified form",approved,"Default implementation of Jakarta Expression Language 6.0, transitive dependency for Hibernate Validator",2025-01-12,
 libpathrs,MPL-2.0 OR LGPL-3.0-or-later,All CNCF Projects,"Any CNCF project using libpathrs as a statically linked dependency MUST elect to do so under MPL-2.0 (rather than LGPL-3.0) and declare such election in its documentation. Furthermore, to minimize compliance burdens for CNCF projects and downstream users, it is strongly recommended that projects using libpathrs as a dynamically linked dependency also elect to do so under MPL-2.0 (rather than LGPL-3.0). Furthermore, libpathrs must be maintained either (a) in a distinct directory or module clearly separated from CNCF project code, or (b) retrieved at build/installation time from a third-party repository.",approved,Blanket exception: Projects using libpathrs statically linked MUST elect MPL-2.0 and document this. Provides secure path resolution APIs.,2025-01-12,
 go-pathrs,MPL-2.0,All CNCF Projects,"Allowed only if the dependency is either (a) stored unmodified in a designated third-party folder, or (b) not stored in the CNCF project repository and instead retrieved at installation or build time from the upstream third party repository or package repository",approved,Blanket exception: Go bindings for libpathrs. Provides secure path resolution APIs.,2025-01-12,