The CI pipeline is different because for a module to end up as a dependency in the CI pipeline, it had to be explicitly selected by a person first to be included in the package file or manifest. There was intentionality and awareness that the software was included.
A person already pre-consented to the licenses of all the software which the pipeline downloaded. Big companies go through those dependency lists carefully already and remove those which do not meet their policies. This is a very intentional process.
> for a module to end up as a dependency in the CI pipeline, it had to be explicitly selected by a person first
I disagree. I think it’s entirely within the license to have your pipeline automatically pull in the latest version of a library, even if the new one happens to pull in a new MIT-licensed library (whether that’s a good idea and whether CI pipelines should, somehow, verify that code pulled in has an acceptable license are different discussions).
I also think it’s completely within the MIT license to tell an LLM that it can search for MIT-licensed libraries and use them without asking you.