github / licensed

A Ruby gem to cache and verify the licenses of dependencies


Missing `review_changed_license` property on a changed dependency

andreas-hakansson-ingka opened this issue · comments

We are running Licensed 3.3.1 (but we've tried with 3.4.2 as well) in a Go project, and one of our transient dependencies was updated and requires a re-review. However, when we check the cached record there is no `review_changed_license` property that we can remove, as mentioned in the documentation.

We have committed our license cache to source control and run with the following `.licensed.yml` file:

sources:
  go: true

allowed:
  - apache-2.0
  - bsd-2-clause
  - bsd-3-clause
  - cc0-1.0
  - isc
  - mit
  - unlicensed

reviewed:
  go:
    - github.com/jmespath/go-jmespath
    - github.com/klauspost/compress/**/*
    - github.com/google/**/*
    - golang.org/x/**/*
    - google.golang.org/**/*

It is the `github.com/klauspost/compress` (transient) dependency that is causing us issues at the moment. If we rebuild the cache (without rebuilding, it says it's too old and needs to be rebuilt, i.e. we get "cached dependency record out of date" for several records) and run a status check, then it says:

Errors:
* [REDACTED]/klauspost/compress
  filename: /[REDACTED]/.licenses/go/github.com/klauspost/compress.dep.yml, version: v1.14.1, license: other, allowed: false
    - license needs review: other

The dependency updated from v1.13.6 to v1.14.1.

I can see that it did change the cached record, because I can commit a new copy of it to version control after rebuilding the cache. If I look at the cached record it contains this (I removed the actual license text to keep it short):

---
name: github.com/klauspost/compress
version: v1.14.1
type: go
summary: 
homepage: https://pkg.go.dev/github.com/klauspost/compress
license: other
licenses:
- sources: LICENSE
  text: |
- sources: README.md
  text: This code is licensed under the same conditions as the original Go code. See
    LICENSE file.
notices: []

As you can see there's no `review_changed_license` property in there, so, to be honest, we're not even sure how Licensed knows it needs to be reviewed again if we run `licensed status` more than once?

We are getting the same error on multiple machines.

@andreas-hakansson-ingka sorry for the confusion and thanks for the report. TL;DR: the reviewed glob path you called out won't match that dependency. To fix the error you should add `github.com/klauspost/compress` as a reviewed pattern in addition to the glob you currently have.

The glob pattern you've set up in the reviewed list (`github.com/klauspost/compress/**/*`) won't match the dependency `github.com/klauspost/compress` because the `**/*` ending requires that there is at least one path part after `compress`. If a dependency isn't seen as being reviewed, it won't be marked as needing re-review. Some examples of different glob patterns and paths they match (or don't) with `File.fnmatch?` and the options used by licensed in this case 👇

irb(main):001:0> File.fnmatch?("github.com/klauspost/compress/**/*", "github.com/klauspost/compress", File::FNM_PATHNAME | File::FNM_CASEFOLD)
=> false
irb(main):002:0> File.fnmatch?("github.com/klauspost/compress", "github.com/klauspost/compress", File::FNM_PATHNAME | File::FNM_CASEFOLD)
=> true
irb(main):003:0> File.fnmatch?("github.com/klauspost/compress/**/*", "github.com/klauspost/compress/zlib", File::FNM_PATHNAME | File::FNM_CASEFOLD)
=> true
irb(main):004:0> File.fnmatch?("github.com/klauspost/compress/**/*", "github.com/klauspost/compress/gzhttp/writer/gzkp", File::FNM_PATHNAME | File::FNM_CASEFOLD)
=> true

With the additional reviewed path, future changes to the dependency license should trigger the `review_changed_license` property. Note that the property is only added when any license text values change; an update to the version with no significant changes to the license text will not trigger this scenario.

I'm going to close the issue as I don't believe there's anything to be fixed here, but please feel free to reopen and/or continue the conversation if you disagree 🙇
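To make the matching behaviour above concrete against the whole `reviewed:` list, here is an added example (not licensed's own code) that mirrors the `File.fnmatch?` call and flags from the irb session and checks the issue's config before and after adding the bare module path. The helper names and the "after" config are assumptions for illustration.

```ruby
# Added example (not licensed's own code): applies the same File.fnmatch? call
# and flags quoted above to every `reviewed: go:` entry for a dependency name.
require "yaml"

# FNM_PATHNAME makes "**/" match directory components recursively and stops
# "*" from crossing a "/"; FNM_CASEFOLD ignores case, as in the irb session.
FNMATCH_FLAGS = File::FNM_PATHNAME | File::FNM_CASEFOLD

# Constructed copy of the reviewed section from the issue's .licensed.yml.
CONFIG_BEFORE = YAML.safe_load(<<~YAML)
  reviewed:
    go:
      - github.com/jmespath/go-jmespath
      - github.com/klauspost/compress/**/*
      - github.com/google/**/*
      - golang.org/x/**/*
      - google.golang.org/**/*
YAML

# Same config with the recommended fix: the bare module path alongside the
# glob, which on its own only covers sub-packages of the module.
CONFIG_AFTER = YAML.safe_load(<<~YAML)
  reviewed:
    go:
      - github.com/jmespath/go-jmespath
      - github.com/klauspost/compress
      - github.com/klauspost/compress/**/*
      - github.com/google/**/*
      - golang.org/x/**/*
      - google.golang.org/**/*
YAML

# Returns the reviewed patterns that match `name`; an empty result means the
# dependency is not treated as reviewed, so no review_changed_license marker
# would be written for it when its license text changes.
def matching_reviewed_patterns(config, source, name)
  patterns = config.fetch("reviewed", {}).fetch(source, nil) || []
  patterns.select { |pattern| File.fnmatch?(pattern, name, FNMATCH_FLAGS) }
end

def reviewed?(config, source, name)
  !matching_reviewed_patterns(config, source, name).empty?
end

if __FILE__ == $PROGRAM_NAME
  %w[github.com/klauspost/compress github.com/klauspost/compress/zlib].each do |dep|
    puts "#{dep}: before=#{reviewed?(CONFIG_BEFORE, 'go', dep)} " \
         "after=#{reviewed?(CONFIG_AFTER, 'go', dep)}"
  end
end
```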

@andreas-hakansson-ingka 👋 following up, did ☝️ solve your issue?