DRAFT, pending counsel review. This document is an internal draft prepared on 2026-04-26 by the engineering team. It has NOT been reviewed by external legal counsel. Do not rely on it for legal advice. Effective date is a placeholder pending sign-off. Apostle Pty Ltd makes no representation that this draft satisfies any specific jurisdictional requirement until counsel-reviewed.

Open-Source Notices

Last revised: 2026-04-26 · Version: 0.1.0-draft

1. Acknowledgement

The PYLON service depends on a substantial body of open-source software. We are grateful to the maintainers and contributors of each project listed below. This NOTICE file consolidates the attributions required by the licences under which those projects are distributed.

This notice is generated against the runtime dependencies declared in the workspace package.json files in this repository. It does not enumerate transitive dependencies; the full transitive tree is visible in the lockfile (bun.lock) at the root of the repository and on our public GitHub mirror at https://github.com/apostledigital/pylon (TBD, placeholder until the mirror is established).

For the avoidance of doubt: PYLON's source code is not open source. This document is the attribution layer for the open-source components we incorporate into our service.

2. How to read this document

For each project we include:

• the package name as published to npm or GitHub;
• the version pinned in our workspace at the time of this revision;
• the licence;
• the upstream homepage where you can read the full licence text;
• the required attribution where the licence's notice clause asks for one verbatim.

Where multiple workspaces in this repository depend on the same project at the same version, the project is listed once.

Versions noted are the declared versions in our package.json files at the time of this revision. The lockfile may pin more specific versions; consult bun.lock for the exact resolved versions in any given build.

3. Top-level runtime dependencies

4. Build, tooling and test dependencies

These are devDependencies, used to build, lint, type-check and test PYLON, but not shipped in any production bundle. They are listed for completeness and because some of their licences (BSD) require notice retention even where the binary is not shipped.

5. Mobile-app dependencies (Expo SDK 54)

The PYLON mobile applications are built with Expo SDK 54 and NativeWind v5. Major mobile dependencies:

A complete list is generated at app build time and is available in the About / Open-source notices screen of the installed application.

6. Required notices verbatim

The following projects require a verbatim notice or copyright statement to be reproduced.

MIT licence (template, applies to all MIT-licensed projects above)

Copyright (c) [year] [project authors]

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Apache 2.0 licence (template, applies to Drizzle ORM, TypeScript, @mux/mux-node, Playwright, @lhci/cli)

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Mozilla Public License 2.0 (applies to Satori, axe-core, resvg-js)

This Source Code Form is subject to the terms of the Mozilla Public License, Version 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.

BSD-style licences

Cloudflare's Wrangler and the Workers SDK are dual-licensed under MIT or Apache-2.0; the Apache-2.0 notice above applies. Cloudflare trademarks and brand names remain the property of Cloudflare, Inc.

7. Reporting issues with this notice

If you maintain a project listed here and we have:

• the licence wrong;
• the version wrong;
• the project missing entirely;
• the homepage URL wrong;

please email [email protected] and we will correct the notice in the next revision. We aim to issue notice corrections within 30 days of receipt of a verifiable correction.

8. Generation method

This file is hand-curated against the workspace package.json files in this repository. We use:

jq -r '.dependencies | to_entries[] | "\(.key)|\(.value)"' \
    apps/*/package.json workers/*/package.json packages/*/package.json

…to enumerate the runtime declarations. The list is then deduplicated and licences are looked up against each project's LICENSE file in its repository.

A future automation pass (TBD) will generate this notice mechanically on each release.

Related

• Terms of Service
• Privacy Policy

Contact

• OSS notice corrections: [email protected]
• Public mirror: https://github.com/apostledigital/pylon (TBD)

Version history