OpenSource Risk Experts
Map your blast radius


Open source license risk for retail.

Open source license risk for retail concentrates in the search and data layer that runs the storefront. This page maps where relicensed components hide in a commerce stack, why the trading calendar sharpens the risk, and how retailers contain it on the buyer side.

Retail runs on open source. The storefront search, the cache that keeps pages fast, the database behind inventory and orders, and the automation that builds the infrastructure are all likely to rest on widely adopted projects. Open source license risk for retail is the exposure that appears when one of those projects changes terms, because the obligation lands on software that already serves customers. The relicensing wave hit exactly the components retail relies on most, which is why a stack that felt settled can carry exposure no one has mapped.

Where relicensing exposure hides in a retail stack

The exposure clusters in a few familiar places. Storefront and catalog search very often run on Elasticsearch, which moved from Apache 2.0 to the Server Side Public License and the Elastic License in 2021, with the AWS-led fork OpenSearch as the open destination. Caching, session state, and rate limiting frequently use Redis, which moved to a source-available model as of March 2024, with the community fork Valkey now available. Infrastructure automation commonly relies on Terraform, which moved to the Business Source License as of August 2023, with the OpenTofu fork as the open path. Each of these is a staple of retail engineering, and each has relicensed, which means a typical commerce stack carries more than one source-available component whether or not anyone tracked the change.

Why retail is particularly exposed

Two features of retail concentrate the risk. The first is heavy reliance on a small set of very popular projects, which is precisely the set that has been relicensing. The second is the trading calendar. Peak periods leave little room to schedule a forced migration or to absorb a sudden commercial license demand, and a change freeze around major sales events can run for weeks. A relicense discovered in the run-up to a peak is far harder to act on than the same finding mapped months ahead in a quiet window. The cost of a late discovery in retail is measured not only in license fees but in the engineering capacity it pulls away from revenue work at the worst possible time. Source-available is not open source, and the restrictions these licenses add are what turn a quiet dependency into a scheduling problem.

How a retailer maps and contains the exposure

The work starts with a complete picture. An open source license risk assessment maps the full dependency tree across the commerce platform, the data layer, and the infrastructure code, and records the current license state of each component rather than the one it carried at adoption. A relicensing exposure review then traces the blast radius of each relicensed component and sizes the cost in board language. Where a change is needed, open source remediation advisory weighs each option: a migration to an open fork such as OpenSearch or Valkey, a commercial license sized to real use, or a configuration change that removes the contested use. It then sequences the chosen path around the trading calendar so it lands in a quiet window. A retailer that took this route is described in "the retailer that built its first open source license inventory".

Make it a standing capability, not a one-off

The relicensing wave is not over, and the next change will land on a stack that has moved on since the last review. Retailers that turn the one-off map into a standing capability, with a current inventory and a policy that catches a relicense at intake, spend far less when the next change comes. Building that capability is the work of open source governance and policy, which sets the approval gates and license allowlists that keep a future relicense out of the critical path. The aim is a commerce stack whose license posture is known and defensible at any point in the year, not only after a finding forces the question.
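A minimal intake gate of the kind the two sections above describe, added here as an example and not the firm's tooling: it re-derives each component's current license from its version instead of trusting the license recorded at adoption, checks the result against an allowlist, and reports the blast radius and the open fork this page names. The relicense table, its version boundaries, the allowlist and the inventory are all constructed for the example.

```python
# Constructed relicense table: project -> (first relicensed major.minor, license from
# that version on, open fork the page names). Version boundaries are assumptions here.
RELICENSED = {
    "elasticsearch": ((7, 11), "SSPL-1.0 OR Elastic-2.0", "OpenSearch"),
    "redis": ((7, 4), "RSALv2 OR SSPL-1.0", "Valkey"),
    "terraform": ((1, 6), "BUSL-1.1", "OpenTofu"),
}
# Assumed intake allowlist: licenses the retailer's policy accepts without review.
ALLOWLIST = {"Apache-2.0", "MIT", "BSD-3-Clause", "MPL-2.0", "PostgreSQL"}

def major_minor(version):
    """'8.12.2' -> (8, 12), the granularity the relicense boundaries use."""
    parts = version.split(".")
    return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)

def current_license(name, version, license_at_adoption):
    """License this version actually ships under, not the one recorded at adoption."""
    entry = RELICENSED.get(name.lower())
    if entry and major_minor(version) >= entry[0]:
        return entry[1]
    return license_at_adoption

def license_allowed(expr):
    """A dual license 'A OR B' passes if any alternative is on the allowlist."""
    return any(alt.strip() in ALLOWLIST for alt in expr.split(" OR "))

def review_inventory(inventory):
    """One finding per component whose license drifted since adoption or now fails
    the allowlist; 'blast_radius' lists the services that depend on it."""
    findings = []
    for c in inventory:
        now = current_license(c["name"], c["version"], c["license_at_adoption"])
        ok = license_allowed(now)
        if now != c["license_at_adoption"] or not ok:
            entry = RELICENSED.get(c["name"].lower())
            findings.append({"name": c["name"], "version": c["version"],
                             "license_at_adoption": c["license_at_adoption"],
                             "license_now": now, "allowed": ok,
                             "open_fork": entry[2] if entry else None,
                             "blast_radius": sorted(c["used_by"])})
    return findings

# Constructed inventory for a commerce stack, licenses as recorded at adoption.
INVENTORY = [
    {"name": "elasticsearch", "version": "8.12.2", "license_at_adoption": "Apache-2.0",
     "used_by": ["storefront-search", "catalog-api"]},
    {"name": "redis", "version": "7.2.4", "license_at_adoption": "BSD-3-Clause",
     "used_by": ["session-store", "rate-limiter", "page-cache"]},
    {"name": "terraform", "version": "1.7.0", "license_at_adoption": "MPL-2.0",
     "used_by": ["infra-pipeline"]},
]
```

Run against this inventory, Redis 7.2 passes because it predates the relicense boundary, while Elasticsearch 8.12 and Terraform 1.7 are flagged with their fork and the services in their blast radius.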

COMMON QUESTIONS

Questions retailers ask.

What is open source license risk for retail?

Open source license risk for retail is the exposure a retailer carries when open source components in its commerce, supply chain, and data systems change to source-available or restrictive terms. A search engine, cache, or database that moved to the Business Source License or the Server Side Public License can create a commercial license demand or a forced migration in software that already runs the storefront.

Where does relicensing exposure hide in a retail stack?

Most often in the search and data layer. Many retail search experiences run on Elasticsearch, which moved to the Server Side Public License and the Elastic License in 2021. Caching and session stores frequently use Redis, which moved to a source-available model in 2024. Infrastructure automation often relies on Terraform, which moved to the Business Source License in 2023. Each is common in retail and each has relicensed.

Why is retail particularly exposed?

Because retail runs lean, high traffic systems on widely adopted open source, and peak trading periods make any forced change costly to schedule. A relicense found in November is far harder to act on than the same finding mapped months ahead. The combination of heavy reliance on a few popular projects and an unforgiving release calendar concentrates the risk.

How does a retailer contain the exposure?

By mapping the full dependency tree, identifying which components have relicensed, and choosing a contained path for each: a migration to an open fork such as OpenSearch or Valkey, a commercial license sized to actual use, or a configuration change that removes the contested use. The work is sequenced around the trading calendar so remediation lands in a quiet window.

Is this legal advice for retailers?

No. This is commercial and licensing risk advisory, not legal advice. We map and price the exposure on the buyer side. For interpretation of license terms and compliance, we recommend your own counsel.

CONTAINMENT

Map your retail stack before peak.

A confidential open source license risk assessment for retailers. Independent, buyer side, paid only by you.

