ARTICLE · UPDATED JUNE 2026
The Hidden Open Source Exposure in Production
The hidden open source exposure in production is the licensing risk that already lives in your running systems but appears on no inventory. It comes from relicensed components, copyleft reach, and transitive dependencies no one reviewed. The exposure exists whether or not anyone has noticed, and the only way to size it is to map what production actually runs.
Most license risk is not introduced by a new download. It is already present in the software you ship and operate today. A component you adopted years ago under a permissive license may have relicensed since. A library you never chose, pulled in transitively by something you did, may carry copyleft obligations your release process never accounted for. None of this shows up when systems are running normally, which is exactly why it is hidden. It surfaces only when a vendor writes, an auditor asks, or a deal forces the question, and by then the cheapest moment to act has passed.
Why production is where the open source exposure hides
Production is the blind spot because attention moves on once software works. The dependency that was reviewed at adoption is rarely reviewed again, even though its license can change underneath you. A team treats a tool as settled plumbing, and the license state of that plumbing drifts out of anyone's view. The exposure is not that something broke. It is that the terms governing working software changed while the software kept working, and no signal told anyone to look.
The relicensing wave of recent years made this concrete. In August 2023, HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License 1.1, which restricts competitive production use and converts to an open license only after a delay, commonly four years. In March 2024, Redis moved to a dual-license model that includes the Server Side Public License. Elasticsearch and Kibana moved to the Server Side Public License and the Elastic License in 2021. MongoDB moved to the Server Side Public License in 2018. In each case the new terms applied to software many enterprises were already running. The exposure was created on the day the license changed, not on the day someone noticed.
Source available is not open source
A large part of the hidden exposure comes from treating source-available licenses as if they were open source. They are not. The Business Source License and the Server Side Public License are not approved by the Open Source Initiative. You can read the code, but the rights are restricted. The Business Source License limits competitive production use. The Server Side Public License attaches far-reaching obligations to anyone who offers the software as a service. A dependency that an engineer logged as open source years ago may now sit under terms that carry real restrictions, and the inventory entry that still reads permissive is itself part of the exposure.
The blast radius of a single relicensed component
A relicensed component is rarely contained to one place. It is wired into pipelines, baked into base images, depended on by services that other services depend on in turn. The blast radius is everything that touches it, directly or transitively, and it is usually far wider than the single line in a manifest suggests. A library that looks like one dependency can sit beneath a dozen products and dozens of teams. Sizing the real exposure means tracing that radius, not counting manifest entries. We cover the mechanics of indirect dependencies in transitive dependencies and hidden license risk.
The width of the blast radius is also what determines the cost to fix it. A component that touches one service is a contained change. A component that touches forty teams is a program of work. Knowing which you are dealing with is the difference between a measured plan and a panic. We break down how that cost is estimated in the cost to cure open source license risk.
How to map the hidden exposure
Finding hidden exposure is a mapping problem, not a guessing one. The method is to resolve the full dependency graph, direct and transitive, reconcile it against what is actually deployed, and confirm the current license state of every node against primary sources, with the date of each confirmation recorded, because this is a fast-moving area. Where a component has relicensed, you trace what it touches and record the blast radius. The output is a dependency tree with a license verdict on every node, ranked by exposure, so the few findings that matter rise to the top and the rest are set aside. An open source license risk assessment produces exactly this map, and the broader discipline sits on the open source license risk pillar.
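As an added example, not code from the article or from the advisory practice it describes, the mapping procedure above and the blast-radius tracing from the earlier section can be expressed over a dependency graph: resolve the transitive closure, reconcile the graph against a deployment inventory, attach a dated license verdict to every node, flag verdicts that are too old to trust, and rank the remaining findings by severity and by how much of production depends on them. The graph, the deployment inventory, the license table and all dates are constructed for illustration; the license ids on the redis, elasticsearch and terraform nodes follow the relicensing events the article lists, but nothing else here is real inventory.

```python
from collections import deque
from datetime import date

# Constructed dependency graph: node -> direct dependencies. Not real inventory.
DEPENDS_ON = {
    "billing-svc": ["redis", "http-lib"],
    "search-svc": ["elasticsearch", "http-lib"],
    "infra-pipeline": ["terraform", "yaml-lib"],
    "reporting-svc": ["report-lib"],
    "report-lib": ["redis"],  # nobody chose redis here; it arrives transitively
    "http-lib": ["tls-lib"],
    "redis": [], "elasticsearch": [], "terraform": [], "yaml-lib": [], "tls-lib": [],
}
# First-party services: they carry exposure but are not themselves findings.
FIRST_PARTY = {"billing-svc", "search-svc", "infra-pipeline", "reporting-svc"}

# Constructed deployment inventory: what production actually runs.
# "metrics-agent" runs in production but appears in no manifest;
# "search-svc" (and with it elasticsearch) is in the manifests but decommissioned.
DEPLOYED = {
    "billing-svc", "infra-pipeline", "reporting-svc", "report-lib", "http-lib",
    "redis", "terraform", "yaml-lib", "tls-lib", "metrics-agent",
}

# License verdicts: (license id, category, date confirmed against a primary source).
# Constructed table; categories are "open", "copyleft" or "source-available".
LICENSE_VERDICTS = {
    "redis": ("SSPL-1.0", "source-available", "2026-06-01"),
    "elasticsearch": ("SSPL-1.0", "source-available", "2026-06-01"),
    "terraform": ("BUSL-1.1", "source-available", "2026-06-01"),
    "report-lib": ("MIT", "open", "2026-06-01"),
    "http-lib": ("Apache-2.0", "open", "2026-06-01"),
    "tls-lib": ("GPL-3.0-only", "copyleft", "2024-01-15"),  # old verdict
    "yaml-lib": ("MIT", "open", "2026-06-01"),
}
UNKNOWN = ("UNKNOWN", "unknown", None)
SEVERITY = {"source-available": 3, "copyleft": 2, "unknown": 1, "open": 0}


def transitive_closure(graph, roots):
    """Every node reachable from roots by following edges (breadth-first)."""
    seen, queue = set(), deque(roots)
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, []))
    return seen


def reverse_graph(graph):
    """component -> set of nodes that depend on it directly."""
    rev = {n: set() for n in graph}
    for node, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(node)
    return rev


def blast_radius(graph, component, deployed=None):
    """Everything that depends on component, directly or transitively.
    If a deployment inventory is given, only nodes actually running count."""
    rev = reverse_graph(graph)
    radius = transitive_closure(rev, rev.get(component, set()))
    return radius & deployed if deployed is not None else radius


def reconcile(graph, deployed):
    """Split the world into mapped-and-deployed, deployed-but-unmapped, mapped-but-idle."""
    mapped = set(graph)
    return {"in_scope": mapped & deployed,
            "unmapped": deployed - mapped,
            "not_deployed": mapped - deployed}


def stale_verdicts(verdicts, as_of, max_age_days=180):
    """Verdicts confirmed more than max_age_days before as_of must be re-checked."""
    limit = as_of.toordinal() - max_age_days
    return {n for n, (_, _, confirmed) in verdicts.items()
            if date.fromisoformat(confirmed).toordinal() < limit}


def rank_exposure(graph=DEPENDS_ON, deployed=DEPLOYED, verdicts=LICENSE_VERDICTS,
                  as_of=date(2026, 6, 30)):
    """Findings ordered by severity, then blast-radius size; open components are set aside."""
    scope = reconcile(graph, deployed)
    stale = stale_verdicts(verdicts, as_of)
    findings = []
    for node in sorted((scope["in_scope"] | scope["unmapped"]) - FIRST_PARTY):
        lic_id, category, confirmed = verdicts.get(node, UNKNOWN)
        if category == "open":
            continue
        findings.append({"component": node, "license": lic_id, "category": category,
                         "confirmed": confirmed, "stale": node in stale,
                         "radius": sorted(blast_radius(graph, node, deployed))})
    findings.sort(key=lambda f: (-SEVERITY[f["category"]], -len(f["radius"]), f["component"]))
    return findings


if __name__ == "__main__":
    for f in rank_exposure():
        flag = " (verdict stale, re-confirm)" if f["stale"] else ""
        print(f"{f['component']:14} {f['license']:13} {f['category']:17} "
              f"touches {len(f['radius'])}: {', '.join(f['radius']) or '-'}{flag}")
```

Two details carry the article's point. The blast radius is computed on the reverse graph and then intersected with the deployment inventory, so a decommissioned service does not inflate the count, while a node that is deployed but absent from every manifest still surfaces as an unknown-license finding rather than disappearing. And each verdict carries the date it was confirmed, so an old verdict on a copyleft component is flagged for re-confirmation instead of being trusted.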
The relicensing events themselves are worth understanding in detail, because the obligations differ sharply between the Business Source License and the Server Side Public License. We explain one of the most consequential in the Server Side Public License explained.
Acting before the exposure surfaces
The reason to map production exposure now, rather than when it surfaces, is leverage. Before a vendor letter arrives, you have every option: stay on a pre-change version, move to a community fork such as OpenTofu, Valkey, or OpenSearch, negotiate a commercial license from your own usage numbers, or remove the dependency. After the letter, the conversation is on the vendor's terms and the clock is theirs. The exposure does not grow because anyone did anything wrong. It grows because every release adopted under new terms and every team that builds more on top raises the cost to cure. Mapping early keeps the cost low and the options open.
We are independent and buyer-side. We take no vendor fees and resell no software, so the map and the recommendation reflect your risk and nothing else, including when the honest answer is that a given component is fine and needs no action. This is commercial and licensing risk advisory, not legal advice. For interpretation of specific license terms and your compliance position, engage your own counsel.
COMMON QUESTIONS
Questions buyers ask.
What is hidden open source exposure in production?
Hidden open source exposure in production is licensing risk that already lives in running systems but is not visible on any inventory. It comes from relicensed components, copyleft reach, and transitive dependencies that no one reviewed. The exposure exists whether or not anyone has noticed it.
Why does relicensing create production exposure?
When a project moves from an open license to a source-available one, the terms change for software you are already running. The Business Source License restricts competitive use and the Server Side Public License attaches service obligations. The change applies to production code, not just to new downloads.
What is the blast radius of a relicensed component?
The blast radius is everything that depends on the affected component, directly or transitively. A single relicensed library can touch many services, products, and teams. Mapping the blast radius shows the true scope of the exposure rather than the single line in a manifest.
How do we find hidden open source exposure?
Resolve the full dependency tree, direct and transitive, confirm the current license state of every node, and trace what each high-risk component touches. An open source license risk assessment produces exactly this map, ranked by exposure.
Is this legal advice?
No. This is commercial and licensing risk advisory, not legal advice. For interpretation of license terms and compliance questions, we recommend you engage your own counsel.
CONTAINMENT
Find the exposure before it surfaces.
A confidential open source license risk assessment. Independent, buyer-side, paid only by you.
Not ready to talk? Read the free open source license risk guides first.