It depends.
At least one of these (`Server Side Public License 1.0`) is a source-available license, not OSI-approved open source. Combination terms depend on the specific clauses of the source-available license — review the upstream's FAQ and consult a lawyer before redistributing or running as a service.
| License | Family | Patent grant |
|---|---|---|
| Server Side Public License 1.0 (SSPL-1.0) | source-available | No (implicit at most) |
| GNU Lesser GPL v2.1 (LGPL-2.1) | weak-copyleft | No (implicit at most) |
Server Side Public License 1.0: MongoDB's source-available license; targets SaaS providers with strong copyleft over the entire service stack.
GNU Lesser GPL v2.1: Library copyleft: dynamic linking permitted from non-LGPL code without triggering full copyleft.
If you found this page because you're trying to figure out whether shipping a particular dependency is safe, the answer above is a starting point — not a substitute for reading the actual licenses or talking to a lawyer when stakes are high.
LicenseHound walks every transitive dependency in your repo, maps each to its SPDX license, and flags pairs like this one in PR comments. The CLI is free; the team dashboard is paid.