UNPKG

check-licenses

Version:

Check the licenses for the packages that you are using

github.com/franciscop/check-licenses

franciscop/check-licenses

147 lines (118 loc) 5.75 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
# Check Licenses [![npx check-licenses](https://img.shields.io/badge/npx-check--licenses-blue.svg)](https://www.npmjs.com/package/check-licenses) [![test badge](https://github.com/franciscop/check-licenses/workflows/tests/badge.svg)](https://github.com/franciscop/check-licenses/blob/master/.github/workflows/tests.yml) A simple tool to check all the licenses in your dependencies: <img src="./assets/demo.webp" alt="Example command" width="400px" /> - Find all dependencies and their sub-dependencies in your project - Validate both the `package.json` and the `LICENSE` file per dependency - Only reads `dependencies` and not `devDependencies` - Uses `package-lock.json` for deterministic resolution - Handles multiple versions of the same library just fine ## Getting started You can either use `npx check-licenses`, or install this library globally and then run it at once: ```bash npm i check-licenses -g licenses # Note how this is just `licenses` licenses --list licenses --help # Or use the library straight from npm npx check-licenses npx check-licenses --list npx check-licenses --help npx --yes check-licenses # To avoid being asked to install it, e.g. in a CI ``` The main command will trigger a license summary: ```bash $ licenses MIT —————————————————— 56 ISC —————————————————— 7 CC0-1.0 —————————————— 4 BSD-2-Clause ————————— 2 Apache-1.0 ——————————— 2 Apache-2.0 ——————————— 2 CC-BY-3.0 ———————————— 1 ``` If you want to dig deeper and see which package uses what license, use the `--list` flag. ## Show the licenses used The base command is to count how many licenses of each type are in use: ```bash $ licenses MIT —————————————————— 1328 ISC —————————————————— 113 CC0-1.0 —————————————— 36 BSD-3-Clause ————————— 36 Apache-2.0 ——————————— 5 BSD-2-Clause ————————— 3 Zlib ————————————————— 1 CC-BY-3.0 ———————————— 1 GPL-2.0 —————————————— 1 ``` ## List all dependencies This can be used to find out what each of our dependencies (direct and indirect) is using. It might list multiple licenses in a single package: ```bash $ licenses --list ... test-exclude@5.2.3 ————————————— ISC text-table@0.2.0 ——————————————— MIT textarea-caret@3.0.2 ——————————— MIT throat@4.1.0 ——————————————————— MIT through@2.3.8 —————————————————— Apache-2.0 + MIT through2@2.0.5 ————————————————— MIT thunky@1.1.0 ——————————————————— MIT timers-browserify@2.0.11 ——————— MIT ... ``` This list is normally quite long, but it can be easily `grep`-ed. For example, to find all of the `Apache-2.0` licenses: ```bash $ licenses --list | grep Apache-2.0 fb-watchman@2.0.1 —————————————— Apache-2.0 forever-agent@0.6.1 ———————————— Apache-2.0 formik@2.1.5 ——————————————————— Apache-2.0 + MIT harmony-reflect@1.6.1 —————————— Apache-2.0 + MPL-1.1 human-signals@1.1.1 ———————————— Apache-2.0 ``` If there are multiple licenses in a library it's marked with a `+`. You can indeed also grep that! ```bash $ licenses --list | grep + ... are-we-there-yet@1.1.5 ————————— ISC + MIT atob@2.1.2 ————————————————————— Apache-2.0 + MIT detect-node@2.0.4 —————————————— ISC + MIT electron-to-chromium@1.3.534 ——— ISC + MIT formik@2.1.5 ——————————————————— Apache-2.0 + MIT fs.realpath@1.0.0 —————————————— ISC + MIT harmony-reflect@1.6.1 —————————— Apache-2.0 + MPL-1.1 json-schema@0.2.3 —————————————— AFLv2.1 + BSD killable@1.0.1 ————————————————— ISC + MIT lodash-es@4.17.15 —————————————— CC0-1.0 + MIT lodash.memoize@4.1.2 ——————————— CC0-1.0 + MIT ... ``` ## Finding bad licenses Let's say you run this tool and find the dependencies, of which you really don't want to follow CC-BY-3.0: ```bash $ licenses DOC —————————————————— 56 MIT —————————————————— 56 ISC —————————————————— 7 CC0-1.0 —————————————— 4 BSD-2-Clause ————————— 2 Apache-1.0 ——————————— 2 Apache-2.0 ——————————— 2 CC-BY-3.0 ———————————— 1 ``` Then you can also use it to track down which dependencies have this license: ```bash $ licenses --list | grep CC-BY-3.0 spdx-exceptions@2.3.0 ——————— CC-BY-3.0 ``` With this information you can either: - Dig deeper: some times it might be dual-licensed - Find out where this comes from with `npm ls`: ```bash $ npm ls spdx-exceptions check-licenses@0.2.0 /home/francisco/check-licenses └─┬ meow@8.0.0 └─┬ normalize-package-data@3.0.0 └─┬ validate-npm-package-license@3.0.4 └─┬ spdx-expression-parse@3.0.1 └── spdx-exceptions@2.3.0 ```