{"id":15594360,"url":"https://github.com/orta/heuristics-for-vendoring-mit-code","last_synced_at":"2026-01-07T19:07:55.329Z","repository":{"id":66647084,"uuid":"523712208","full_name":"orta/Heuristics-for-vendoring-MIT-code","owner":"orta","description":"A quick readme covering the cases where you would import code","archived":false,"fork":false,"pushed_at":"2022-08-11T16:17:18.000Z","size":19,"stargazers_count":59,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-02-05T00:29:34.099Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc0-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/orta.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-08-11T12:19:36.000Z","updated_at":"2024-10-06T20:52:49.000Z","dependencies_parsed_at":"2023-02-22T17:30:46.127Z","dependency_job_id":null,"html_url":"https://github.com/orta/Heuristics-for-vendoring-MIT-code","commit_stats":{"total_commits":12,"total_committers":1,"mean_commits":12.0,"dds":0.0,"last_synced_commit":"d0e01dd90f6cabe040421cf986732d1f5357e66d"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orta%2FHeuristics-for-vendoring-MIT-code","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orta%2FHeuristics-for-vendoring-MIT-code/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orta%2FHeuristics-for-vendoring-MIT-code/releases","manifests_url":"h
ttps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orta%2FHeuristics-for-vendoring-MIT-code/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/orta","download_url":"https://codeload.github.com/orta/Heuristics-for-vendoring-MIT-code/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246254109,"owners_count":20747948,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-03T00:38:53.881Z","updated_at":"2026-01-07T19:07:50.299Z","avatar_url":"https://github.com/orta.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"## Heuristics for Vendoring MIT Licensed Code\n\nDisclaimer: I am not a lawyer, but I've helped maintain a dependency manager for a decade and this is stuff that comes up.\n\n\u003e The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nThis is what you are trying to conform to in the MIT license.\n\nPrefer video? [An overview of different code licenses](https://www.youtube.com/watch?v=0r7JcN3Q_LY) and how to use them in your code in a talk I gave at Artsy 2015. There are a few cool new licenses since then, but nothing you would be using in everyday code.\n\n### So, you want to vendor some code. \n\nThere are roughly 5 ways in which you would do it. It doesn't matter if your code is OSS or closed-source, as the license still applies:\n\n1. **Let your package manager do it for you**. You're doing this all the time. 
This works because the package manager includes the license file or references it in the package manifest. \n\n   Not all package managers ensure licensing info exists, so even then you may need to _manually_ verify the license is referenced in their code (I used to use [danger-plugin-yarn](https://github.com/orta/danger-plugin-yarn) to highlight this). \n\n  \n2. **You are copying a few lines of code** or a function. Add a reference comment going back to the original:\n\n    ```ts\n    // Originally taken from shikijs because it was not exported, I've sent a PR upstream\n    // https://github.com/shikijs/shiki/blob/33ae6b97eda78484460ac05b3338bc72a605194a/packages/shiki/src/highlighter.ts#L210\n    // License MIT: https://github.com/shikijs/shiki/blob/33ae6b97eda78484460ac05b3338bc72a605194a/LICENSE\n\n    function isPlaintext(lang: string | null | undefined) {\n        return !lang || ['plaintext', 'txt', 'text'].includes(lang)\n    }\n    ```\n\n    \u003e Note: this is what you're meant to do with code from StackOverflow.\n\n    \u003e Note 2: Referencing the git commit and the original LOC is optional; you **only** need the reference to the license. That said, licenses can change - so this is future-proofing.\n\n    ```ts\n    // Originally from shikijs https://github.com/shikijs/shiki/blob/main/LICENSE\n\n    function isPlaintext(lang: string | null | undefined) {\n        return !lang || ['plaintext', 'txt', 'text'].includes(lang)\n    }\n    ```\n\n    is totally OK.\n\n\n3. **You are copying a whole file**. You can either: \n   1. Add a reference comment going back to the original. For example in shikijs we have auto-updating themes based on other people's repos. 
What we do there is:\n\n        ```json\n        {\n        \"_copyright\": \"The MIT License (MIT)\\nCopyright (c) 2015-2022 spgennard\\nSource: https://github.com/spgennard/vscode_cobol/blob/main/syntaxes/COBOL.tmLanguage.json\",\n        \"$schema\": \"https://raw.githubusercontent.com/spgennard/vscode_cobol/main/schemas/tmlanguage.json\",\n        \"fileTypes\": [\n            \"ccp\",\n            \"scbl\",\n            \"cobol\",\n            \n        ```\n    2. Make a folder which includes a full copy of the license, and that specific file:\n\n        ```\n        tree .\n\n        vendor/COBOL\n        ├── LICENSE\n        └── COBOL.tmLanguage.json\n        ```\n        \n      I'd recommend making sure that the license file also contains an HTTP link to the original repo; if it doesn't, add a new file for it.\n\n\n4. **You took some code but you changed it so much** that you just want to cover your butt. I did this for [RedwoodJS here](https://github.com/redwoodjs/redwood/blob/0e9754beaaee7fea21cb4f85027f49a41a679795/packages/web/src/components/DevFatalErrorPage.tsx) after taking a library's code, re-writing it to React, and making it make sense for Redwood while still keeping note of its origins and license:\n\n    ```ts\n    // This file is a hard fork of panic-overlay for RedwoodJS. The original code\n    // is licensed under The Unlicense - https://github.com/xpl/panic-overlay/blob/master/LICENSE\n    // making it fine for embedding inside this project.\n\n    import { useState } from 'react'\n    ```\n\n5. **You have a substantial set of files, or are vendoring a whole project**. 
You want to put it in its own folder, ensure there is the original license and a link to the original codebase and what commit you took it from (I think you can technically argue that `git submodules` handles this referential part for you if you use that), but something like:\n\n    ```sh\n    tree .\n\n    vendor/shikijs-monochrome\n    ├── LICENSE\n    ├── index.ts\n    └── README.md\n    ```\n\n    Then it is totally enclosed, and obvious where this code has come from and who the original authors were.\n\n    For MIT you _do not_ need to keep track of changes (some licenses do; in those cases use a repo fork with git submodules IMO); you just keep the original reference around.\n\n\n### Things worth keeping in mind\n\nThe code you vendor is licensed under the terms in effect at the time you import it. So, make sure to link to the commit at which you vendored the code if you think it may change. For example if v0 -\u003e v8 are MIT and then v9 is GPL, then you can vendor (as MIT) any version prior to the v9 switch.    \n\nAs the 'legality' here is about lawyer-work on interpreting how credit is given, there's a possible argument that you _don't_ even need to link to the license, as we collectively agreed upon a [standardized notation](https://spdx.org/licenses/) for licenses ([SPDX](https://spdx.dev)), which means you can write `// MIT (author)` and that _should_ conform to the license for small usage. This works because there's no other \"version\" of the MIT license, making it unambiguous, and because contextually we know that this comment is referring to the SPDX shortcut name.\n\nI don't think that level of minimalism is too useful though.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Forta%2Fheuristics-for-vendoring-mit-code","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Forta%2Fheuristics-for-vendoring-mit-code","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Forta%2Fheuristics-for-vendoring-mit-code/lists"}