Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/davglass/license-checker

Check NPM package licenses
https://github.com/davglass/license-checker

Last synced: 26 days ago
JSON representation

Check NPM package licenses

Lists

README 

        
NPM License Checker

===================



[![Build Status](https://www.travis-ci.org/davglass/license-checker.svg?branch=master)](https://www.travis-ci.org/davglass/license-checker)



*As of v17.0.0 the `failOn` and `onlyAllow` arguments take semicolons as delimeters instead of commas. Some license names contain

commas and it messed with the parsing*



Ever needed to see all the license info for a module and its dependencies?



It's this easy:



```shell

npm install -g license-checker



mkdir foo

cd foo

npm install yui-lint

license-checker

```



You should see something like this:



```

├─ [email protected]

│  ├─ repository: http://github.com/chriso/cli

│  └─ licenses: MIT

├─ [email protected]

│  ├─ repository: https://github.com/isaacs/node-glob

│  └─ licenses: UNKNOWN

├─ [email protected]

│  ├─ repository: https://github.com/isaacs/node-graceful-fs

│  └─ licenses: UNKNOWN

├─ [email protected]

│  ├─ repository: https://github.com/isaacs/inherits

│  └─ licenses: UNKNOWN

├─ [email protected]

│  └─ licenses: MIT

├─ [email protected]

│  ├─ repository: https://github.com/isaacs/node-lru-cache

│  └─ licenses: MIT

├─ [email protected]

│  ├─ repository: https://github.com/isaacs/node-lru-cache

│  └─ licenses: MIT

├─ [email protected]

│  ├─ repository: https://github.com/isaacs/minimatch

│  └─ licenses: MIT

├─ [email protected]

│  ├─ repository: https://github.com/isaacs/minimatch

│  └─ licenses: MIT

├─ [email protected]

│  ├─ repository: https://github.com/isaacs/sigmund

│  └─ licenses: UNKNOWN

└─ [email protected]

   ├─ licenses: BSD

      └─ repository: http://github.com/yui/yui-lint

```



An asterisk next to a license name means that it was deduced from

an other file than package.json (README, LICENSE, COPYING, ...)

You could see something like this:



```

└─ [email protected]

   ├─ repository: https://github.com/visionmedia/debug

   └─ licenses: MIT*

```



Options

-------



* `--production` only show production dependencies.

* `--development` only show development dependencies.

* `--start [path of the initial json to look for]`

* `--unknown` report guessed licenses as unknown licenses.

* `--onlyunknown` only list packages with unknown or guessed licenses.

* `--json` output in json format.

* `--csv` output in csv format.

* `--csvComponentPrefix` prefix column for component in csv format.

* `--out [filepath]` write the data to a specific file.

* `--customPath` to add a custom Format file in JSON

* `--exclude [list]` exclude modules which licenses are in the comma-separated list from the output

* `--relativeLicensePath` output the location of the license files as relative paths

* `--summary` output a summary of the license usage',

* `--failOn [list]` fail (exit with code 1) on the first occurrence of the licenses of the semicolon-separated list

* `--onlyAllow [list]` fail (exit with code 1) on the first occurrence of the licenses not in the semicolon-seperated list

* `--packages [list]` restrict output to the packages (package@version) in the semicolon-seperated list

* `--excludePackages [list]` restrict output to the packages (package@version) not in the semicolon-seperated list

* `--excludePrivatePackages` restrict output to not include any package marked as private

* `--direct look for direct dependencies only`



Exclusions

----------

A list of licenses is the simplest way to describe what you want to exclude.



You can use valid [SPDX identifiers](https://spdx.org/licenses/).

You can use valid SPDX expressions like `MIT OR X11`.

You can use non-valid SPDX identifiers, like `Public Domain`, since `npm` does

support some license strings that are not SPDX identifiers.



Examples

--------



```

license-checker --json > /path/to/licenses.json

license-checker --csv --out /path/to/licenses.csv

license-checker --unknown

license-checker --customPath customFormatExample.json

license-checker --exclude 'MIT, MIT OR X11, BSD, ISC'

license-checker --packages '[email protected];[email protected];[email protected]'

license-checker --excludePackages 'internal-1;internal-2'

license-checker --onlyunknown

```



Custom format

-------------



The `--customPath` option can be used with CSV to specify the columns. Note that

the first column, `module_name`, will always be used.



When used with JSON format, it will add the specified items to the usual ones.



The available items are the following:

- name

- version

- description

- repository

- publisher

- email

- url

- licenses

- licenseFile

- licenseText

- licenseModified



You can also give default values for each item.

See an example in [customFormatExample.json](customFormatExample.json).



Requiring

---------



```js

var checker = require('license-checker');



checker.init({

    start: '/path/to/start/looking'

}, function(err, packages) {

    if (err) {

        //Handle error

    } else {

        //The sorted package data

        //as an Object

    }

});

```



Debugging

---------



license-checker uses [debug](https://www.npmjs.com/package/debug) for internal logging. There’s two internal markers:



* `license-checker:error` for errors

* `license-checker:log` for non-errors



Set the `DEBUG` environment variable to one of these to see debug output:



```shell

$ export DEBUG=license-checker*; license-checker

scanning ./yui-lint

├─ [email protected]

│  ├─ repository: http://github.com/chriso/cli

│  └─ licenses: MIT

# ...

```



How Licenses are Found

----------------------



We walk through the `node_modules` directory with the [`read-installed`](https://www.npmjs.org/package/read-installed) module. Once we gathered a list of modules we walk through them and look at all of their `package.json`'s, We try to identify the license with the [`spdx`](https://www.npmjs.com/package/spdx) module to see if it has a valid SPDX license attached. If that fails, we then look into the module for the following files: `LICENSE`, `LICENCE`, `COPYING`, & `README`.



If one of the those files are found (in that order) we will attempt to parse the license data from it with a list of known license texts. This will be shown with the `*` next to the name of the license to show that we "guessed" at it.