Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/franciscop/check-licenses
A simple tool to check all the licenses in your dependencies
- Host: GitHub
- URL: https://github.com/franciscop/check-licenses
- Owner: franciscop
- License: mit
- Created: 2020-12-04T13:09:55.000Z (almost 4 years ago)
- Default Branch: master
- Last Pushed: 2022-11-04T09:45:53.000Z (about 2 years ago)
- Last Synced: 2024-09-14T22:14:43.162Z (about 2 months ago)
- Topics: analyze, check, legal, licenses, npm
- Language: JavaScript
- Homepage:
- Size: 147 KB
- Stars: 19
- Watchers: 3
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: readme.md
- Funding: .github/FUNDING.yml
- License: LICENSE
README
# Check Licenses [![npx check-licenses](https://img.shields.io/badge/npx-check--licenses-blue.svg)](https://www.npmjs.com/package/check-licenses) [![test badge](https://github.com/franciscop/check-licenses/workflows/tests/badge.svg)](https://github.com/franciscop/check-licenses/blob/master/.github/workflows/tests.yml)
A simple tool to check all the licenses in your dependencies:
- Find all dependencies and their sub-dependencies in your project
- Validate both the `package.json` and the `LICENSE` file per dependency
- Only reads `dependencies` and not `devDependencies`
- Uses `package-lock.json` for deterministic resolution
- Handles multiple versions of the same library just fine

## Getting started
You can either run it with `npx check-licenses`, or install it globally and call it directly:
```bash
npm i check-licenses -g
licenses # Note how this is just `licenses`
licenses --list
licenses --help

# Or use the library straight from npm
npx check-licenses
npx check-licenses --list
npx check-licenses --help
npx --yes check-licenses # To avoid being asked to install it, e.g. in a CI
```
The main command prints a license summary:
```bash
$ licenses
MIT —————————————————— 56
ISC —————————————————— 7
CC0-1.0 —————————————— 4
BSD-2-Clause ————————— 2
Apache-1.0 ——————————— 2
Apache-2.0 ——————————— 2
CC-BY-3.0 ———————————— 1
```
If you want to dig deeper and see which package uses what license, use the `--list` flag.
## Show the licenses used
The base command is to count how many licenses of each type are in use:
```bash
$ licenses
MIT —————————————————— 1328
ISC —————————————————— 113
CC0-1.0 —————————————— 36
BSD-3-Clause ————————— 36
Apache-2.0 ——————————— 5
BSD-2-Clause ————————— 3
Zlib ————————————————— 1
CC-BY-3.0 ———————————— 1
GPL-2.0 —————————————— 1
```
## List all dependencies
This can be used to find out what each of our dependencies (direct and indirect) is using. It might list multiple licenses in a single package:
```bash
$ licenses --list
...
[email protected] ————————————— ISC
[email protected] ——————————————— MIT
[email protected] ——————————— MIT
[email protected] ——————————————————— MIT
[email protected] —————————————————— Apache-2.0 + MIT
[email protected] ————————————————— MIT
[email protected] ——————————————————— MIT
[email protected] ——————— MIT
...
```
This list is normally quite long, but it can easily be piped through `grep`. For example, to find all of the `Apache-2.0` licenses:
```bash
$ licenses --list | grep Apache-2.0
[email protected] —————————————— Apache-2.0
[email protected] ———————————— Apache-2.0
[email protected] ——————————————————— Apache-2.0 + MIT
[email protected] —————————— Apache-2.0 + MPL-1.1
[email protected] ———————————— Apache-2.0
```
If a library has multiple licenses, they are joined with a `+`, which you can grep for as well:
```bash
$ licenses --list | grep +
...
[email protected] ————————— ISC + MIT
[email protected] ————————————————————— Apache-2.0 + MIT
[email protected] —————————————— ISC + MIT
[email protected] ——— ISC + MIT
[email protected] ——————————————————— Apache-2.0 + MIT
[email protected] —————————————— ISC + MIT
[email protected] —————————— Apache-2.0 + MPL-1.1
[email protected] —————————————— AFLv2.1 + BSD
[email protected] ————————————————— ISC + MIT
[email protected] —————————————— CC0-1.0 + MIT
[email protected] ——————————— CC0-1.0 + MIT
...
```
## Finding bad licenses
Say you run the tool and find a license among your dependencies that you really don't want to accept, such as CC-BY-3.0:
```bash
$ licenses
DOC —————————————————— 56
MIT —————————————————— 56
ISC —————————————————— 7
CC0-1.0 —————————————— 4
BSD-2-Clause ————————— 2
Apache-1.0 ——————————— 2
Apache-2.0 ——————————— 2
CC-BY-3.0 ———————————— 1
```
Then you can use the list to track down which dependencies carry this license:
```bash
$ licenses --list | grep CC-BY-3.0
[email protected] ——————— CC-BY-3.0
```
With this information you can either:
- Dig deeper: sometimes the package is dual-licensed
- Find out where it comes from with `npm ls`:
```bash
$ npm ls spdx-exceptions
[email protected] /home/francisco/check-licenses
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └── [email protected]
```
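As an added example (not code from check-licenses), here is a POSIX sh gate you could run after `npx --yes check-licenses --list` in CI: it fails the build when a dependency is available only under denylisted licenses, and lets a dual-licensed (`+`) package through when at least one of its licenses is acceptable. The denylist and the package names in the sample are made up.

```shell
#!/bin/sh
# Added example, not part of check-licenses: a CI gate over `licenses --list` output.
# Assumes the format shown above: "name@version ——— LICENSE" or "LICENSE + LICENSE".

# Usage: licenses --list | flag_denied "CC-BY-3.0 GPL-2.0"
# Prints each dependency whose licenses are *all* in the denylist and returns 1 if
# any were found, 0 otherwise. A dual-licensed package passes when one of its
# licenses is acceptable, since you may use it under that license.
flag_denied() {
  denylist=" $1 "
  found=0
  while IFS= read -r line; do
    # The license column is whatever follows the last dash; skip lines without one
    # (the "$ licenses --list" prompt line, "..." markers, blank lines).
    case $line in *—*) ;; *) continue ;; esac
    lics=$(printf '%s\n' "$line" | sed 's/.*— *//')
    ok=0
    # Split "Apache-2.0 + MIT" into its identifiers and look for one not denied.
    for lic in $(printf '%s\n' "$lics" | sed 's/ + / /g'); do
      case $denylist in *" $lic "*) ;; *) ok=1 ;; esac
    done
    if [ "$ok" -eq 0 ]; then
      printf '%s\n' "$line"
      found=1
    fi
  done
  return $found
}

# Constructed sample in the `licenses --list` format (names are made up).
SAMPLE='$ licenses --list
pkg-a@1.0.0 ——————— MIT
pkg-b@2.3.1 ——————— CC-BY-3.0
pkg-c@0.9.0 ——————— CC-BY-3.0 + MIT
pkg-d@4.0.0 ——————— GPL-2.0'

# Stand-alone run: prints pkg-b and pkg-d and reports the failure.
printf '%s\n' "$SAMPLE" | flag_denied "CC-BY-3.0 GPL-2.0" || echo "denied licenses found"
```

In a pipeline, replace the sample with the real `npx --yes check-licenses --list` output and let the non-zero exit status fail the job.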