https://github.com/onebeyond/license-checker

:detective: Audit your NPM dependencies and reject any forbidden license.

🕵️ Audit your NPM dependencies and reject any forbidden license.

Check our [wiki](https://github.com/onebeyond/license-checker/wiki)!

## 📝 Description

This package lets you run a quick audit of the licenses of your NPM dependencies, for example from a git hook or a CI job.

You can optionally pass options to skip generating the report, or to skip generating the error report when a forbidden license is found (see the details in [Options](#options)).

The package provides two commands:

| Command | Description |
|---|---|
| scan | (default command) scan the licenses of a project's dependencies, looking for forbidden licenses |
| check | check whether a license expression is SPDX compliant |

## 🔎 How to use it in your project

- Install the package

```sh
npm install @onebeyond/license-checker
```

### `check` command

Just run the `check` command with the license expression you want to validate against SPDX (the `<license-expression>` below is a placeholder for your own value):

```sh
npx @onebeyond/license-checker check "<license-expression>"
```

The process will fail if _license_ is not SPDX compliant.

### `scan` command

- Add a script to run the package (`<license> ...` is a placeholder for the list of forbidden licenses):

```sh
npx @onebeyond/license-checker scan --failOn <license> [<license> ...]
```

- If you are using **yarn** you may want to run it from `node_modules` instead of through npx

```sh
node_modules/.bin/license-checker scan --failOn <license> [<license> ...]
```

- Use the script wherever you want (husky hook, in your CI/CD pipeline, ...)

#### 🚩 Options

| Option | Description | Required | Type | Default |
|---|---|---|---|---|
| --start | Path of the initial JSON file to look for | false | string | `process.cwd()` |
| --failOn | Fail (exit with code 1) if any package license does not satisfy any license in the provided list | true | string[] | |
| --outputFileName | Name of the generated report file | false | string | `license-report-.md` |
| --errorReportFileName | Name of the error report file generated when a license from the `failOn` option is found | false | string | `license-error-.md` |
| --disableErrorReport | Flag to disable generation of the error report file | false | boolean | `false` |
| --disableReport | Flag to disable generation of the report file, whether there is an error or not | false | boolean | `false` |
| --customHeader | Name of a text file containing the custom header to add at the start of the generated report | false | string | This application makes use of the following open source packages: |

## 🧑‍💻 Examples

### check command

This command is intended to be used as a standalone feature to check whether the supplied value is SPDX compliant. It is useful for validating a value before using it with the `scan` command:

```sh
npx @onebeyond/license-checker check "(MIT OR GPL-1.0+) AND 0BSD"
```

If the value provided is not SPDX compliant, the process fails (exit error 1).

### scan command

All the values provided in the `failOn` list must be [SPDX](https://spdx.dev/specifications/) compliant. Otherwise, an error will be thrown (exit error 1).
Check the [SPDX license list](https://spdx.org/licenses/).

```sh
npx @onebeyond/license-checker scan --failOn MIT GPL-1.0+
```

The input list is transformed into an SPDX expression joined with the `OR` logical operator; in the example, that is `MIT OR GPL-1.0+`.
If any of the packages' licenses satisfies that expression, the process fails (exit error 1).

## 🔗 Useful links

- [Licensing a repository](https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/licensing-a-repository)
- [Choose a license](https://choosealicense.com/appendix/)

## ⚠️ Temporary issue

An issue in `spdx-satisfies` has been found and is pending resolution. Until it is fixed, GFDL 1.x licenses are not supported: an error is thrown if any package license or any `failOn` argument contains one.

## Contributors ✨

Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):

- Jose Manuel Torralvo Moyano: 💻 📖 🤔 🚧 👀
- Mario Quiroga: 💻 📖 🤔 🚧 👀
- Íñigo Marquínez: 💻 📖 🤔 🚧 👀
- Sara Hernández: 💻
- Laura: 👀
- Adri Rodríguez: 👀
- David Miguel Yusta: 💻 📖 🤔 🚧 👀 ⚠️
- Lucía: 🎨
- Ulises Gascón: 💻 📖 🚧
- Fernando de la Torre: 💻

This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of any kind welcome!