check-licenses

Check the licenses for the packages that you are using

Usage no npm install needed!

<script type="module">
  import checkLicenses from 'https://cdn.skypack.dev/check-licenses';
</script>

README

Check Licenses npx check-licenses test badge

A simple tool to check all the licenses in your dependencies:

Example command
  • Find all dependencies and their sub-dependencies in your project
  • Validate both the package.json and the LICENSE file per dependency
  • Only reads dependencies and not devDependencies
  • Uses package-lock.json for deterministic resolution
  • Handles multiple versions of the same library just fine

Getting started

You can either use npx check-licenses, or install this library globally and then run it at once:

npm i check-licenses -g
licenses   # Note how this is just `licenses`
licenses --list
licenses --help

# Or use the library straight from npm
npx check-licenses
npx check-licenses --list
npx check-licenses --help

The main command will trigger a license summary:

$ licenses
DOC —————————————————⟶ 56
MIT —————————————————⟶ 56
ISC —————————————————⟶ 7
CC0-1.0 —————————————⟶ 4
BSD-2-Clause ————————⟶ 2
Apache-1.0 ——————————⟶ 2
Apache-2.0 ——————————⟶ 2
CC-BY-3.0 ———————————⟶ 1

The --list option will show all the dependencies you have with their licenses:

Show the licenses used

The base command is to count how many licenses of each type are in use:

$ licenses
MIT —————————————————⟶ 1328
ISC —————————————————⟶ 113
CC0-1.0 —————————————⟶ 36
BSD-3-Clause ————————⟶ 36
Apache-2.0 ——————————⟶ 5
BSD-2-Clause ————————⟶ 3
Zlib ————————————————⟶ 1
CC-BY-3.0 ———————————⟶ 1
GPL-2.0 —————————————⟶ 1

List all dependencies

This can be used to find out what each of our dependencies (direct and indirect) is using. It might list multiple licenses in a single package:

$ licenses --list
...
test-exclude@5.2.3 ————————————⟶ ISC
text-table@0.2.0 ——————————————⟶ MIT
textarea-caret@3.0.2 ——————————⟶ MIT
throat@4.1.0 ——————————————————⟶ MIT
through@2.3.8 —————————————————⟶ Apache-2.0 + MIT
through2@2.0.5 ————————————————⟶ MIT
thunky@1.1.0 ——————————————————⟶ MIT
timers-browserify@2.0.11 ——————⟶ MIT
...

This list is normally quite long, but it can be easily grep-ed. For example, to find all of the Apache-2.0 licenses:

$ licenses --list | grep Apache-2.0
fb-watchman@2.0.1 —————————————⟶ Apache-2.0
forever-agent@0.6.1 ———————————⟶ Apache-2.0
formik@2.1.5 ——————————————————⟶ Apache-2.0 + MIT
harmony-reflect@1.6.1 —————————⟶ Apache-2.0 + MPL-1.1
human-signals@1.1.1 ———————————⟶ Apache-2.0

If there are multiple licenses in a library it's marked with a +. You can indeed also grep that!

$ licenses --list | grep +
...
are-we-there-yet@1.1.5 ————————⟶ ISC + MIT
atob@2.1.2 ————————————————————⟶ Apache-2.0 + MIT
detect-node@2.0.4 —————————————⟶ ISC + MIT
electron-to-chromium@1.3.534 ——⟶ ISC + MIT
formik@2.1.5 ——————————————————⟶ Apache-2.0 + MIT
fs.realpath@1.0.0 —————————————⟶ ISC + MIT
harmony-reflect@1.6.1 —————————⟶ Apache-2.0 + MPL-1.1
json-schema@0.2.3 —————————————⟶ AFLv2.1 + BSD
killable@1.0.1 ————————————————⟶ ISC + MIT
lodash-es@4.17.15 —————————————⟶ CC0-1.0 + MIT
lodash.memoize@4.1.2 ——————————⟶ CC0-1.0 + MIT
...

Finding bad licenses

Let's say you run this tool and find the dependencies, of which you really don't want to follow CC-BY-3.0:

$ licenses
DOC —————————————————⟶ 56
MIT —————————————————⟶ 56
ISC —————————————————⟶ 7
CC0-1.0 —————————————⟶ 4
BSD-2-Clause ————————⟶ 2
Apache-1.0 ——————————⟶ 2
Apache-2.0 ——————————⟶ 2
CC-BY-3.0 ———————————⟶ 1

Then you can also use it to track down which dependencies have this license:

$ licenses --list | grep CC-BY-3.0
spdx-exceptions@2.3.0 ——————⟶ CC-BY-3.0

With this information you can either:

  • Dig deeper: some times it might be dual-licensed
  • Find out where this comes from with npm ls:
$ npm ls spdx-exceptions
check-licenses@0.2.0 /home/francisco/check-licenses
└─┬ meow@8.0.0
  └─┬ normalize-package-data@3.0.0
    └─┬ validate-npm-package-license@3.0.4
      └─┬ spdx-expression-parse@3.0.1
        └── spdx-exceptions@2.3.0