DEV Community

Connor Bode

Checking the licenses used by your NPM dependencies

Hey everyone, just a quick tip on how you can audit the licenses of your NPM dependencies to make sure you're not infringing anyone's copyright.

Why do I care about licensing?

Open-source software is great, but "open source" doesn't automatically mean it's free to use however you like. Software projects are released under different licenses. Typically in a project repo you'll find the terms in a LICENSE file at the top level of the repo (for NPM packages, also in the `license` field of package.json).

The way you license your software defines many things including:

  • Whether, and under what conditions, others may use the software
  • Whether commercial use is permitted, or requires a separate (paid) license

These two points are extremely important.

You might think the software you are using is free until you get slapped with an invoice or a lawsuit!

As an example that's not related to NPM but is related to software licensing, check out VirtualBox's licences. tl;dr: VirtualBox itself is licensed under GPLv2, while the VirtualBox Extension Pack is under a custom license which requires a fee for commercial use. Supplementary reading: Oracle demands $12,200 for use of VirtualBox Extension Pack.

How can we verify the licenses of the packages we're using?

This ends up being pretty easy thanks to the license-checker package.

Here's the procedure:

  1. npm install --save-dev license-checker (it's a tooling dependency, so keep it out of your production dependency tree)
  2. npx license-checker

This will give you a printout of the licensing details of every package under node_modules, transitive dependencies and devDependencies included. Pass --production to restrict the report to the packages you actually ship.

Other cool features of the project:

  • Print a count of each license in use with npx license-checker --summary, or get machine-readable output with --json (and --out to write it to a file)
  • Include it in your CI/CD pipeline: --onlyAllow takes a semicolon-separated whitelist of licenses (e.g. --onlyAllow 'MIT;ISC;Apache-2.0') and --failOn a blacklist (e.g. --failOn 'GPL-3.0;AGPL-3.0'); either makes the command exit with code 1 on the first package that violates the list, which fails the build

Hope this helps you to audit the packages you're using!


I write about development stuff in all sorts of areas (Node, Python, Linux, Android, iOS, etc.). If you're interested, follow me here on dev.to or on Twitter @connorbode. I'll keep writing as I learn & discover.

Top comments (3)

Priya Jain

@connor. After hours of senseless search for implementing license-checker, your article saved my life. Thanks a lot for such a precise and informative article. If possible, can you also tell about how to whitelist or blacklist particular licenses in a React CI/CD build pipeline?

Ben Halpern

I've used license-checker and found it useful.

I think we might have also used licensed in Ruby world.

github/licensed: A Ruby gem to cache and verify the licenses of dependencies

Licensed caches the licenses of dependencies and checks their status. It is available as a Ruby gem for Ruby environments, and as a self-contained executable for non-Ruby environments. Licensed is not a complete open source license compliance solution; see the project's disclaimer before relying on it.


Connor Bode

Nice! Similarly for pip / python: pypi.org/project/pip-licenses/ (though I haven't used it)