Hey everyone, just a quick tip on how you can audit your NPM dependencies to make sure you're not infringing copyright.
Why do I care about licensing?
Open-source software is great, but "open source" does not necessarily mean "free to use however you like". Projects are released under different licenses. Typically the license text sits in a LICENSE file at the top level of the repo, and NPM packages also declare it as an SPDX identifier in the `license` field of package.json.
The way you license your software defines many things including:
- Whether you grant use of the software
- Whether you grant commercial use of the software
These two points are extremely important.
You might think the software you are using is free until you get slapped with an invoice or a lawsuit!
As an example that's not related to NPM but is related to software licensing, check out VirtualBox's licenses. tldr; VirtualBox itself is licensed under GPLv2, while the VirtualBox Extension Pack is under Oracle's Personal Use and Evaluation License (PUEL), which is free for personal, educational and evaluation use but requires a paid license for commercial use. Supplementary reading: Oracle demands $12,200 for use of VirtualBox Extension Pack.
How can we verify the licenses of the packages we're using?
This ends up being pretty easy thanks to license-checker, which walks your node_modules tree and reports the license of every installed package, transitive dependencies included.
Here's the procedure:
npm install --save-dev license-checker
npx license-checker
This prints the license details of every package installed in your project (installing it with --save-dev keeps the tool out of your production bundle). Two things to watch for in the output: an entry with a trailing `*` means license-checker guessed the license from a LICENSE or README file rather than reading it from package.json, and `UNKNOWN` means it found no license at all. Both need a manual look before you trust the result.
Other cool features of the project:
- Print a count of each license in use with
npx license-checker --summary
- Restrict the report to what you actually ship with --production (by default it includes devDependencies)
- Include it in your CI/CD pipeline by giving it a whitelist with --onlyAllow "MIT;ISC;Apache-2.0" (exit code 1 on the first license not in the semicolon-separated list) or a blacklist with --failOn "GPL-2.0;GPL-3.0" (exit code 1 on the first license that is in the list)
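If the built-in flags are too blunt (for example, you want guessed licenses flagged for review rather than failing outright, or you need to evaluate SPDX expressions like `(MIT OR Apache-2.0)`), you can run `npx license-checker --json --production > report.json` and apply your own policy to the JSON. The script below is an added example for this post, not code from the original article or from the license-checker project; the allowlist, the package names and the sample report are all constructed here so it runs offline.

```javascript
// Added example, not code from the original post or from license-checker itself:
// a CI gate that reads the JSON written by `npx license-checker --json --production`
// and fails on anything outside an allowlist. Node.js only, no extra packages.

// Constructed sample report in license-checker's JSON shape ("name@version" keys).
// license-checker appends "*" when it guessed the license from a LICENSE/README
// file instead of reading package.json, and emits "UNKNOWN" when it found nothing.
const SAMPLE_REPORT = {
  "lodash@4.17.21": { licenses: "MIT", repository: "https://github.com/lodash/lodash" },
  "some-lib@1.0.0": { licenses: "(MIT OR Apache-2.0)" },   // SPDX choice expression
  "old-pkg@0.3.2": { licenses: "BSD-3-Clause*" },          // guessed, needs a human look
  "mystery@2.0.0": { licenses: "UNKNOWN" },                 // no license found at all
  "copyleft-thing@3.1.0": { licenses: "GPL-3.0" },
  "dual@1.2.3": { licenses: ["MIT", "GPL-2.0"] },           // array form: assumed to mean "either"
};

// Assumed allowlist for this example; adjust to your organisation's policy.
const ALLOWED = new Set(["MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "0BSD"]);

// Turn one `licenses` value into alternatives (OR), each a list of ids that all
// apply (AND). Handles a plain id, an array, "(A OR B)", "A AND B" and the "*"
// marker. Nested parentheses and "WITH" exceptions are not parsed; they simply
// fail to match the allowlist, which is the safe direction for a gate.
function parseLicenseField(value) {
  const raw = Array.isArray(value) ? value : [String(value)];
  const alternatives = [];
  let guessed = false;
  for (let expr of raw) {
    expr = String(expr).trim();
    if (expr.endsWith("*")) {
      guessed = true;
      expr = expr.slice(0, -1).trim();
    }
    if (expr.startsWith("(") && expr.endsWith(")")) expr = expr.slice(1, -1);
    for (const alt of expr.split(/\s+OR\s+/i)) {
      const ids = alt.split(/\s+AND\s+/i).map((id) => id.trim()).filter(Boolean);
      if (ids.length > 0) alternatives.push(ids);
    }
  }
  return { alternatives, guessed };
}

// A package passes when at least one alternative consists only of allowed ids.
// Guessed licenses that pass are reported separately so someone confirms them.
function checkReport(report, allowed) {
  const violations = [];
  const needsReview = [];
  for (const [pkg, info] of Object.entries(report)) {
    const { alternatives, guessed } = parseLicenseField(info.licenses ?? "UNKNOWN");
    const ok = alternatives.some((ids) => ids.every((id) => allowed.has(id)));
    if (!ok) violations.push({ pkg, licenses: info.licenses });
    else if (guessed) needsReview.push({ pkg, licenses: info.licenses });
  }
  return { violations, needsReview };
}

// CLI: `node license-gate.js report.json` in CI; with no argument it runs the
// built-in sample and does not fail the build.
if (typeof require !== "undefined" && require.main === module) {
  const path = process.argv[2];
  const report = path ? JSON.parse(require("fs").readFileSync(path, "utf8")) : SAMPLE_REPORT;
  const { violations, needsReview } = checkReport(report, ALLOWED);
  for (const v of violations) console.log(`VIOLATION ${v.pkg}: ${JSON.stringify(v.licenses)}`);
  for (const r of needsReview) console.log(`REVIEW    ${r.pkg}: ${JSON.stringify(r.licenses)} (guessed from license file)`);
  if (path && violations.length > 0) process.exitCode = 1;
}
```

On the sample, `mystery@2.0.0` (UNKNOWN) and `copyleft-thing@3.1.0` (GPL-3.0) are violations, `old-pkg@0.3.2` passes but is listed for review because its license was guessed, and `dual@1.2.3` passes because its array is treated as a choice. Whether an array or an AND expression should be read that way is a policy decision, so the parser keeps the two cases distinct rather than deciding for you.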
Hope this helps you to audit the packages you're using!
I write about development stuff in all sorts of areas (Node, Python, Linux, Android, iOS, etc.). If you're interested, follow me here on dev.to or on Twitter @connorbode. I'll keep writing as I learn & discover.
Top comments (3)
@connor. After hours of senseless search for implementing license-checker, your article saved my life. Thanks a lot for such a precise and informative article. If possible, can you also tell about how to whitelist or blacklist particular licenses in a React CI/CD build pipeline?
I've used license-checker and found it useful. I think we might have also used licensed in the Ruby world: github / licensed (A Ruby gem to cache and verify the licenses of dependencies).
Nice! Similarly for pip / python: pypi.org/project/pip-licenses/ (though I haven't used it)