npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@akiflow/licenses-verifier

v2.0.0

Published

Verify that the dependencies of package.json are licensed in a way that allows their use in the current project

Downloads

88

Readme

Licenses Verifier

Verify that the dependencies of package.json are licensed in a way that allows their use in a given project.

Why?

Save on legal expenses by ensuring that you can lawfully use all the dependencies in your project.

This will help you to ensure that you are not infringing any copyrights or other intellectual property rights.

Thanks to Licenses Verifier, you will save time and money when, for example, going through a legal due diligence. It will be easier to show that you have the right licenses for all the dependencies in your project by providing to your attorneys the information they need.

How it works?

Licenses Verifier checks that the dependencies in package.json are licensed in a way that allows their use in the current project.

This is done by first listing all the dependencies in package.json and then retrieving the licenses of such dependencies. This includes both the development and production licenses, and all the their dependencies (recursively).

These licenses are then checked against the whitelist of licenses that are allowed in the current project. To whitelist a license, add it to the whitelistedLicenses array in package.json.

Example:

"whitelistedLicenses": [
    "MIT",
    "Apache-2.0"
]

If a dependency is not whitelisted, it will be reported as a problem.

If no whitelist is provided, a warning will be shown.

If any dependency has no license, it will be reported as a problem.

Which licenses can I whitelist?

Short answer: ask your lawyers.

Longer answer: you need to verify that the license allows you to use the dependency in your specific project. Many very common licenses, although referred as “open source”, do have specific requirements for use in other projects. Verifying how to comply with those requirements is a matter that should be addressed by a qualified attorney. For this reason, Licenses Verifier does not include any pre-populated license whitelist. Each project may or may not whitelist a license, depending on the project’s characteristics.

For this reason we recommend that you consult with your lawyer before whitelisting a license. You should do so for each project you work on. We strongly suggest not to reuse the same license whitelist in multiple projects without prior consultation with your lawyer.

How to use it?

Installation

npm install -g @akiflow/licenses-verifier

or

yarn global add @akiflow/licenses-verifier

Usage

npm run licenses-verifier

or

yarn licenses-verifier

Options

All parameters are optional.

--projectPath=<path>
    If not specified, the current directory will be used.

--tsOrJsFile=<pathAndFilename>
    the path and name of the file in which all packages and licenses will be made available to be imported in your code. Useful to include links and other information about the dependencies used in your project.

--outLicensesDir=<directory>
    the directory in which the licenses will be saved. A separate file will be created for each license. Useful if you need to provide the licenses to a third party, for example, an attorney to help you review the licenses.

--outputJsonFile=<pathAndFilename>
    the path and name of the file in which a list of all the packages used in the project, grouped by license, will be saved. Useful to identify which packages are using which licenses.

Disclaimer

This tool is not intended, and should not be used, as a way to avoid proper legal due diligence. You remain the sole responsible for the use of the packages listed in your dependencies. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.