npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@brainhubeu/lac

v2.0.0-beta

Published

## Prerequisites

Downloads

367

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

angjezangjezannalachannalachbenedyktdrylbenedyktdrylbrainhubeu-cibrainhubeu-cibrainhubeu-devopsbrainhubeu-devopsdluberdluberdyodadyodafkublinfkublinmatt-jbmatt-jbroberthebelroberthebelszymon.morawskiszymon.morawski

Keywords

licenseauditcli

Readme

License Auditor CLI

Prerequisites

Supported package managers

  • npm
  • yarn classic (v1)
  • yarn 2+
    • Applicable only for projects using node_modules installation. Plug'n'Play is not currently supported.
  • pnpm

Getting started

To start using License Auditor, in the root of your project run

npx @brainhubeu/lac init

Follow the configuration wizard and select the template which suits your project.

CAUTION: The default configuration should not be in any way interpreted as legal advice.

Next, to conduct license audit run

npx @brainhubeu/lac

The results will be printed in the console.

Available options

  • --verbose - Verbose output (default: false)
  • --filter [filter] - Filter verbose output by license status - whitelist, blacklist, or unknown
  • --json [json] - Save the result to a JSON file. If no path is not provided, a file named license-auditor.results.json will be created in the current directory.
  • --production - Skip the audit for licenses in development dependencies (default: false)
  • --default-config - Run audit with default whitelist/blacklist configuration

Verify dev dependencies if they generate code, embed assets, or otherwise impact the final product, as their licenses might impose restrictions. Always prioritize reviewing both when in doubt or if your project may be redistributed or commercialized.

Configuration file

File structure

All licenses are sourced from SPDX license list

  • whitelist - array of SPDX license identifiers of licenses permitted within the project,
  • blacklist - array of SPDX license identifiers of licenses prohibited within the project,
  • overrides - an object with the specified severity:
    • warn - package should be omitted from audit, but it will produce a warning,
    • off- package should be completely omitted from the audit.

To use ConfigType and enable IntelliSense license suggestions in the configuration file, run:

npm i --save-dev @brainhubeu/lac

Then, in JS/MJS configuration at the top of the file add:

/**
 * @type {import('@brainhubeu/lac').ConfigType}
 */

In TS configuration:

import type { ConfigType } from "@brainhubeu/lac";

const config: ConfigType = {
  ...
};

CAUTION: The default/strict configuration should not be in any way interpreted as legal advice.

Default configuration

LAC offers a default configuration for whitelist and blacklist, available by running the configuration wizard or using the --default-config flag. The rationale for selecting licenses for each list is available in this Brainhub article about open source licenses. It describes licenses to be wary of as:

You need to be careful about a few restrictive licenses, like GPL 3.0 or AGPL. In the worst-case scenario, you may be required to release your software under the same license, royalty-free.

However, we shouldn't say these licenses are bad. They cause a legal risk or can make you rewrite the whole product, but only if you don't follow the rules associated with them.

The key in managing licenses is to understand how they work, follow their rules, and ideally use software that helps to track the licenses in your product, so as not to break the law or cause problems to your product through inattention.

Strict configuration

Strict configuration offers a more restrictive whitelist/blacklist preset. The aim was to cover as many licenses as viable, keeping to the guidelines described in the article above.

Known issues

"missing: some-package@>=3.0.0, required by [email protected]"

This is most likely caused by enabled legacy-peer-deps in npm, which makes npm skip installing peer dependencies. License auditor will show partial results (for packages found by npm until the error occurred). To see complete results you must turn the legacy-peer-deps off and fix any peer dependency conflicts.