dump-licenses
v0.3.0
Published
This library helps in listing all dependency licenses
Downloads
2
Readme
Dump licenses
This library is analyzing the npm project hierarchy recursively from the current directory: package.json file
This library only focuses on production dependencies, and provides result as JSON file sorted by license type to simplify the check on legal aspect.
WARN: Legal aspect is not the responsibility of this tool which is just an helper to list all licenses referenced by a module. The production of real license files is OUT OF SCOPE of this module.
To build all licenses text, you can retrieve them from the web (like the excellent https://spdx.org/licenses/), make them template by using some placeholders (for author/date/module name), and automatise the license files generation based on dump-licenses output.
Usage
> npm install -g dump-licenses
> cd <your project directory>
# Ensure to let NPM / YARN resolved your dependencies by calling
> npm install or yarn install
> dump-licenses
{
"MIT": [
{ name: "module-name1", version: "1.0.0", author: "John Doe <[email protected]>" },
...
],
"Apache-2.0": [
{ name: "module-name2", version: "0.7.0", author: "John Doe <[email protected]>" },
...
],
"?": [
{ name: "module-with-license-not-found", version: "1.0.0", author: "John Doe <[email protected]>" },
...
],
"File": [
{ name: "module-with-license-file", version: "5.2.0", author: "John Doe <[email protected]>", license: '/<local-directory>/LICENSE' }
]
...
}
# If you copy the "?" part in a dedicated file (for example: manual.json)
# and replace the "?" with correct license. You can then add the --manual (or -m) command line option to tell dump-licenses to use those licensing information prior to compute them. For example:
# manual.json content:
# {
# "MIT": [
# { name: "module-with-license-not-found", version: "1.0.0", author: "John Doe <[email protected]>" },
# ]
# }
> dump-licenses --manual=manual.json
{
"MIT": [
{ name: "module-name1", version: "1.0.0", author: "John Doe <[email protected]>" },
{ name: "module-with-license-not-found", version: "1.0.0", author: "John Doe <[email protected]>" },
...
],
"Apache-2.0": [
{ name: "module-name2", version: "0.7.0", author: "John Doe <[email protected]>" },
...
],
"?": [
...
],
"File": [
{ name: "module-with-license-file", version: "5.2.0", author: "John Doe <[email protected]>", license: '/<local-directory>/LICENSE' }
]
...
}
# You can also store the output in json format by using --output (-o)
> dump-licenses --output=licenses.json
INFO: Output file [ license.json ] generated!
INFO: Licenses: MIT, ISC, GPL-2.0, BSD-3-Clause, OFL-1.1, Apache-2.0
# Finally, if you want to merge the licenses of multiple projects you can chain them by using --input (-i) option
> dump-licenses --input=other-project-licenses.json --output=merged-licenses.jsonThe license is retrieved from "license" (or "licenses") property in package.json. If the property is not found, a .*LICENSE.* file is searched in the project directory and the corresponding module is associated with license type 'File'.
If the licensing information are not found, the corresponding module are associated with license type: "?". Please, check the corresponding library license information manually. You can save those information in a specific manual license file and give it to dump-licenses to
NOTE: By default a license property containing "* OR " is computed like a " AND *" and the corresponding module will be listed in all license types. You can use the "manual" option to choose between the different choices and prevent it to appear everywhere.
dump-licenses is also trying to retrieve all module authors in order to let software establishes a clear licensing information.