A simple tool to check all the licenses in your dependencies:
- Find all dependencies and their sub-dependencies in your project
- Validate both the
package.json
and theLICENSE
file per dependency - Only reads
dependencies
and notdevDependencies
- Uses
package-lock.json
for deterministic resolution - Handles multiple versions of the same library just fine
You can either use npx check-licenses
, or install this library globally and then run it at once:
npm i check-licenses -g
licenses # Note how this is just `licenses`
licenses --list
licenses --help
# Or use the library straight from npm
npx check-licenses
npx check-licenses --list
npx check-licenses --help
npx --yes check-licenses # To avoid being asked to install it, e.g. in a CI
The main command will trigger a license summary:
$ licenses
MIT —————————————————— 56
ISC —————————————————— 7
CC0-1.0 —————————————— 4
BSD-2-Clause ————————— 2
Apache-1.0 ——————————— 2
Apache-2.0 ——————————— 2
CC-BY-3.0 ———————————— 1
If you want to dig deeper and see which package uses what license, use the --list
flag.
The base command is to count how many licenses of each type are in use:
$ licenses
MIT —————————————————— 1328
ISC —————————————————— 113
CC0-1.0 —————————————— 36
BSD-3-Clause ————————— 36
Apache-2.0 ——————————— 5
BSD-2-Clause ————————— 3
Zlib ————————————————— 1
CC-BY-3.0 ———————————— 1
GPL-2.0 —————————————— 1
This can be used to find out what each of our dependencies (direct and indirect) is using. It might list multiple licenses in a single package:
$ licenses --list
...
[email protected] ————————————— ISC
[email protected] ——————————————— MIT
[email protected] ——————————— MIT
[email protected] ——————————————————— MIT
[email protected] —————————————————— Apache-2.0 + MIT
[email protected] ————————————————— MIT
[email protected] ——————————————————— MIT
[email protected] ——————— MIT
...
This list is normally quite long, but it can be easily grep
-ed. For example, to find all of the Apache-2.0
licenses:
$ licenses --list | grep Apache-2.0
[email protected] —————————————— Apache-2.0
[email protected] ———————————— Apache-2.0
[email protected] ——————————————————— Apache-2.0 + MIT
[email protected] —————————— Apache-2.0 + MPL-1.1
[email protected] ———————————— Apache-2.0
If there are multiple licenses in a library it's marked with a +
. You can indeed also grep that!
$ licenses --list | grep +
...
[email protected] ————————— ISC + MIT
[email protected] ————————————————————— Apache-2.0 + MIT
[email protected] —————————————— ISC + MIT
[email protected] ——— ISC + MIT
[email protected] ——————————————————— Apache-2.0 + MIT
[email protected] —————————————— ISC + MIT
[email protected] —————————— Apache-2.0 + MPL-1.1
[email protected] —————————————— AFLv2.1 + BSD
[email protected] ————————————————— ISC + MIT
[email protected] —————————————— CC0-1.0 + MIT
[email protected] ——————————— CC0-1.0 + MIT
...
Let's say you run this tool and find the dependencies, of which you really don't want to follow CC-BY-3.0:
$ licenses
DOC —————————————————— 56
MIT —————————————————— 56
ISC —————————————————— 7
CC0-1.0 —————————————— 4
BSD-2-Clause ————————— 2
Apache-1.0 ——————————— 2
Apache-2.0 ——————————— 2
CC-BY-3.0 ———————————— 1
Then you can also use it to track down which dependencies have this license:
$ licenses --list | grep CC-BY-3.0
[email protected] ——————— CC-BY-3.0
With this information you can either:
- Dig deeper: some times it might be dual-licensed
- Find out where this comes from with
npm ls
:
$ npm ls spdx-exceptions
[email protected] /home/francisco/check-licenses
└─┬ [email protected]
└─┬ [email protected]
└─┬ [email protected]
└─┬ [email protected]
└── [email protected]