NPM License Checker
Ever needed to see all the license info for a module and its dependencies?
It's this easy:
npm install -g license-checker
mkdir foo
cd foo
npm install yui-lint
license-checker
You should see something like this:
├─ cli@0.4.3
│ ├─ repository: http://github.com/chriso/cli
│ └─ licenses: MIT
├─ glob@3.1.14
│ ├─ repository: https://github.com/isaacs/node-glob
│ └─ licenses: UNKNOWN
├─ graceful-fs@1.1.14
│ ├─ repository: https://github.com/isaacs/node-graceful-fs
│ └─ licenses: UNKNOWN
├─ inherits@1.0.0
│ ├─ repository: https://github.com/isaacs/inherits
│ └─ licenses: UNKNOWN
├─ jshint@0.9.1
│ └─ licenses: MIT
├─ lru-cache@1.0.6
│ ├─ repository: https://github.com/isaacs/node-lru-cache
│ └─ licenses: MIT
├─ lru-cache@2.0.4
│ ├─ repository: https://github.com/isaacs/node-lru-cache
│ └─ licenses: MIT
├─ minimatch@0.0.5
│ ├─ repository: https://github.com/isaacs/minimatch
│ └─ licenses: MIT
├─ minimatch@0.2.9
│ ├─ repository: https://github.com/isaacs/minimatch
│ └─ licenses: MIT
├─ sigmund@1.0.0
│ ├─ repository: https://github.com/isaacs/sigmund
│ └─ licenses: UNKNOWN
└─ yui-lint@0.1.1
├─ licenses: BSD
└─ repository: http://github.com/yui/yui-lint
An asterisk next to a license name means that it was deduced from an other file than package.json (README, LICENSE, COPYING, ...) You could see something like this:
└─ debug@2.0.0
├─ repository: https://github.com/visionmedia/debug
└─ licenses: MIT*
Options
--production
only show production dependencies.--development
only show development dependencies.--unknown
report guessed licenses as unknown licenses.--onlyunknown
only list packages with unknown or guessed licenses.--json
output in json format.--csv
output in csv format.--csvComponentPrefix
prefix column for compoment in csv format.--out [filepath]
write the data to a specific file.--customPath
to add a custom Format file in JSON--exclude [list]
exclude modules which licenses are in the comma-separated list from the output--relativeLicensePath
output the location of the license files as relative paths--summary
output a summary of the license usage',--failOn [list]
fail (exit with code 1) on the first occurrence of the licenses of the comma-separated list
Exclusions
A list of licenses is the simplest way to describe what you want to exclude.
You can use valid SPDX identifiers.
You can use valid SPDX expressions like MIT OR X11
.
You can use non-valid SPDX identifiers, like Public Domain
, since npm
does
support some license strings that are not SPDX identifiers.
Examples
license-checker --json > /path/to/licenses.json
license-checker --csv --out /path/to/licenses.csv
license-checker --unknown
license-checker --customPath customFormatExample.json
license-checker --exclude 'MIT, MIT OR X11, BSD, ISC'
license-checker --onlyunknown
Custom format
The --customPath
option can be used with CSV to specify the columns. Note that
the first column, module_name
, will always be used.
When used with JSON format, it will add the specified items to the usual ones.
The available items are the following:
- name
- version
- description
- repository
- publisher
- url
- licenses
- licenseFile
- licenseText
- licenseModified
You can also give default values for each item. See an example in customFormatExample.json.
Requiring
var checker = require('license-checker');
checker.init({
start: '/path/to/start/looking'
}, function(err, json) {
if (err) {
//Handle error
} else {
//The sorted json data
}
});
Debugging
license-checker uses debug for internal logging. There’s two internal markers:
license-checker:error
for errorslicense-checker:log
for non-errors
Set the DEBUG
environment variable to one of these to see debug output:
$ export DEBUG=license-checker*; license-checker
scanning ./yui-lint
├─ cli@0.4.3
│ ├─ repository: http://github.com/chriso/cli
│ └─ licenses: MIT
# ...
How Licenses are Found
We walk through the node_modules
directory with the read-installed
module. Once we gathered a list of modules we walk through them and look at all of their package.json
's, We try to identify the license with the spdx
module to see if it has a valid SPDX license attached. If that fails, we then look into the module for the following files: LICENSE
, LICENCE
, COPYING
, & README
.
If one of the those files are found (in that order) we will attempt to parse the license data from it with a list of known license texts. This will be shown with the *
next to the name of the license to show that we "guessed" at it.