
License exception

Severity

Low

Short Description

(Experimental) Contains an SPDX license exception.

Packages

View packages with this alert.

Suggestion

License exceptions should be carefully reviewed.

Information

The License Exception alert flags packages whose license designates a modification to the standard terms of an open-source license. In SPDX notation an exception is attached to its base license with the WITH operator (for example, Apache-2.0 WITH LLVM-exception). Exceptions grant additional permissions (or, occasionally, impose extra restrictions) that override specific clauses of the base license, so they can change how the software may be used, linked, or redistributed, and under what terms derivative works may be licensed.

Recommended actions

1. Review the License and Exception Terms

  • Carefully read the primary license and the associated exception. License exceptions often modify or limit the conditions of the base license in subtle ways.
  • Understand how the exception may impact your project’s use of the dependency, especially if you plan to distribute your software or link to proprietary code.

2. Assess Compatibility

  • Determine whether the exception affects your project’s licensing or distribution model. For example, an exception may allow linking with proprietary code, but it could also impose specific requirements that affect how you can distribute your software.
  • Ensure the exception doesn’t conflict with your project’s existing licenses or any third-party software you rely on.

3. Consult Legal or Licensing Experts

  • If the exception is unfamiliar or the licensing terms are complex, consult your legal team or a licensing expert. They can help you assess the potential risks and determine the best course of action for your project.

4. Consider Alternatives

  • If the license exception poses risks or creates legal uncertainty, explore alternative packages with more permissive or compatible licenses.
  • Switching to a package with a more standard license can help avoid potential compliance issues down the road.

Examples

An example is a package whose license is declared as Apache-2.0 WITH LLVM-exception: the Apache License 2.0 combined with the SPDX exception bearing the ID LLVM-exception.

Detection Method

Packages are flagged with a License Exception alert when a license expression that pairs a base license with an exception is detected. Because license exceptions are rare and can change the terms of the base license in ways that are hard to predict, the presence of an exception is treated as an alert in its own right, independent of any alert on the base license.

To determine a package's licensing, Socket checks several sources. The main ones are (1) an explicit LICENSE file, (2) ecosystem-specific license fields in manifest files (package.json, pyproject.toml, gemspecs, etc.), (3) the license metadata exposed by the package registry, and (4) license and copyright headers in source code files.
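To make the detection concrete, here is an added example (not Socket's own code) that implements a minimal version of sources (2) and (4) above: it pulls SPDX expressions from a package.json or pyproject.toml and from SPDX-License-Identifier comment headers in source files, then reports every license that is paired with an exception via WITH. The package contents, the file names and the subset of the SPDX exception list are constructed for the example; the operator handling (uppercase AND/OR/WITH, with WITH binding tighter than AND and OR) is this example's own assumption about the input. The pyproject path needs Python 3.11 for the standard-library tomllib.

```python
"""Added example: flag SPDX license exceptions in manifests and source headers."""
import json
import os
import re

# Constructed subset of the SPDX exception list; a real scanner would load the
# full list from https://spdx.org/licenses/exceptions-index.html.
KNOWN_SPDX_EXCEPTIONS = {
    "LLVM-exception",
    "Classpath-exception-2.0",
    "GCC-exception-3.1",
    "Autoconf-exception-3.0",
    "Bison-exception-2.2",
    "Font-exception-2.0",
    "Linux-syscall-note",
    "OpenJDK-assembly-exception-1.0",
}

# Tokens of an SPDX expression: parentheses, the three operators, or an identifier.
# Operators are matched as uppercase only (an assumption of this example).
_TOKEN_RE = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+-]+")
_OPERATORS = {"(", ")", "AND", "OR", "WITH"}


def find_exceptions(expr):
    """Return (license, exception) pairs joined by WITH in an SPDX expression.

    WITH binds tighter than AND/OR, so both operands are always the identifiers
    immediately beside it; a WITH next to an operator or parenthesis is malformed.
    """
    tokens = _TOKEN_RE.findall(expr)
    pairs = []
    for i, tok in enumerate(tokens):
        if tok != "WITH":
            continue
        if (i == 0 or i == len(tokens) - 1
                or tokens[i - 1] in _OPERATORS or tokens[i + 1] in _OPERATORS):
            raise ValueError(f"malformed SPDX expression: {expr!r}")
        pairs.append((tokens[i - 1], tokens[i + 1]))
    return pairs


def expressions_from_package_json(text):
    """The `license` field of package.json; the legacy {"type": ...} object is tolerated."""
    lic = json.loads(text).get("license")
    if isinstance(lic, dict):
        lic = lic.get("type")
    return [lic] if isinstance(lic, str) else []


def expressions_from_pyproject(text):
    """PEP 621 `project.license`, either a bare string or a {text = "..."} table."""
    import tomllib  # Python 3.11+; imported lazily so the rest runs on older versions
    lic = tomllib.loads(text).get("project", {}).get("license")
    if isinstance(lic, dict):
        lic = lic.get("text")
    return [lic] if isinstance(lic, str) else []


# Matches the conventional "SPDX-License-Identifier: <expr>" comment header and
# stops before a closing "*/" or the end of the line.
_SPDX_HEADER_RE = re.compile(r"SPDX-License-Identifier:\s*([^\n*/]+)")
_SOURCE_EXTENSIONS = {".c", ".cc", ".cpp", ".h", ".js", ".ts", ".py", ".rs", ".go"}


def expressions_from_source(text):
    """SPDX-License-Identifier headers found in a source file."""
    return [m.strip() for m in _SPDX_HEADER_RE.findall(text)]


def expressions_for(path, text):
    """Dispatch on the file name to the right extractor; other files yield nothing."""
    name = os.path.basename(path)
    if name == "package.json":
        return expressions_from_package_json(text)
    if name == "pyproject.toml":
        return expressions_from_pyproject(text)
    if os.path.splitext(name)[1] in _SOURCE_EXTENSIONS:
        return expressions_from_source(text)
    return []


def scan_package(files):
    """files: {path: content}. Returns one alert dict per license/exception pair found."""
    alerts = []
    for path, text in sorted(files.items()):
        for expr in expressions_for(path, text):
            for lic, exc in find_exceptions(expr):
                alerts.append({
                    "file": path,
                    "expression": expr,
                    "license": lic,
                    "exception": exc,
                    "known_exception": exc in KNOWN_SPDX_EXCEPTIONS,
                })
    return alerts


# Constructed sample package (not a real registry package).
SAMPLE_PACKAGE = {
    "package.json": '{"name": "example-bindings", "version": "1.0.0", '
                    '"license": "Apache-2.0 WITH LLVM-exception"}',
    "src/index.js": "// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception\nmodule.exports = {};\n",
    "src/vendored.c": "/* SPDX-License-Identifier: GPL-2.0-only WITH Classpath-exception-2.0 */\n",
    "README.md": "Apache-2.0 WITH LLVM-exception mentioned in prose is ignored.\n",
}

if __name__ == "__main__":
    for alert in scan_package(SAMPLE_PACKAGE):
        note = "" if alert["known_exception"] else " (not in SPDX exception list)"
        print(f'{alert["file"]}: {alert["license"]} WITH {alert["exception"]}{note}')
```

Two details matter in practice. First, an exception identifier that is not on the SPDX exception list is itself worth surfacing (known_exception is False), since it is either a typo or a custom, unreviewed grant. Second, the scanner reports the vendored C file separately from the manifest: a package whose manifest says Apache-2.0 WITH LLVM-exception can still carry GPL-2.0-only WITH Classpath-exception-2.0 code, which is exactly the kind of mismatch the review steps above are meant to catch.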

Additional resources

SPDX - List of Known License Exceptions

Understanding License Exceptions: What Developers Need to Know

GNU License Exceptions – A detailed explanation of how license exceptions work in GNU licenses

On Selling Exceptions to the GNU GPL - FSF article by Richard Stallman
