Introducing License Overlays: Smarter License Management for Real-World Code

Customize license detection with Socket’s new license overlays: gain control, reduce noise, and handle edge cases with precision.

Christopher Bailey

August 1, 2025

Socket is proud to announce a new feature called "license overlays", which allows customers to modify or replace the results of Socket's standard license analysis.

While we stand behind the accuracy of our license detection, license identification presents unique challenges that make it fundamentally unlike code analysis: there are no hard and fast restrictions on how a package author can convey license information to would-be licensees, or on what kind of licensing information they can convey. This is in stark contrast to analysis of computer code, which must parse, or otherwise conform to a prescribed structure, in order to work at all, and which therefore lends itself to more exacting forms of inspection.

Even when one leans on the latest generation of large language models, this kind of extremely niche task is likely to be novel relative to the LLM's training. Combined with the inherently probabilistic nature of LLMs, this means that in a subset of cases some amount of license data is likely to require human review for the foreseeable future.

We've curated some examples below to illustrate use cases for this feature. Although norms and best practices have emerged in recent years (and thankfully are seeing increasingly broad adoption), there are huge bodies of widely used software which do not conform to any cognizable standard.

Example 1:

One fairly common pattern which causes issues is collating large amounts of license data and attribution information in a single file covering information for many modules and bundled dependencies, as with this LICENSE file in the popular torch package. This file contains almost 10,000 lines of license information, incorporating custom formats, inline license texts, and assorted copyright headers.

Example 2:

The package gsap has elected to use the "license" key of their package.json file to include a nonstandard (and nonconforming) string redirecting readers to a URL.

Example 3:

There are also instances in which a user might want to modify the way a package's license information presents in their dependency tree even when the base license information is completely accurate. For example, one of the license files included in Next.js presents both ISC (a permissive license) and CC-BY-SA-4.0 (a copyleft license).

Some non-standard explanatory text in the file further shows that CC-BY-SA-4.0 applies to the logo of an apparently vendored dependency Glob. Some users may determine that for their use case, the license information pertaining to Glob's logo is irrelevant, therefore it's preferable for this file to present only as ISC in their dependency tree, particularly if their license policy forbids copyleft licenses.

Creating a License Overlay

License overlays can be created by clicking the appropriate prompt in any license policy violation alert.

Clicking ‘Create overlay’ will open a new dialog which lets users see the relevant portion of the applicable package and make whatever modifications to the license identifier and authors they deem appropriate.

Socket's license analysis also tracks author information, which is important for attribution as required by the terms of many popular open source licenses. The license overlay feature allows customers to add, remove, or modify license information, which will become part of any attribution file customers generate with Socket.

Version globs

The license overlay feature allows users to apply overlays across multiple versions with glob patterns, so that customers do not have to repeatedly update overlays to keep them in sync with dependencies as those dependencies release new versions.

License overlays do not default to an "apply to all future versions" behavior, because packages can (and do) sometimes change the terms under which they are offered.

One detail which may be of interest: if a dependency has an overlay applied, and the file to which that overlay is applied changes, the version glob is ignored and users will be presented with the default license information. This behavior was chosen to prevent the following potentially problematic scenario:

  • Package A is released as MIT AND GPL-2.0 at version 1.0.0.
  • The customer decides the GPL-2.0 part doesn't apply to their use of the package and creates an overlay, replacing MIT AND GPL-2.0 with MIT, with the version glob pattern 1.*.
  • At version 1.2.0, the package authors relicense the package, changing the LICENSE file to a very unequivocal AGPL-3.0.

In this case, the desirable behavior is to effectively invalidate the customer's license overlay, despite the version glob technically applying, and show the user the base license detection result of AGPL-3.0.
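The rule above, modeled as an added Python example (this is illustrative code, not Socket's implementation): an overlay applies only when the version matches its glob and the overlaid license file is unchanged. It assumes that "the file changes" is detected by comparing a content digest of the LICENSE file taken when the overlay was created, and the package history for "package A" is constructed to follow the scenario in the post.

```python
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Detection:
    """Base detection result for one package version (constructed sample)."""
    version: str
    license_expr: str   # SPDX expression from base license analysis
    license_file: str   # text of the LICENSE file it was derived from

@dataclass(frozen=True)
class Overlay:
    """Customer overlay, pinned to a digest of the LICENSE file it was created against."""
    version_glob: str
    replacement: str
    file_digest: str
    note: str = ""

def digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def create_overlay(base: Detection, version_glob: str, replacement: str, note: str = "") -> Overlay:
    # Assumed mechanism: remember the file content the reviewer actually looked at.
    return Overlay(version_glob, replacement, digest(base.license_file), note)

def effective_license(det: Detection, overlays: list[Overlay]) -> tuple[str, str]:
    """Return (license expression, reason) for one version, using the first matching overlay."""
    for ov in overlays:
        if not fnmatchcase(det.version, ov.version_glob):
            continue
        if digest(det.license_file) != ov.file_digest:
            # The overlaid file changed: the glob is ignored and base detection wins.
            return det.license_expr, "overlay invalidated: license file changed"
        return ov.replacement, "overlay applied"
    return det.license_expr, "no matching overlay"

# Constructed history of "package A" following the scenario in the post.
DUAL_TEXT = "MIT License ... GNU GENERAL PUBLIC LICENSE Version 2 ..."
V1_0_0 = Detection("1.0.0", "MIT AND GPL-2.0", DUAL_TEXT)
V1_1_0 = Detection("1.1.0", "MIT AND GPL-2.0", DUAL_TEXT)  # same file, new release
V1_2_0 = Detection("1.2.0", "AGPL-3.0", "GNU AFFERO GENERAL PUBLIC LICENSE Version 3 ...")
V2_0_0 = Detection("2.0.0", "MIT AND GPL-2.0", DUAL_TEXT)  # outside the 1.* glob
OVERLAY = create_overlay(V1_0_0, "1.*", "MIT", note="GPL-2.0 does not apply to our use")

if __name__ == "__main__":
    for det in (V1_0_0, V1_1_0, V1_2_0, V2_0_0):
        print(det.version, *effective_license(det, [OVERLAY]))
```

Running it shows 1.0.0 and 1.1.0 resolving to MIT, 1.2.0 falling back to AGPL-3.0 because the file changed, and 2.0.0 keeping its base result because the glob does not match.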

Overlay Notes

License overlays include a feature for leaving notes and other information as a reminder of why certain modifications were made.

Viewing and deleting existing overlays

Existing license overlays can be viewed and deleted by navigating to the organization dashboard > Settings > Legal > License Overlays.

Flexible by Design

License analysis isn’t black and white, and unlike most tools in the ecosystem, Socket embraces that reality. While others enforce rigid heuristics or force-fit nonstandard cases into predefined boxes, our new license overlays give you control when nuance matters.

Whether you're cleaning up edge cases, preserving author attribution, or avoiding policy false positives, overlays are designed to meet your team where you are. We’re excited to get your feedback, hear about your real-world use cases, and continue refining this feature to make Socket the most flexible and developer-friendly license tool available.
