Security News
Sarah Gooding
June 18, 2024
Another controversial license change is brewing in the open source community, as the popular ua-parser-js library moves closer to dropping its MIT license in favor of a dual AGPLv3 + PRO license in its upcoming v2.0 release. This shift has sparked debates among developers regarding the implications for both open source and commercial use.
Ua-parser-js v2.0.0-beta.3 was released last week. The popular JavaScript library is used to detect browser, engine, OS, CPU, and device type/model from User-Agent data and can be used either in the browser (client-side) or with Node.js (server-side). It has 2,237 dependents, according to the npm registry, and is downloaded more than 12.5M times per month. The project made headlines in 2021 when the npm package was hijacked to deliver crypto miner malware, affecting millions of users.
This licensing change will impact a wide range of projects and developers who rely on ua-parser-js, potentially requiring them to reevaluate their compliance with the new dual AGPLv3 + PRO licensing terms. PRO license fees range from $12 (personal) to $500 (enterprise).
“Looking back, after more than a decade, what initially started as a for-fun and for-learning side-project has been slowly growing to become a popular module in npm, with almost ~12M downloads per week, and is being used by top tech companies, with little to no incentives,” UAParser.js maintainer Faisal Salman said when first announcing the change last October.
“Looking forward, we still want to continue developing this small project to be even more awesome. For it to be successful we are aiming for a sustainable model that works for an open-source project. In the past two years, we have tried the voluntary donation route with little success. This time, we decided to try a new model where we can get paid for maintaining the project while still keeping it Free & Open-Source.”
Salman said he’s aiming for an open core model to “maintain a mutual balance” between the project and its users. He advised that users should choose the paid version if they need the new features in v2.0 but don’t want to comply with the AGPL license. Salman also committed to bringing occasional updates to v1.x versions and releasing fixes for vulnerabilities.
This license update in the upcoming v2.0 release has raised significant concerns for commercial and open source projects relying on this widely-used library. The AGPL requires that any derivatives be released under the same license and that the source code be made available to anyone who interacts with the software over a network.
Platformatic CEO and Node.js TSC member Matteo Collina characterized the controversial change as a "rug pull" in his Adventures in Nodeland newsletter, and he decided to fork the library instead of relying on older versions.
“It's important to note that old versions will not be altered,” Collina said. “However, they will not receive many releases and new features.
“Unfortunately, any permissive Open Source project relying on this library can't continue using it long term. We used ua-parser-js in Platformatic for a simple check, and we couldn't justify having our users pay a license for this. Therefore, I have decided to fork the library and create my-ua-parser.”
Collina said he doesn’t plan to do much work on the fork but needs it to be open source “to avoid an accidental upgrade that our license checker might not catch in an auto-update.”
Salman received similarly strong reactions to the announcement from others who find the license change problematic and incompatible with their codebases.
“I definitely represent the kind of company that would seriously consider purchasing an Enterprise license,” Lance Dawkins commented on GitHub. “In fact, I actually came very close to buying one today.
“This licensing issue, however, is the thing that stopped me from doing so. Companies that can afford an Enterprise license are going to think a bit differently about scripts that have any connection whatsoever with a strong copyleft license like AGPL3. We have a lot of proprietary pre-existing projects that are entirely incompatible with open source copyleft licenses. While your UA Parser script is great, it's most definitely not worth the risk that its use in a pre-existing proprietary project would ‘infect’ all separate and pre-existing code.”
Another participant in the discussion predicted ua-parser-js usage will decline precipitously when the licensing change moves forward:
The change from MIT to AGPL will cause your application to be removed from virtually all credible open source projects and open source and commercial products and SaaS offerings. Or, the existing MIT version of your application will be forked and maintained outside of your control.
Others expressed even stronger disapproval for the licensing change and urged the maintainer to stick with the MIT license.
“For enterprise software companies, the surprise license change from MIT to AGPL is the end for your project -- it will be forked under MIT or simply removed,” GitHub user @TIncorviaITLS commented. “If you value continued control of the project, consider reverting to the MIT license.”
Salman’s most recent comments on GitHub today indicate that he is planning on moving forward with the change. With beta 3 released last week, the update appears to be imminent. Developers who want to continue with the MIT license should ensure they have v1.x of the ua-parser-js package installed, or find a suitable fork, as the open source v2.0 will use the AGPL license.
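The kind of lockfile check Collina's "accidental upgrade" remark points at, written here as an added example (not code from Socket, Platformatic, or the ua-parser-js project): it walks a package-lock.json `packages` map and flags any copy of ua-parser-js, including nested copies pulled in by a transitive dependency, whose major version is 2 or higher or whose declared license is AGPL. The lock contents below are constructed for illustration.

```javascript
// Constructed package-lock.json (lockfileVersion 3) for illustration: a
// direct v1.x dependency plus a nested v2 beta pulled in transitively.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0",
          dependencies: { "ua-parser-js": "^1.0.38" } },
    "node_modules/ua-parser-js": { version: "1.0.38", license: "MIT" },
    "node_modules/some-analytics": { version: "3.2.0", license: "ISC",
          dependencies: { "ua-parser-js": "^2.0.0-beta.3" } },
    "node_modules/some-analytics/node_modules/ua-parser-js": {
          version: "2.0.0-beta.3", license: "AGPL-3.0-or-later" },
  },
};

// Major version of a semver string; prerelease tags like "-beta.3" are ignored.
function majorOf(version) {
  const m = /^(\d+)\./.exec(version);
  return m ? Number(m[1]) : NaN;
}

// Return one finding per installed copy of pkgName. A copy is "ok" only if it
// is on the pre-2.0 line AND its license metadata does not mention AGPL;
// otherwise it is flagged for review before the next install or auto-update.
function auditUaParser(lock, pkgName = "ua-parser-js") {
  const suffix = "node_modules/" + pkgName;
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(suffix)) continue;
    const major = majorOf(meta.version || "");
    const license = String(meta.license || "");
    const copyleft = /AGPL/i.test(license);
    findings.push({
      path,
      version: meta.version,
      license,
      verdict: major >= 2 || copyleft ? "flag" : "ok",
    });
  }
  return findings;
}

// Stand-alone run: print the audit of the constructed lockfile.
console.log(JSON.stringify(auditUaParser(SAMPLE_LOCK), null, 2));
```

Pointing the function at a real lock (`JSON.parse(fs.readFileSync("package-lock.json"))`) in CI catches the nested copy that a caret range on a dependency would otherwise silently upgrade.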