
Security News
The Hidden Blast Radius of the Axios Compromise
The Axios compromise shows how time-dependent dependency resolution makes exposure harder to detect and contain.
liblice is a module to detect licenses throughout your entire installed dependency tree.
liblice crawls node_modules, fetches all package.json files, and parses them. It can return the data it fetches in a few different ways, depending on how you want to consume it.
npm install liblice
list
Output
Returns an array of all licenses, plus any invalid licenses, found within the node_modules of the passed directory.
const { list } = require('liblice')
list('.') // where the current working directory has node_modules
modules
Output
Returns an object of all modules, with their license expression, the path to the module, their version, their author, and their conformance information.
const { modules } = require('liblice')
modules('.') // where the current working directory has node_modules
licenses
Output
Returns an object with the name of every license as a key, the value being an object of objects that includes:
const { licenses } = require('liblice')
licenses('.') // where the current working directory has node_modules
Conformance information is information that could be useful in the context of license conformance. Specifically, information included is a full list of all individual license IDs in the license expression (often this is identical to the license expression itself, but sometimes it's not), the links to the SPDX-hosted versions of the included licenses, and information that mirrors what can be found in the SPDX license list:
- osi property, which indicates if all licenses in the license expression are OSI compliant
- fsf property, which indicates if all licenses in the license expression are FSF compliant
- fsfAndOSI property, which indicates if all licenses in the license expression are both OSI and FSF compliant
- includesDeprecated property, which indicates if one or more licenses in the license expression are deprecated IDs

Currently, liblice excludes searching any directory in node_modules that includes /.bin/, since it is a problematic directory and doesn't actually add any value that is not already otherwise derived.
FAQs
liblice is a module to detect licenses throughout your entire installed dependency tree.
We found that liblice demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.