license-checker
Advanced tools
The license-checker npm package is a tool that helps you manage and audit the licenses of the dependencies in your project. It provides detailed information about the licenses of all the packages in your node_modules directory, helping you ensure compliance with open-source license requirements.
List all licenses
This feature allows you to list all the licenses of the dependencies in your project. The code sample initializes the license-checker and prints out the licenses of all the packages found in the specified project directory.
const licenseChecker = require('license-checker');
licenseChecker.init({
start: '/path/to/your/project'
}, function(err, packages) {
if (err) {
console.log(err);
} else {
console.log(packages);
}
});Filter by specific licenses
This feature allows you to filter the dependencies by specific licenses. The code sample initializes the license-checker and filters the packages to only include those with MIT or ISC licenses.
const licenseChecker = require('license-checker');
licenseChecker.init({
start: '/path/to/your/project',
onlyAllow: 'MIT;ISC'
}, function(err, packages) {
if (err) {
console.log(err);
} else {
console.log(packages);
}
});Custom format output
This feature allows you to customize the output format of the license information. The code sample initializes the license-checker and specifies a custom format for the output, including the name, version, licenses, and repository of each package.
const licenseChecker = require('license-checker');
licenseChecker.init({
start: '/path/to/your/project',
customFormat: {
name: '',
version: '',
licenses: '',
repository: ''
}
}, function(err, packages) {
if (err) {
console.log(err);
} else {
console.log(packages);
}
});The license-report package provides a similar functionality to license-checker by generating a report of the licenses of the dependencies in your project. It offers a command-line interface and can output the report in various formats such as JSON, CSV, and plain text. Compared to license-checker, license-report focuses more on generating comprehensive reports.
The npm-license-crawler package crawls through the dependencies of your project and generates a license report. It can be configured to include or exclude specific licenses and can output the report in JSON or CSV format. Compared to license-checker, npm-license-crawler provides more options for customizing the crawling process and the output format.
The license-checker-webpack-plugin is a Webpack plugin that checks the licenses of the dependencies in your project during the build process. It integrates with Webpack and can be configured to fail the build if any disallowed licenses are found. Compared to license-checker, this package is specifically designed for use with Webpack and provides seamless integration with the build process.
As of v17.0.0 the failOn and onlyAllow arguments take semicolons as delimeters instead of commas. Some license names contain
commas and it messed with the parsing
Ever needed to see all the license info for a module and its dependencies?
It's this easy:
npm install -g license-checker
mkdir foo
cd foo
npm install yui-lint
license-checker
You should see something like this:
├─ cli@0.4.3
│ ├─ repository: http://github.com/chriso/cli
│ └─ licenses: MIT
├─ glob@3.1.14
│ ├─ repository: https://github.com/isaacs/node-glob
│ └─ licenses: UNKNOWN
├─ graceful-fs@1.1.14
│ ├─ repository: https://github.com/isaacs/node-graceful-fs
│ └─ licenses: UNKNOWN
├─ inherits@1.0.0
│ ├─ repository: https://github.com/isaacs/inherits
│ └─ licenses: UNKNOWN
├─ jshint@0.9.1
│ └─ licenses: MIT
├─ lru-cache@1.0.6
│ ├─ repository: https://github.com/isaacs/node-lru-cache
│ └─ licenses: MIT
├─ lru-cache@2.0.4
│ ├─ repository: https://github.com/isaacs/node-lru-cache
│ └─ licenses: MIT
├─ minimatch@0.0.5
│ ├─ repository: https://github.com/isaacs/minimatch
│ └─ licenses: MIT
├─ minimatch@0.2.9
│ ├─ repository: https://github.com/isaacs/minimatch
│ └─ licenses: MIT
├─ sigmund@1.0.0
│ ├─ repository: https://github.com/isaacs/sigmund
│ └─ licenses: UNKNOWN
└─ yui-lint@0.1.1
├─ licenses: BSD
└─ repository: http://github.com/yui/yui-lint
An asterisk next to a license name means that it was deduced from an other file than package.json (README, LICENSE, COPYING, ...) You could see something like this:
└─ debug@2.0.0
├─ repository: https://github.com/visionmedia/debug
└─ licenses: MIT*
--production only show production dependencies.--development only show development dependencies.--start [path of the initial json to look for]--unknown report guessed licenses as unknown licenses.--onlyunknown only list packages with unknown or guessed licenses.--json output in json format.--csv output in csv format.--csvComponentPrefix prefix column for component in csv format.--out [filepath] write the data to a specific file.--customPath to add a custom Format file in JSON--exclude [list] exclude modules which licenses are in the comma-separated list from the output--relativeLicensePath output the location of the license files as relative paths--summary output a summary of the license usage',--failOn [list] fail (exit with code 1) on the first occurrence of the licenses of the semicolon-separated list--onlyAllow [list] fail (exit with code 1) on the first occurrence of the licenses not in the semicolon-seperated list--packages [list] restrict output to the packages (package@version) in the semicolon-seperated list--excludePackages [list] restrict output to the packages (package@version) not in the semicolon-seperated list--excludePrivatePackages restrict output to not include any package marked as private--direct look for direct dependencies onlyA list of licenses is the simplest way to describe what you want to exclude.
You can use valid SPDX identifiers.
You can use valid SPDX expressions like MIT OR X11.
You can use non-valid SPDX identifiers, like Public Domain, since npm does
support some license strings that are not SPDX identifiers.
license-checker --json > /path/to/licenses.json
license-checker --csv --out /path/to/licenses.csv
license-checker --unknown
license-checker --customPath customFormatExample.json
license-checker --exclude 'MIT, MIT OR X11, BSD, ISC'
license-checker --packages 'react@16.3.0;react-dom@16.3.0;lodash@4.3.1'
license-checker --excludePackages 'internal-1;internal-2'
license-checker --onlyunknown
The --customPath option can be used with CSV to specify the columns. Note that
the first column, module_name, will always be used.
When used with JSON format, it will add the specified items to the usual ones.
The available items are the following:
You can also give default values for each item. See an example in customFormatExample.json.
var checker = require('license-checker');
checker.init({
start: '/path/to/start/looking'
}, function(err, packages) {
if (err) {
//Handle error
} else {
//The sorted package data
//as an Object
}
});
license-checker uses debug for internal logging. There’s two internal markers:
license-checker:error for errorslicense-checker:log for non-errorsSet the DEBUG environment variable to one of these to see debug output:
$ export DEBUG=license-checker*; license-checker
scanning ./yui-lint
├─ cli@0.4.3
│ ├─ repository: http://github.com/chriso/cli
│ └─ licenses: MIT
# ...
We walk through the node_modules directory with the read-installed module. Once we gathered a list of modules we walk through them and look at all of their package.json's, We try to identify the license with the spdx module to see if it has a valid SPDX license attached. If that fails, we then look into the module for the following files: LICENSE, LICENCE, COPYING, & README.
If one of the those files are found (in that order) we will attempt to parse the license data from it with a list of known license texts. This will be shown with the * next to the name of the license to show that we "guessed" at it.
FAQs
Check license info for a package
We found that license-checker demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Critics call the Node.js EOL CVE a misuse of the system, sparking debate over CVE standards and the growing noise in vulnerability databases.
Security News
cURL and Go security teams are publicly rejecting CVSS as flawed for assessing vulnerabilities and are calling for more accurate, context-aware approaches.
Security News
Bun 1.2 enhances its JavaScript runtime with 90% Node.js compatibility, built-in S3 and Postgres support, HTML Imports, and faster, cloud-first performance.