license-downloader
Download the license files of the dependencies of a project based on the json report from the package 'license-report'.
npm install license-downloader
'license-downloader' uses the GitHub REST API to find the location of the license files of the project's (dev-) dependencies. The license file location does not depend on the package version: the lookup is per repository, so the link points at the license file in the repository's default branch, which may differ from the one shipped with the installed version. Details about how the license file is detected can be found in licensee/licensee > What we look at and licensee/licensee > README.
Optionally it downloads these files to a given directory.
cd your/project/
npx license-report > ./license-report.json
npx license-downloader --source ./license-report.json --licDir ./license-files --download
A copy of the 'license-report.json' file with the property 'licenseFileLink' added to each entry is saved to the './license-files' directory (defined by the option --licDir). The downloaded licenses are saved in a subdirectory named 'licenses' inside the directory defined by --licDir.
If the option --licDir is missing, the modified 'license-report.json' file and the 'licenses' subdirectory are written to the directory of the source file.
cd your/project/
npx license-report > ./license-report.json
npx license-downloader --source ./license-report.json
The copy of the 'license-report.json' file with properties 'licenseFileLink' added is saved to the directory of the source file.
License-downloader uses the GitHub REST API to collect information about the license file of a project. If the rate limit for anonymous access to this API is exceeded (60 requests per hour, counted per source IP address), you will get warnings like this:
kessler/node-tableify: License query failed. Rate limit of 60 requests per hour exceeded. please wait 1534 seconds before trying again.
caolan/async: License query failed. Rate limit of 60 requests per hour exceeded. please wait 1534 seconds before trying again.
To avoid this problem you can use a GitHub personal access token, which gives you the higher limit for authenticated requests (5,000 requests per hour for a personal account). Fine-grained personal access tokens can be used as well; the permission the license endpoint requires is listed in the GitHub REST API documentation for "Get the license for a repository".
There are two possibilities:
use a file (recommended)
Write the GitHub token, generated in your GitHub developer settings, to a file. The full path to this file is stored in an environment variable, and the name of that environment variable is passed in the config parameter 'githubToken.tokenFileEnvVar':
export GITHUB_TOKEN_FILE=/run/secrets/github_pat.txt
cd your/project/
npx license-report > ./license-report.json
npx license-downloader --source ./license-report.json --licDir ./license-files --githubToken.tokenFileEnvVar GITHUB_TOKEN_FILE --download
This is the most secure variant: the token itself never sits in the process environment (which every child process inherits and which other processes on the same host can often read), and access rights can and should be set on the file so that only the user running the tool can read it.
use an environment variable
Generate a GitHub token in your GitHub developer settings and write it to an environment variable. If the environment variable is named GITHUB_TOKEN, it is used automatically. To use another environment variable, set its name with the parameter --githubToken.tokenEnvVar.
Examples:
export GITHUB_TOKEN=yourgithubtoken
cd your/project/
npx license-report > ./license-report.json
npx license-downloader --source ./license-report.json --licDir ./license-files --download
Or with a different environment variable name:
export MY_GITHUB_TOKEN=yourgithubtoken
cd your/project/
npx license-report > ./license-report.json
npx license-downloader --source ./license-report.json --licDir ./license-files --githubToken.tokenEnvVar MY_GITHUB_TOKEN --download
To enable debug output, set the DEBUG environment variable. In a Linux shell:
export DEBUG=license-downloader
or in the Windows command line:
SET DEBUG=license-downloader
This repo uses standard-changelog to create the CHANGELOG. To ensure that the commit messages follow the standard-changelog rules, husky is used for git hooks.
To initialize the git hooks after checking out the repo, run npx husky install.
Allowed types for commit messages are:
Allowed scopes are: