licensee - npm Package Compare versions

Comparing version 0.2.0 to 1.0.0

package.json

 {
   "name": "licensee",
-  "description": "check npm package licenses against a set of rules",
-  "version": "0.2.0",
-  "author": {
-    "name": "Kyle E. Mitchell",
-    "email": "kyle@kemitchell.com",
-    "url": "http://kemitchell.com"
-  },
-  "bin": "./bin/licensee",
-  "bugs": "https://github.com/jslicense/licensee.js/issues",
+  "description": "check dependency licenses against rules",
+  "version": "1.0.0",
+  "author": "Kyle E. Mitchell <kyle@kemitchell.com> (https://kemitchell.com/)",
   "dependencies": {
-    "cli-table": "^0.3.1",
-    "docopt": "0.6.2",
-    "read-installed": "4.0.0",
-    "spdx": "0.4.0"
+    "read-package-tree": "^5.1.2",
+    "semver": "^5.1.0",
+    "spdx-expression-validate": "^1.0.1",
+    "spdx-satisfies": "^0.1.3",
+    "tv4": "^1.2.7"
   },
+  "bin": "./licensee",
+  "files": [
+    "LICENSE",
+    "NOTICE",
+    "configuration-schema.json",
+    "index.js",
+    "licensee"
+  ],
   "devDependencies": {
-    "jscs": "1.13.1",
-    "jshint": "2.7.0",
-    "tap": "1.0.2",
-    "temp": "0.8.1"
+    "tap": "^5.4.2"
   },
-  "homepage": "https://github.com/jslicense/licensee.js",
-  "keywords": [
-    "SPDX",
-    "audit",
-    "law",
-    "legal",
-    "license",
-    "metadata",
-    "package"
-  ],
   "license": "Apache-2.0",
-  "main": "source/index.js",
   "repository": "jslicense/licensee.js",
   "scripts": {
-    "lint": "jshint source test && jscs source test",
-    "precommit": "npm run lint && npm run test",
-    "test": "tap test/*.test.js"
+    "test": "tap tests/**/test.js"
   }
 }

README.md

@@ -1,31 +0,67 @@
-licensee.js
-===========
+Check dependency licenses against rules.
 
-[![npm version](https://img.shields.io/npm/v/licensee.svg)](https://www.npmjs.com/package/licensee)
-[![license](https://img.shields.io/badge/license-Apache--2.0-303284.svg)](http://www.apache.org/licenses/LICENSE-2.0)
-[![build status](https://img.shields.io/travis/jslicense/licensee.js.svg)](http://travis-ci.org/jslicense/licensee.js)
+# Configuration
 
-Check npm package licenses against a set of rules.
+Create a `.licensee.json` file at the root of your package. Here is an example.
 
-At the command line:
+```json
+{ "license": "(MIT OR BSD-2-Clause OR BSD-3-Clause OR ISC OR Apache-2.0)",
+  "whitelist": {
+    "optimist": "<=0.6.1" } }
+```
 
+The `license` property is an SPDX license expression that
+[spdx-expression-parse][parse] can parse. Any package with [standard
+license metadata][metadata] that satisfies the SPDX license expression
+according to [spdx-satisfies][satisfies] will not cause an error.
+
+[parse]: https://www.npmjs.com/package/spdx-expression-parse
+[satisfies]: https://www.npmjs.com/package/spdx-satisfies
+
+The `whitelist` is a map from package name to a [node-semver][semver]
+Semantic Versioning range. Packages whose license metadata don't match
+the SPDX license expression in `license` but have a name and version
+described in `whitelist` will not cause an error.
+
+[metadata]: https://docs.npmjs.com/files/package.json#license
+[semver]: https://www.npmjs.com/package/semver
+
+# Use
+
+To install and use `licensee` globally:
+
 ```bash
-npm --global install licensee
-cd /your/package/path
+npm install --global licensee
+cd your-package
 licensee
 ```
 
-With Node.js:
+The `licensee` script will exit with status `0` when all packages in
+`./node_modules` meet the configured licensing criteria and `1` when
+one or more do not.
 
-```js
-var licensee = require('licensee');
-var path = '/your/package/path';
-var configuration = {
-  link: '(MIT OR ISC OR Apache-2.0)'
-};
-licensee(path, configuration, function(error, problems) {
-  console.error(problems);
-});
+To install it as a development dependency of your package:
+
+```bash
+cd your-package
+npm install --save-dev licensee
 ```
 
-`licensee` checks `license` properties in `package.json` metadata. Licensing of packages with `private: true` is ignored.
+Consider adding `licensee` to your npm scripts:
+
+```json
+{ "scripts": {
+    "test": "...",
+    "posttest": "licensee" } }
+```
+
+# JavaScript Module
+
+The package exports an asynchronous function of three arguments:
+
+1. A configuration object in the same form as `.licensee.json`.
+
+2. The path of the package to check.
+
+3. An error-first callback that yields an array of objects describing
+   licensing issues.

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

No bug tracker

Maintenance

Package does not have a linked bug tracker in package.json.

Found 1 instance in 1 package

No website

Quality

Package does not have a website.

Found 1 instance in 1 package

Unidentified License

License

(Experimental) Something that seems like a license was found, but its contents could not be matched with a known license.

Found 2 instances in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

No v1

Quality

Package is not semver >=1. This means it is not stable and does not support ^ ranges.

Found 1 instance in 1 package

Unidentified License

License

(Experimental) Something that seems like a license was found, but its contents could not be matched with a known license.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

17711

increased by19.35%

Dev dependency count

1

decreased by-75%

Number of lines in readme file

68

increased by112.5%

Number of low supply chain risk alerts

1

decreased by-50%

Worsened metrics

Dependency count

5

increased by25%

Number of low license alerts

2

increased by100%

Lines of code

62

decreased by-50%

Number of medium supply chain risk alerts

1

increased byInfinity%

Dependency changes

• + Addedread-package-tree@^5.1.2

• + Addedsemver@^5.1.0

• + Addedspdx-expression-validate@^1.0.1

• + Addedspdx-satisfies@^0.1.3

• + Addedtv4@^1.2.7

• + Addedarray-buffer-byte-length@1.0.1(transitive)

• + Addedarray.prototype.reduce@1.0.7(transitive)

• + Addedarraybuffer.prototype.slice@1.0.3(transitive)

• + Addedavailable-typed-arrays@1.0.7(transitive)

• + Addedcall-bind@1.0.7(transitive)

• + Addeddata-view-buffer@1.0.1(transitive)

• + Addeddata-view-byte-length@1.0.1(transitive)

• + Addeddata-view-byte-offset@1.0.0(transitive)

• + Addeddefine-data-property@1.1.4(transitive)

• + Addeddefine-properties@1.2.1(transitive)

• + Addedes-abstract@1.23.3(transitive)

• + Addedes-array-method-boxes-properly@1.0.0(transitive)

• + Addedes-define-property@1.0.0(transitive)

• + Addedes-errors@1.3.0(transitive)

• + Addedes-object-atoms@1.0.0(transitive)

• + Addedes-set-tostringtag@2.0.3(transitive)

• + Addedes-to-primitive@1.2.1(transitive)

• + Addedfor-each@0.3.3(transitive)

• + Addedfunction.prototype.name@1.1.6(transitive)

• + Addedfunctions-have-names@1.2.3(transitive)

• + Addedget-intrinsic@1.2.4(transitive)

• + Addedget-symbol-description@1.0.2(transitive)

• + Addedglobalthis@1.0.4(transitive)

• + Addedgopd@1.0.1(transitive)

• + Addedhas-bigints@1.0.2(transitive)

• + Addedhas-property-descriptors@1.0.2(transitive)

• + Addedhas-proto@1.0.3(transitive)

• + Addedhas-symbols@1.0.3(transitive)

• + Addedhas-tostringtag@1.0.2(transitive)

• + Addedinternal-slot@1.0.7(transitive)

• + Addedis-array-buffer@3.0.4(transitive)

• + Addedis-bigint@1.0.4(transitive)

• + Addedis-boolean-object@1.1.2(transitive)

• + Addedis-callable@1.2.7(transitive)

• + Addedis-data-view@1.0.1(transitive)

• + Addedis-date-object@1.0.5(transitive)

• + Addedis-negative-zero@2.0.3(transitive)

• + Addedis-number-object@1.0.7(transitive)

• + Addedis-regex@1.1.4(transitive)

• + Addedis-shared-array-buffer@1.0.3(transitive)

• + Addedis-string@1.0.7(transitive)

• + Addedis-symbol@1.0.4(transitive)

• + Addedis-typed-array@1.1.13(transitive)

• + Addedis-weakref@1.0.2(transitive)

• + Addedisarray@2.0.5(transitive)

• + Addedobject-inspect@1.13.3(transitive)

• + Addedobject-keys@1.1.1(transitive)

• + Addedobject.assign@4.1.5(transitive)

• + Addedobject.getownpropertydescriptors@2.1.8(transitive)

• + Addedpossible-typed-array-names@1.0.0(transitive)

• + Addedread-package-tree@5.3.1(transitive)

• + Addedregexp.prototype.flags@1.5.3(transitive)

• + Addedsafe-array-concat@1.1.2(transitive)

• + Addedsafe-regex-test@1.0.3(transitive)

• + Addedsemver@5.7.2(transitive)

• + Addedset-function-length@1.2.2(transitive)

• + Addedset-function-name@2.0.2(transitive)

• + Addedside-channel@1.0.6(transitive)

• + Addedspdx-compare@0.1.2(transitive)

• + Addedspdx-expression-parse@1.0.4(transitive)

• + Addedspdx-expression-validate@1.0.2(transitive)

• + Addedspdx-ranges@1.0.1(transitive)

• + Addedspdx-satisfies@0.1.3(transitive)

• + Addedstring.prototype.trim@1.2.9(transitive)

• + Addedstring.prototype.trimend@1.0.8(transitive)

• + Addedstring.prototype.trimstart@1.0.8(transitive)

• + Addedtv4@1.3.0(transitive)

• + Addedtyped-array-buffer@1.0.2(transitive)

• + Addedtyped-array-byte-length@1.0.1(transitive)

• + Addedtyped-array-byte-offset@1.0.2(transitive)

• + Addedtyped-array-length@1.0.6(transitive)

• + Addedunbox-primitive@1.0.2(transitive)

• + Addedutil-promisify@2.1.0(transitive)

• + Addedwhich-boxed-primitive@1.0.2(transitive)

• + Addedwhich-typed-array@1.1.15(transitive)

• - Removedcli-table@^0.3.1

• - Removeddocopt@0.6.2

• - Removedread-installed@4.0.0

• - Removedspdx@0.4.0

• - Removedcli-table@0.3.11(transitive)

• - Removedcolors@1.0.3(transitive)

• - Removeddocopt@0.6.2(transitive)

• - Removedgraceful-fs@3.0.12(transitive)

• - Removednatives@1.1.6(transitive)

• - Removedread-installed@4.0.0(transitive)

• - Removedsemver@4.3.6(transitive)

• - Removedslide@1.1.6(transitive)

• - Removedspdx@0.4.0(transitive)

• - Removedspdx-license-ids@1.2.2(transitive)

• - Removedutil-extend@1.0.3(transitive)