Check npm package dependency license metadata against rules.
Configuration
Licensee accepts two kinds of configuration:
- a rule about permitted licenses
- a package whitelist of name-and-range pairs
You can set configuration with command flags or a .licensee.json
file at the root of your package, like so:
{
  "license": "(MIT OR BSD-2-Clause OR BSD-3-Clause OR Apache-2.0)",
  "whitelist": { "optimist": "<=0.6.1" }
}
The license property is an SPDX license expression that spdx-expression-parse can parse. Any package with standard license metadata that satisfies the SPDX license expression according to spdx-satisfies will not cause an error.
The whitelist is a map from package name to a node-semver Semantic Versioning range. Packages whose license metadata doesn't match the SPDX license expression in license, but whose name and version are described in whitelist, will not cause an error.
Use
To install and use licensee globally:
npm install --global licensee
cd your-package
licensee
The licensee script will exit with status 0 when all packages in ./node_modules meet the configured licensing criteria and 1 when one or more do not.
To install it as a development dependency of your package:
cd your-package
npm install --save-dev licensee
Consider adding licensee to your npm scripts:
{ "scripts": { "posttest": "licensee" } }
If you want a readout of license problems, but don't want your continuous integration going red, you can ignore licensee's exit code:
{ "scripts": { "posttest": "licensee || true" } }
JavaScript Module
The package exports an asynchronous function of three arguments:
- A configuration object in the same form as .licensee.json.
- The path of the package to check.
- An error-first callback that yields an array of objects describing licensing issues.
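The following is an added illustration, not licensee's own code, of how the license rule and the whitelist described in the Configuration section combine to produce the issue list the module's callback yields. It assumes two simplifications so it runs offline: the rule is a bare SPDX identifier or a flat "(A OR B ...)" disjunction rather than a full spdx-satisfies check, and whitelist ranges are a single comparator such as "<=0.6.1" rather than a full node-semver range; the package list is constructed sample input.

```javascript
// Added illustration, not licensee's own code. Models the rule + whitelist
// semantics above with two offline simplifications: the rule is a bare SPDX
// identifier or "(A OR B ...)" rather than a full spdx-satisfies check, and
// whitelist ranges are one comparator ("<=0.6.1") rather than full node-semver.
function parseAllowed(expression) {
  // "(MIT OR BSD-2-Clause)" -> ["MIT", "BSD-2-Clause"]; "MIT" -> ["MIT"]
  return expression.trim().replace(/^\(|\)$/g, '').split(/\s+OR\s+/).map(s => s.trim());
}

function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  const i = [0, 1, 2].find(k => pa[k] !== pb[k]);
  return i === undefined ? 0 : (pa[i] < pb[i] ? -1 : 1);
}

function satisfiesRange(version, range) {
  const m = /^(<=|>=|<|>|=)?\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error('unsupported range (simplified parser): ' + range);
  const cmp = compareVersions(version, m[2]);
  switch (m[1] || '=') {
    case '<=': return cmp <= 0;
    case '>=': return cmp >= 0;
    case '<': return cmp < 0;
    case '>': return cmp > 0;
    default: return cmp === 0;
  }
}

// packages: [{ name, version, license }] as read from each package.json under
// node_modules. Returns the issues the callback yields; empty means exit status 0.
function findIssues(config, packages) {
  const allowed = parseAllowed(config.license);
  const whitelist = config.whitelist || {};
  return packages.filter(pkg => {
    if (allowed.includes(pkg.license)) return false;       // rule satisfied
    const range = whitelist[pkg.name];                     // else: whitelisted?
    return !(range && satisfiesRange(pkg.version, range));
  });
}

// Constructed sample input, mirroring the .licensee.json shown above.
const SAMPLE_CONFIG = {
  license: '(MIT OR BSD-2-Clause OR BSD-3-Clause OR Apache-2.0)',
  whitelist: { optimist: '<=0.6.1' }
};
const SAMPLE_PACKAGES = [
  { name: 'lodash', version: '4.17.21', license: 'MIT' },     // passes the rule
  { name: 'optimist', version: '0.6.1', license: 'MIT/X11' }, // fails rule, whitelisted
  { name: 'optimist', version: '0.6.2', license: 'MIT/X11' }, // outside whitelist range
  { name: 'gpl-thing', version: '1.0.0', license: 'GPL-3.0' } // fails, not whitelisted
];
console.log(findIssues(SAMPLE_CONFIG, SAMPLE_PACKAGES)); // optimist@0.6.2 and gpl-thing
```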