This content originally appeared on Bits and Pieces - Medium and was authored by Dulanka Karunasena
Using license-checker to find NPM dependency licenses
Thanks to NPM and the open-source community, developers can use plenty of external libraries for JavaScript development. But that doesn’t give us the freedom to use anything without considering their copyrights.
So, we should be aware of licensing models of the libraries we use. This article will show you a way to do a quick audit on your NPM dependencies using the license-checker NPM package.
Manual Method
As you already know, all NPM packages have their own licenses, and you can find these licenses inside the package itself in the node_modules directory.
When you go inside node_modules, each package contains a file named LICENSE with the license details. If no LICENSE file is found, the license is probably mentioned inside the README file. These files explicitly state the terms and conditions of the package.
The package.json file inside each package also has a property called license, where the value is the type of the license.
However, going through all the packages manually and checking for licenses is a waste of time. There is a high chance you will miss a license among thousands of NPM modules.
Let’s see how we can do a quick audit of all the NPM licenses without getting into much trouble.
Analyzing Licenses in One Go
To analyze all the Node package licenses in a project, I will be using the license-checker module, which is another package available in NPM.
Let’s start by installing the license-checker globally to use it in any project environment.
npm install -g license-checker
Now we will use license-checker to list all the licenses used by our Node project. Run the following command from the project directory to start analyzing the licenses.
license-checker
This command will give a list of libraries with licenses and their details such as license type, link to package repo, publisher’s name, email, path to the package, and path to the package license.
When you run the above command, license-checker first goes through each module in the node_modules directory and looks inside its package.json to identify the license.
If no license is declared there, the files named LICENSE, LICENCE, COPYING, and README are checked instead. If a license is deduced from one of those files, an asterisk (*) is appended to the license type to show that the license name is guessed rather than declared.
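The lookup order described above, as an added example written for this article (not code from license-checker itself): it reads the package.json license field first, then falls back to the license and README files and marks the result as guessed, and it also produces the per-license counts a summary would show. The package tree is constructed in memory so the script runs offline; the guess patterns are a simplified assumption.

```javascript
// Added example, not from the article or the license-checker project.
// Files consulted when package.json declares no license, in this order.
const LICENSE_FILES = ["LICENSE", "LICENCE", "COPYING", "README", "README.md"];
// Hypothetical, simplified patterns for guessing a license from file text.
const GUESS_PATTERNS = [
  [/MIT License|Permission is hereby granted, free of charge/i, "MIT"],
  [/ISC License|Permission to use, copy, modify, and\/or distribute/i, "ISC"],
  [/Apache License,? Version 2\.0/i, "Apache-2.0"],
  [/Redistribution and use in source and binary forms/i, "BSD"],
];

function guessLicense(text) {
  for (const [re, name] of GUESS_PATTERNS) if (re.test(text)) return name;
  return "UNKNOWN";
}

// pkg is { "package.json": object, "<file name>": "<file text>", ... }
function detectLicense(pkg) {
  const meta = pkg["package.json"] || {};
  // 1. An explicit "license" field (string or { type } object) wins.
  const declared = meta.license && typeof meta.license === "object" ? meta.license.type : meta.license;
  if (declared) return { license: declared, guessed: false };
  // 2. Otherwise fall back to the license/README files and flag the result as guessed.
  for (const f of LICENSE_FILES) {
    if (typeof pkg[f] === "string") return { license: guessLicense(pkg[f]), guessed: true };
  }
  return { license: "UNKNOWN", guessed: true };
}

// tree is { "<package name>": pkg, ... }; returns { "<name>@<version>": "MIT" | "ISC*" | ... }
function scan(tree) {
  const out = {};
  for (const [name, pkg] of Object.entries(tree)) {
    const version = (pkg["package.json"] || {}).version || "0.0.0";
    const { license, guessed } = detectLicense(pkg);
    out[`${name}@${version}`] = guessed ? `${license}*` : license; // "*" = guessed, like license-checker
  }
  return out;
}

// Equivalent of --summary: number of packages per license string.
function summary(results) {
  return Object.values(results).reduce((acc, l) => ((acc[l] = (acc[l] || 0) + 1), acc), {});
}

// Constructed sample node_modules tree (not real packages).
const SAMPLE_TREE = {
  alpha: { "package.json": { version: "1.2.0", license: "MIT" } },
  beta: { "package.json": { version: "0.4.1" }, LICENSE: "ISC License\nPermission to use, copy, modify, and/or distribute ..." },
  gamma: { "package.json": { version: "2.0.0" }, "README.md": "# gamma\nLicensed under the Apache License, Version 2.0" },
  delta: { "package.json": { version: "3.1.4" } },
};
```

Running `scan(SAMPLE_TREE)` yields alpha as a declared MIT license and beta, gamma and delta as guessed entries (ISC*, Apache-2.0*, UNKNOWN*), which is exactly the case the asterisk is meant to flag for manual review.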
You can also use the following command to get a summary of licenses used across any project.
license-checker --summary
Such a summary typically shows that MIT, ISC, BSD, and Apache-2.0 are the most commonly used licenses among open-source NPM packages.
You will also find the following flags useful when used together with the license-checker command.
- --production — Show production dependencies only.
- --development — Show development dependencies only.
- --unknown — Output guessed licenses as UNKNOWN.
- --onlyunknown — List packages with guessed licenses only.
Apart from that, you can get the number of licenses used in your project with the license-checker | grep -c 'licenses:' command.
You can then compare the number of packages used with that count by running npm ls --parseable | wc -l.
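Counting licenses is a start; what a practitioner usually wants next is to fail the build when a dependency's license is not on an approved list or was only guessed. The following is an added example (not from the article or from license-checker) that consumes the object produced by `license-checker --json`; the field names (licenses, repository, path, licenseFile) follow that format, while the allow-list and the sample report are constructed for this illustration.

```javascript
// Added example, not part of the article. Licenses a team has approved (assumption).
const ALLOWED = new Set(["MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"]);

// Constructed sample shaped like `license-checker --json` output (not real packages).
const SAMPLE_REPORT = {
  "alpha@1.2.0": { licenses: "MIT", repository: "https://example.invalid/alpha", path: "node_modules/alpha", licenseFile: "node_modules/alpha/LICENSE" },
  "beta@0.4.1": { licenses: "ISC*", path: "node_modules/beta", licenseFile: "node_modules/beta/README.md" },
  "gamma@2.0.0": { licenses: "(MIT OR GPL-3.0)", path: "node_modules/gamma" },
  "delta@3.1.4": { licenses: "GPL-3.0", path: "node_modules/delta" },
  "epsilon@1.0.0": { licenses: "UNKNOWN", path: "node_modules/epsilon" },
};

// Split SPDX-style expressions such as "(MIT OR GPL-3.0)" or "MIT AND ISC" into identifiers.
function licenseIds(expr) {
  return expr.replace(/[()]/g, "").split(/\s+(?:OR|AND)\s+/i).map((s) => s.trim());
}

// Returns null when the package passes, otherwise a human-readable reason.
function checkEntry(name, entry) {
  const raw = Array.isArray(entry.licenses) ? entry.licenses.join(" AND ") : String(entry.licenses);
  const guessed = raw.endsWith("*"); // license-checker marks guessed licenses with "*"
  const ids = licenseIds(raw.replace(/\*$/, ""));
  if (ids.includes("UNKNOWN")) return `${name}: license could not be determined`;
  // With OR, one approved option is enough; with AND, every part must be approved.
  const isOr = /\bOR\b/i.test(raw);
  const ok = isOr ? ids.some((id) => ALLOWED.has(id)) : ids.every((id) => ALLOWED.has(id));
  if (!ok) return `${name}: license ${raw} is not on the allow-list`;
  if (guessed) return `${name}: license ${raw} was guessed from ${entry.licenseFile || "package files"}, verify manually`;
  return null;
}

// Violations should fail CI; warnings (guessed licenses) should be reviewed by a person.
function audit(report) {
  const violations = [];
  const warnings = [];
  for (const [name, entry] of Object.entries(report)) {
    const reason = checkEntry(name, entry);
    if (!reason) continue;
    (reason.includes("guessed") ? warnings : violations).push(reason);
  }
  return { violations, warnings };
}
```

In a pipeline you would pipe `license-checker --json` into this script and set a non-zero exit code when `audit(...).violations` is non-empty.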
Final Words
NPM provides a vast number of packages to make our development fast and easy. Even though these dependencies are free and editable, they have licenses bound to them that protect them in different ways. These licenses also state the terms, conditions, and warranties applicable to a specific package.
However, one of the biggest challenges is analyzing the licenses of hundreds of packages or dependencies used in a project. For this, I have used a package named license-checker.
Although there are several other similar packages, such as legally and npm-license-crawler, they are not as popular as license-checker.
The license-checker provides a comprehensive breakdown of license details of every NPM package used. Therefore, we don’t need to go through the packages manually to check for the license details.
So, don’t wait anymore; check the licenses of your project dependencies today by following the steps mentioned in the article.
Thank you for reading.
Learn More
- Understanding the Common Licensing Models in Open Source Projects
- How to Keep NPM Library Versions Up to Date
- JavaScript Dependencies: Everything You Ever Wanted to Know But Were Afraid to Ask
How I Analyzed All NPM Dependency Licenses in One Go was originally published in Bits and Pieces on Medium, where people are continuing the conversation by highlighting and responding to this story.
Dulanka Karunasena | Sciencx (2021-03-31T19:28:08+00:00) How I Analyzed All NPM Dependency Licenses in One Go. Retrieved from https://www.scien.cx/2021/03/31/how-i-analyzed-all-npm-dependency-licenses-in-one-go/