TL;DR: There are different ways of achieving the same result. As a reader pointed out, the fastest and easiest way (thanks to npx, which npm gained after I wrote this post) is:
npx license-checker --summary
If you are curious what else I'm into, I'm trying to write more again here: https://ferit.dev/
Developing software, especially with JavaScript, is super easy to start with thanks to npm and how quickly packages can be installed. Prompted by the EU GDPR and some internal discussions, I was curious which licenses I'm using and whether any of them conflict with my own project's MIT license. Here is my step-by-step guide on how you can
a) check how many packages you have in your node_modules folder, and
b) find out which unique licenses you're using and whether there are conflicts.
I'm using an example project built mainly with Preact (via Preact-CLI). There is also an awesome tool, license-checker, which already does all the major analysis for us. Therefore, first of all, I recommend installing license-checker globally:
npm i -g license-checker
How many packages are we using?
First of all, I want to see how many packages I have in my node_modules folder. For this I'm writing everything license-checker finds in node_modules to a file in my project folder:
license-checker > licenses.txt
There are different ways to check how many libraries/node modules we are using (directly or transitively); in this case we can just use grep:
grep 'licenses:' licenses.txt | wc -l
Thanks to the power of the Unix terminal (in this case on Mac OS X) we can use grep to pick every line containing a specific string out of a text file, and then use the pipe operator | to send that output to the wc (word count) command. With the -l argument we only count the lines grep produced. Since license-checker prints exactly one `licenses:` line per package@version entry, this is the number of entries in node_modules; note that the same package installed at several versions is counted once per version, and that by default license-checker scans devDependencies as well (use `license-checker --production` to restrict the scan to runtime dependencies). In my case the output showed me 1271 packages.
How do we get all unique licenses?
As we are now familiar with grep and the pipe operator, it is handy to use them for building the set of unique licenses we are using as well:
grep 'licenses:' licenses.txt | sort -u
With the sort command we can easily sort the lines of a text file; with the -u argument we receive only the unique lines. The result is a sorted list of the distinct `licenses:` lines, one per line.
In my case this gives a list of 25 unique entries. As you can already see, some of them are genuinely different licenses, while others are the same license written differently, such as `Apache-2.0` and `Apache License, Version 2.0`. (A trailing `*`, for example `MIT*`, means license-checker guessed the license from the package's license file because package.json did not declare one; such entries should be double-checked.)
Based on that list we can check whether our own project, which is licensed under MIT, depends on libraries whose licenses are not compatible with it.
As developers, we often use libraries without taking a deeper look at their licenses. With license-checker and essentially one terminal command we can narrow the list down to just a few entries.
Thanks to existing tools there is no excuse for developers not to do at least a basic check of the licenses they consume.
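As an added example (this is not code from the original post or from license-checker itself): the grep/sort pipeline above wrapped in shell functions, with a small alias normalisation that folds `Apache License, Version 2.0` onto `Apache-2.0` and an allowlist check for an MIT-licensed project. So that it runs offline, the input is a constructed sample that mimics license-checker's default tree output; the package names, versions and paths in it are made up. In real use you would pipe `license-checker` (or `cat licenses.txt`) into these functions instead of the sample.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Constructed sample mimicking
# license-checker's default tree output; packages and paths are invented.
set -u

SAMPLE_OUTPUT='├─ alpha@1.0.0
│  ├─ licenses: MIT
│  ├─ repository: https://example.invalid/alpha
│  └─ path: /proj/node_modules/alpha
├─ alpha@1.2.0
│  ├─ licenses: MIT
│  ├─ repository: https://example.invalid/alpha
│  └─ path: /proj/node_modules/beta/node_modules/alpha
├─ beta@2.3.1
│  ├─ licenses: Apache-2.0
│  ├─ repository: https://example.invalid/beta
│  └─ path: /proj/node_modules/beta
├─ gamma@0.9.0
│  ├─ licenses: Apache License, Version 2.0
│  ├─ repository: https://example.invalid/gamma
│  └─ path: /proj/node_modules/gamma
├─ delta@4.0.2
│  ├─ licenses: ISC*
│  ├─ repository: https://example.invalid/delta
│  └─ path: /proj/node_modules/delta
└─ epsilon@1.1.0
   ├─ licenses: GPL-3.0
   ├─ repository: https://example.invalid/epsilon
   └─ path: /proj/node_modules/epsilon'

# Step 1 of the post: one "licenses:" line per package@version entry.
# Note that alpha is counted twice because two versions are installed.
count_packages() {
  grep -c 'licenses:'
}

# Step 2 of the post: the distinct license strings as license-checker prints
# them. The trailing "*" (license guessed from the license file, not from
# package.json) is stripped so it does not produce a bogus extra entry.
raw_licenses() {
  grep 'licenses:' | sed -e 's/^.*licenses: //' -e 's/\*$//' | sort -u
}

# Fold different spellings of the same license onto its SPDX identifier.
# Only aliases present in the sample are mapped; extend the case as needed.
normalize() {
  while IFS= read -r lic; do
    case "$lic" in
      'Apache License, Version 2.0'|'Apache 2.0'|'Apache-2') echo 'Apache-2.0' ;;
      *) echo "$lic" ;;
    esac
  done
}

unique_licenses() {
  raw_licenses | normalize | sort -u
}

# Allowlist for an MIT-licensed project: permissive licenses only (an
# assumption for this example; adjust to your own policy). Every license not
# on the list is printed for human review and the function exits non-zero,
# which makes it usable as a CI gate.
ALLOWED='MIT Apache-2.0 BSD-2-Clause BSD-3-Clause ISC'

unapproved_licenses() {
  found=0
  while IFS= read -r lic; do
    case " $ALLOWED " in
      *" $lic "*) ;;
      *) echo "$lic"; found=1 ;;
    esac
  done
  return "$found"
}

# Demo on the constructed sample. Real use:
#   license-checker | unique_licenses | unapproved_licenses
printf '%s\n' "$SAMPLE_OUTPUT" | count_packages
printf '%s\n' "$SAMPLE_OUTPUT" | unique_licenses
printf '%s\n' "$SAMPLE_OUTPUT" | unique_licenses | unapproved_licenses \
  || echo 'review the licenses listed above'
```

On the sample this counts 6 entries, reduces the 5 distinct license strings to 4 after normalisation, and reports GPL-3.0 as the one license that needs a closer look. license-checker itself also has `--onlyAllow` and `--failOn` options that take a semicolon-separated license list and exit non-zero when something else turns up, but they match the raw strings, so the alias problem shown above still has to be handled in the list you pass them.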
PS: you can do everything with a single command:
license-checker | grep 'licenses:' | sort -u
PPS: `license-checker --summary` creates a similar overview, which might already be enough 😀