Easily check licenses of your npm dependencies in your CI pipeline

Harmandeep Sran (Harman)
2 min read · Feb 7, 2020

How can we automatically check the licenses in our dependency tree and increase our confidence when we add new dependencies to our project?

Every one of your npm dependencies has a license (e.g. MIT, Apache, or a proprietary license). Further, each of their dependencies have their own licenses (and so on).

Presumably, a dependency with a free-software license shouldn’t depend on something with a proprietary license. But it would be great to automatically check every license in your dependency graph.

The Setup

What I’d like to have is a list of white-listed licenses — that everything in my dependency tree complies with (let’s call this file licenses_whitelist.txt), e.g.:

MIT
ISC
BSD*
Apache-2.0

I may have purchased proprietary licenses for some of my npm dependencies — I want to exclude them from being checked (let’s call this file packages_exclusionlist.txt), e.g.:

@some-company/some-package@0.0.1
@some-company/another-package@0.0.1

I want to run a single command in my CI pipeline that consumes the above two lists, my package.json and package-lock.json — and only passes if there are no license violations.

The Solution

To do this I leveraged a wonderful npm package called license-checker.

My lists above translate into two of its arguments:

The white-listed licenses need to be passed into --onlyAllow as a semicolon delimited string.

And the excluded packages need to be passed into --excludePackages as a semicolon delimited string.

Then, all that’s left to do is write a short script to convert our readable lists into arguments to license-checker and call it in our pipeline.

For this, I wrote a simple bash script:

# Join each list into a semicolon-delimited string; the quotes keep the shell
# from glob-expanding entries such as BSD* against files in the working directory.
npx license-checker \
  --onlyAllow "$(paste -sd ';' licenses_whitelist.txt)" \
  --excludePackages "$(paste -sd ';' packages_exclusionlist.txt)"

This line can now be inserted into my CI pipeline as a script step. When a dependency is added or updated, this step will ensure all the packages we depend on comply with our white-list above!

Other Considerations

Dev Dependencies?

It may be valuable for you to split the license check into one for your ‘dependencies’ and one for your ‘devDependencies’ — perhaps with different white-lists and exclusion-lists for each.

To do this, you can have two copies of the above step and pass --production for ‘dependencies’, and --development for ‘devDependencies’.

Further Reading

There’s a lot more analysis and auditing you can do on the licenses of your dependencies — check some of them out in this article by Ferit T.

There are a lot of software licenses out there — if you come across one you’re unsure about, try searching for it on the Open Source Initiative website.
