From now on, you can find on every project's page a summary of the licenses used by the package itself and its dependencies.
Licenses and open-source projects
- Apache 2.0
- And many more…
We are not going to talk about the legal aspects of licenses in this article, but you can find more information about licenses on the TL;DR Legal site.
Last year, there was a lot of discussion about licensing problems when Facebook decided to change the license of some of its most popular projects on GitHub.
In a "corporate" environment, it's important to consider the licenses that apply to the products used to build software.
However, it's not easy to check the license that applies to a given project: not only can the information be stored in different places across the codebase (README.md, licence.txt, package.json), but you also have to consider all the dependencies of a given package.
For every project tracked, we scanned not only the source code but also all the dependencies pulled in by the package (the direct dependencies, the dependencies of the dependencies, and so on!).
And "all dependencies" can mean a lot of packages! (See the Create React App example further down.)
You will find a complete summary of the number of licenses found in the code, sorted by type of license: MIT, ISC, Apache 2.0…
Example number 1: React
Let's check the "All Licenses" section on the React project page:
This is a pretty simple example. React has 4 direct dependencies. One of these dependencies has a sub-dependency. All 6 packages have the same license: MIT.
Example number 2: Express
Here is how the licenses for Express (the most popular Node.js framework) are displayed:
The project has 30 direct dependencies but taking into account the sub-dependencies leads to a total of 50 packages.
All but 4 packages are MIT licensed; 2 other licenses were found during the analysis: ISC and BSD 3-Clause.
Example number 3: react-scripts
These 2 examples were simple compared to some of the biggest packages we scanned.
For example, the `react-scripts` package, used by the Create React App project, has 22 different licenses, found in more than 1260 different packages!
How we did it
We used a Node.js tool called Legally, created by Francisco Presencia, to scan all the licenses. Given a package name, Legally runs the installation process in a temporary folder, checks the licenses for all the packages installed on the disk, and generates a report that shows all the licenses found.
We automatically run the scanning process a few hours after a package has been updated in the npm registry, to show users information that is as up-to-date as possible.
We need your feedback!
Reach us on GitHub, thank you for your feedback!