Checking the licenses of 1200 JavaScript packages

Michael Rambeau
Oct 8, 2018


We checked the licenses used by the 1200 NPM packages tracked by Best of JavaScript, taking into account the deep tree of dependencies.

Best of JavaScript is a curated list of the most popular open-source projects related to the web platform and Node.js, updated every day with data from GitHub.

From now on, every project page shows a summary of the licenses used by the package itself and by its dependencies.

Licenses and open-source projects

All the projects tracked in Best of JavaScript are available on GitHub and are open-source. However, these projects are licensed in several different ways:

  • MIT
  • ISC
  • Apache 2.0
  • And many more…

We are not going to talk about the legal aspects of licenses in this article, but you can find more information about licenses on the TL;DR Legal site.

Last year, there was a lot of discussion about licensing problems when Facebook decided to change the license used by some of their most popular projects on GitHub.

In a “corporate” environment, it’s important to consider the licenses that apply to the products used to build software.

However, it’s not easy to check which license applies to a given project: not only can the information be stored in different places across the codebase (README.md, licence.txt, package.json), but you also have to consider all the dependencies of the package.

That’s why we thought it could be useful to provide information about the licenses of the projects we track in Best of JavaScript.

Displaying licenses in Best of JavaScript

For every project tracked, we scanned not only the source code but also all the dependencies included by the package (the direct dependencies, the dependencies of the dependencies, and so on!).

And “all dependencies” can mean a lot of packages! (See the Create React App example further down.)

Now we display data about licenses for all NPM packages tracked in Best of JavaScript, under a new section called “All Licenses”.

You will find a complete summary of the number of licenses found in the code, sorted by type of license: MIT, ISC, Apache 2.0…

Example number 1: React

Let’s check the “All Licenses” section from the React project page:

This is a pretty simple example. React has 4 direct dependencies. One of these dependencies has a sub-dependency. All 6 packages have the same license: MIT.

Example number 2: Express

Here is how the licenses for Express (the most popular Node.js framework) are displayed:

The project has 30 direct dependencies, but taking the sub-dependencies into account leads to a total of 50 packages.

All but 4 packages are MIT licensed; 2 other licenses were found during the analysis: ISC and BSD 3-Clause.

Example number 3: react-scripts

These 2 examples were simple compared to some of the biggest packages we scanned.

For example, the `react-scripts` package, used by the Create React App project, has 22 different licenses, found across more than 1260 different packages!

How we did it

We track more than 1200 NPM packages in Best of JavaScript, used for front-end and back-end development: libraries, frameworks, testing tools…

We used a Node.js tool called Legally, created by Francisco Presencia, to scan all the licenses. Given a package name, Legally runs the installation process in a temporary folder, checks the licenses for all the packages installed on the disk, and generates a report that shows all the licenses found.

We run the scanning process automatically a few hours after a package has been updated in the NPM registry, so that the information shown to users is as up to date as possible.

We need your feedback!

Check the licenses of your favourite project on Best of JavaScript and let us know what you think of this new feature.

Reach us on GitHub. Thank you for your feedback!
