Check Licenses

A simple tool to check all the licenses in your dependencies:

• Find all dependencies and their sub-dependencies in your project
• Validate both the package.json and the LICENSE file per dependency
• Only reads dependencies and not devDependencies
• Uses package-lock.json for deterministic resolution
• Handles multiple versions of the same library just fine

Getting started

You can either use npx check-licenses, or install this library globally and then run it at once:

1npm i check-licenses -g
2licenses   # Note how this is just `licenses`
3licenses --list
4licenses --help
5
6# Or use the library straight from npm
7npx check-licenses
8npx check-licenses --list
9npx check-licenses --help
10npx --yes check-licenses   # To avoid being asked to install it, e.g. in a CI

The main command will trigger a license summary:

1$ licenses
2MIT —————————————————— 56
3ISC —————————————————— 7
4CC0-1.0 —————————————— 4
5BSD-2-Clause ————————— 2
6Apache-1.0 ——————————— 2
7Apache-2.0 ——————————— 2
8CC-BY-3.0 ———————————— 1

If you want to dig deeper and see which package uses what license, use the --list flag.

Show the licenses used

The base command is to count how many licenses of each type are in use:

1$ licenses
2MIT —————————————————— 1328
3ISC —————————————————— 113
4CC0-1.0 —————————————— 36
5BSD-3-Clause ————————— 36
6Apache-2.0 ——————————— 5
7BSD-2-Clause ————————— 3
8Zlib ————————————————— 1
9CC-BY-3.0 ———————————— 1
10GPL-2.0 —————————————— 1

List all dependencies

This can be used to find out what each of our dependencies (direct and indirect) is using. It might list multiple licenses in a single package:

1$ licenses --list
2...
3test-exclude@5.2.3 ————————————— ISC
4text-table@0.2.0 ——————————————— MIT
5textarea-caret@3.0.2 ——————————— MIT
6throat@4.1.0 ——————————————————— MIT
7through@2.3.8 —————————————————— Apache-2.0 + MIT
8through2@2.0.5 ————————————————— MIT
9thunky@1.1.0 ——————————————————— MIT
10timers-browserify@2.0.11 ——————— MIT
11...

This list is normally quite long, but it can be easily grep-ed. For example, to find all of the Apache-2.0 licenses:

1$ licenses --list | grep Apache-2.0
2fb-watchman@2.0.1 —————————————— Apache-2.0
3forever-agent@0.6.1 ———————————— Apache-2.0
4formik@2.1.5 ——————————————————— Apache-2.0 + MIT
5harmony-reflect@1.6.1 —————————— Apache-2.0 + MPL-1.1
6human-signals@1.1.1 ———————————— Apache-2.0

If there are multiple licenses in a library it's marked with a +. You can indeed also grep that!

1$ licenses --list | grep +
2...
3are-we-there-yet@1.1.5 ————————— ISC + MIT
4atob@2.1.2 ————————————————————— Apache-2.0 + MIT
5detect-node@2.0.4 —————————————— ISC + MIT
6electron-to-chromium@1.3.534 ——— ISC + MIT
7formik@2.1.5 ——————————————————— Apache-2.0 + MIT
8fs.realpath@1.0.0 —————————————— ISC + MIT
9harmony-reflect@1.6.1 —————————— Apache-2.0 + MPL-1.1
10json-schema@0.2.3 —————————————— AFLv2.1 + BSD
11killable@1.0.1 ————————————————— ISC + MIT
12lodash-es@4.17.15 —————————————— CC0-1.0 + MIT
13lodash.memoize@4.1.2 ——————————— CC0-1.0 + MIT
14...

Finding bad licenses

Let's say you run this tool and find the dependencies, of which you really don't want to follow CC-BY-3.0:

1$ licenses
2DOC —————————————————— 56
3MIT —————————————————— 56
4ISC —————————————————— 7
5CC0-1.0 —————————————— 4
6BSD-2-Clause ————————— 2
7Apache-1.0 ——————————— 2
8Apache-2.0 ——————————— 2
9CC-BY-3.0 ———————————— 1

Then you can also use it to track down which dependencies have this license:

1$ licenses --list | grep CC-BY-3.0
2spdx-exceptions@2.3.0 ——————— CC-BY-3.0

With this information you can either:

• Dig deeper: some times it might be dual-licensed
• Find out where this comes from with npm ls:

1$ npm ls spdx-exceptions
2check-licenses@0.2.0 /home/francisco/check-licenses
3└─┬ meow@8.0.0
4  └─┬ normalize-package-data@3.0.0
5    └─┬ validate-npm-package-license@3.0.4
6      └─┬ spdx-expression-parse@3.0.1
7        └── spdx-exceptions@2.3.0