Gathering detailed insights and metrics for js-green-licenses
npm install js-green-licenses
Repository: 178 Stars, 174 Commits, 27 Forks, 4 Watching, 22 Branches, 12 Contributors. Updated on 30 Oct 2024.
Languages: TypeScript (94.86%), JavaScript (5.14%).
Cumulative downloads (total downloads per period, with the change compared to the previous period of the same length):

  Period       Downloads   Change vs. previous period
  Last day           727   -9.8%
  Last week        7,229   +39.6%
  Last month      25,262   -21.9%
  Last year      390,256   +6.9%
This is not an official Google product.
This is a tool for checking the license of JavaScript projects. It scans the package.json file to check its license and recursively checks all of its dependencies.
DISCLAIMER: This tool is NOT a replacement for legal advice or due diligence for your project's license validity. We recommend you consult a lawyer if you want legal advice.
npm install [--save-dev] js-green-licenses
If you want to install globally,
npm install -g js-green-licenses
usage: jsgl [-h] [-v] [--local <directory>] [--pr <github PR>]
[--dev] [--verbose] [<package or package@version>]
License checker for npm modules
Positional arguments:
<package or package@version>
Package name to check license for. Can include
version spec after @. E.g. foo@^1.2.3. Otherwise
latest.
Optional arguments:
-h, --help Show this help message and exit.
-v, --version Show program's version number and exit.
--local <directory>, -l <directory>
Check a local directory instead of public npm.
--pr <github PR> Check a github pull request. Must be
<owner>/<repo>/pull/<id>
--dev Also check devDependencies.
--verbose Verbose error outputs.
This tool checks licenses for 1) an already published npm package, 2) a local
directory, or 3) a GitHub pull request. For checking an npm package, you can
just pass the package name (optionally together with the version) as the
argument. To check a local directory, you should pass the --local path/to/repo
argument. To check for a GitHub PR, you should pass the --pr <owner>/<repo>/pull/<id>
argument.
If the tool finds any non-green licenses in the given package or in its dependencies, they will be printed out together with the detailed information.
If you pass --dev, the devDependencies will be checked as well as the dependencies.
jsgl also checks sub-packages for the --local and --pr flags when it detects that the repository is a monorepo. It assumes a certain directory structure for detecting whether a repository is a monorepo: the top-level directory should have a packages directory in it, and sub-packages must exist under that directory. In that case, all the package.json files are found from the sub-packages and jsgl checks all of them.
For example, when a directory foo is laid out like this:
foo
|
+-- packages
| |
| +-- bar
| | |
| | +-- package.json
| | |
| | +-- ...
| |
| +-- baz
| |
| +-- package.json
| |
| +-- ...
|
+-- package.json
|
+-- ...
jsgl checks all of foo/package.json, foo/packages/bar/package.json, and foo/packages/baz/package.json.
You can customize how jsgl works with a configuration file named js-green-licenses.json. For example, you can specify the license list that you would like to consider green. The license IDs must be listed in the greenLicenses section of the configuration file; in that case, jsgl will use that custom list instead of its default list.
The default green license list is:
const DEFAULT_GREEN_LICENSES = [
  '0BSD', 'AFL-2.1', 'AFL-3.0', 'APSL-2.0', 'Apache-1.1',
  'Apache-2.0', 'Artistic-1.0', 'Artistic-2.0', 'BSD-2-Clause', 'BSD-3-Clause',
  'BSL-1.0', 'CC-BY-1.0', 'CC-BY-2.0', 'CC-BY-2.5', 'CC-BY-3.0',
  'CC-BY-4.0', 'CC0-1.0', 'CDDL-1.0', 'CDDL-1.1', 'CPL-1.0',
  'EPL-1.0', 'FTL', 'IPL-1.0', 'ISC', 'LGPL-2.0',
  'LGPL-2.1', 'LGPL-3.0', 'LPL-1.02', 'MIT', 'MPL-1.0',
  'MPL-1.1', 'MPL-2.0', 'MS-PL', 'NCSA', 'OpenSSL',
  'PHP-3.0', 'Ruby', 'Unlicense', 'W3C', 'Xnet',
  'ZPL-2.0', 'Zend-2.0', 'Zlib', 'libtiff',
];
You can also allowlist some npm packages so that they are considered "green" even when they have non-green licenses or no license at all. This is useful when jsgl is unable to verify the validity of a certain package's license for some reason. For example, when a package doesn't specify its license in its package.json but has a separate LICENSE file, jsgl can't verify it. You can allowlist that package so that jsgl does not complain about it.
A typical configuration file looks like this:
{
  "greenLicenses": [
    // Custom green licenses.
    "Apache-2.0",
    "MIT",
    "BSD-3-Clause",
    ...
  ],
  "packageAllowlist": [
    /* packages considered ok */
    "foo",
    "bar", // inline comment
    "package-with-no-license",
    "package-with-okish-license",
    ...
  ]
}
The greenLicenses section is for the custom license list and the packageAllowlist section is for the package allowlist. Note that comments are allowed in js-green-licenses.json.
The configuration file must be located in the top-level directory of the repository for --local and --pr. When checking remote npm packages, jsgl tries to locate the configuration file in the current local directory from which jsgl is invoked.

It is desirable that the license names in the greenLicenses section be valid license IDs defined in https://spdx.org/licenses/ whenever possible.
You can use js-green-licenses as a library as well as a command-line utility. Usually the LicenseChecker class is the only one you would have to use.
const { LicenseChecker } = require('js-green-licenses');

const opts = {
  dev: false,
  verbose: true,
};
const checker = new LicenseChecker(opts);
Both the dev and verbose fields are optional and default to false. When dev is true, the devDependencies section is checked as well as the dependencies section of package.json. When verbose is true, jsgl generates more verbose output.
const gulp = require('gulp');
const jsgl = require('js-green-licenses');

gulp.task('check_licenses', function() {
  const checker = new jsgl.LicenseChecker({
    dev: true,
    verbose: false,
  });
  // Use the same event handlers as the CLI (prints non-green licenses, etc.).
  checker.setDefaultHandlers();
  return checker.checkLocalDirectory('.');
});
LicenseChecker#setDefaultHandlers()
setDefaultHandlers(): void;
Sets the default event handlers that are used by the CLI. For the events emitted by LicenseChecker, see the Events subsection.
LicenseChecker#checkLocalDirectory()
checkLocalDirectory(directory: string): Promise<void>;
This provides the functionality of the CLI when the --local flag is passed. It finds and checks the package.json file in the directory and recursively checks its dependencies. This method also detects monorepos and checks sub-packages as well, as explained in the CLI section above.

This method reads in the configuration from the js-green-licenses.json file in the directory, if it exists.
LicenseChecker#checkRemotePackage()
checkRemotePackage(pkg: string): Promise<void>;
This provides the functionality of the CLI when neither --local nor --pr is passed. It retrieves and checks the package.json for the remote npm package and recursively checks its dependencies.

This method reads in the configuration from the js-green-licenses.json file in the current directory of the Node.js process.
LicenseChecker#checkGitHubPR()
checkGitHubPR(repo: GitHubRepository, mergeCommitSha: string): Promise<void>;
This provides the functionality of the CLI when the --pr flag is passed. It retrieves the package.json file from the GitHub repository at the given commit SHA, checks its license and recursively checks its dependencies. This method also detects monorepos and checks sub-packages as well, as explained in the CLI section above.

This method reads in the configuration from the js-green-licenses.json file in the repository, if it exists.

GitHubRepository is a helper class for interacting with the GitHub API. You can create an instance of it by calling LicenseChecker#prPathToGitHubRepoAndId().
LicenseChecker#prPathToGitHubRepoAndId()
prPathToGitHubRepoAndId(prPath: string): {
  repo: GitHubRepository;
  prId: string;
};
prPath must be in the form <owner>/<repo>/pull/<id>. This method returns the GitHubRepository instance and the PR id for the prPath.
A LicenseChecker object emits the following events during its processing.
non-green-license
Emitted when a package with a non-green license is detected. The argument is
interface NonGreenLicense {
  packageName: string;
  version: string;
  licenseName: string|null;
  parentPackages: string[];
}
package.json
Emitted for each package.json file being checked. This is emitted only when checking local repositories or GitHub repositories, not when checking remote packages. The argument is the file path string of the corresponding package.json file.
end
Emitted when the processing is done. No argument is given.
error
Emitted when an error occurs while processing. The argument is
interface CheckError {
  err: Error;
  packageName: string;
  versionSpec: string;
  parentPackages: string[];
}
No vulnerabilities found.

OpenSSF Scorecard results (last scanned on 2024-11-18):
- no dangerous workflow patterns detected
- no binaries found in the repo
- license file detected
- security policy file detected
- Found 15/21 approved changesets -- score normalized to 7
- 7 existing vulnerabilities detected
- dependency not pinned by hash detected -- score normalized to 2
- 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
- detected GitHub workflow tokens with excessive permissions
- no effort to earn an OpenSSF best practices badge detected
- project is not fuzzed
- SAST tool is not run on all commits -- score normalized to 0

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.