Gathering detailed insights and metrics for spdx-expression-parse
npm install spdx-expression-parse
JavaScript (100%)
Total Downloads: 6,923,645,312
Last Day: 2,382,191 (-9.8% compared to previous day)
Last Week: 40,028,152 (10.2% compared to previous week)
Last Month: 172,167,310 (10.8% compared to previous month)
Last Year: 1,520,735,686 (24.1% compared to previous year)
MIT License
45 Stars
169 Commits
24 Forks
9 Watchers
6 Branches
10 Contributors
Updated on Aug 18, 2025
Latest Version: 4.0.0
Package Id: spdx-expression-parse@4.0.0
Unpacked Size: 12.05 kB
Size: 4.46 kB
File Count: 7
NPM Version: 10.1.0
Node Version: 20.9.0
Published on: Nov 21, 2023
This package parses SPDX license expression strings describing license terms, like package.json license strings, into consistently structured ECMAScript objects. The npm command-line interface depends on this package, as do many automatic license-audit tools.
In a nutshell:
```javascript
var parse = require('spdx-expression-parse')
var assert = require('assert')

assert.deepEqual(
  // Licensed under the terms of the Two-Clause BSD License.
  parse('BSD-2-Clause'),
  {license: 'BSD-2-Clause'}
)

assert.throws(function () {
  // An invalid SPDX license expression.
  // Should be `Apache-2.0`.
  parse('Apache 2')
})

assert.deepEqual(
  // Dual licensed under either:
  // - LGPL 2.1
  // - a combination of Three-Clause BSD and MIT
  parse('(LGPL-2.1 OR BSD-3-Clause AND MIT)'),
  {
    left: {license: 'LGPL-2.1'},
    conjunction: 'or',
    right: {
      left: {license: 'BSD-3-Clause'},
      conjunction: 'and',
      right: {license: 'MIT'}
    }
  }
)
```
The syntax comes from the Software Package Data eXchange (SPDX), a standard from the Linux Foundation for shareable data about software package license terms. SPDX aims to make sharing and auditing license data easy, especially for users of open-source software.
The bulk of the SPDX standard describes syntax and semantics of XML metadata files. This package implements two lightweight, plain-text components of that larger standard:
The license list, a mapping from specific string identifiers, like Apache-2.0, to standard form license texts and bolt-on license exceptions. The spdx-license-ids and spdx-exceptions packages implement the license list. spdx-expression-parse depends on and require()s them.
Any license identifier from the license list is a valid license expression:
```javascript
var identifiers = []
  .concat(require('spdx-license-ids'))
  .concat(require('spdx-license-ids/deprecated'))
  .filter(function (id) { return id[id.length - 1] !== '+' })

identifiers.forEach(function (id) {
  assert.deepEqual(parse(id), {license: id})
})
```
So is any license identifier WITH a standardized license exception:
```javascript
identifiers.forEach(function (id) {
  require('spdx-exceptions').forEach(function (e) {
    assert.deepEqual(
      parse(id + ' WITH ' + e),
      {license: id, exception: e}
    )
  })
})
```
The license expression language, for describing simple and complex license terms, like MIT for MIT-licensed and (GPL-2.0 OR Apache-2.0) for dual-licensing under GPL 2.0 and Apache 2.0. spdx-expression-parse itself implements the license expression language, exporting a parser.
```javascript
assert.deepEqual(
  // Licensed under a combination of:
  // - the MIT License AND
  // - a combination of:
  //   - LGPL 2.1 (or a later version) AND
  //   - Three-Clause BSD
  parse('(MIT AND (LGPL-2.1+ AND BSD-3-Clause))'),
  {
    left: {license: 'MIT'},
    conjunction: 'and',
    right: {
      left: {license: 'LGPL-2.1', plus: true},
      conjunction: 'and',
      right: {license: 'BSD-3-Clause'}
    }
  }
)
```
This package differs slightly from the SPDX standard in allowing lower- and mixed-case AND, OR, and WITH operators:
```javascript
assert.deepEqual(
  parse('MIT or BSD-2-Clause'),
  { left: { license: 'MIT' }, conjunction: 'or', right: { license: 'BSD-2-Clause' } }
)
assert.deepEqual(
  parse('GPL-2.0 with GCC-exception-2.0'),
  { license: 'GPL-2.0', exception: 'GCC-exception-2.0' }
)
```
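A license-audit check over the object shape that parse() returns in the examples above, as an added example that is not part of this package or its README. The names isAcceptable, leaves and ALLOWED, the allowlist contents, and the policy rules (a WITH exception must be allowlisted as an exact pair; anything unrecognized is rejected) are assumptions for illustration.

```javascript
// Added example. Sample ASTs are copied from the parse() results shown above;
// ALLOWED and the policy rules are assumptions for illustration.
const ALLOWED = new Set(['MIT', 'BSD-2-Clause', 'BSD-3-Clause'])

// True when the terms can be met using only allowlisted licenses.
function isAcceptable (node, allowed) {
  if (node === null || typeof node !== 'object') return false
  if ('conjunction' in node) {
    const left = isAcceptable(node.left, allowed)
    const right = isAcceptable(node.right, allowed)
    if (node.conjunction === 'or') return left || right // licensee picks a side
    if (node.conjunction === 'and') return left && right // both sides apply
    return false // unknown operator: fail closed
  }
  if (typeof node.license !== 'string') return false // unknown shape: fail closed
  // Assumed policy: a WITH exception must be allowlisted as an exact pair.
  if (node.exception) return allowed.has(node.license + ' WITH ' + node.exception)
  // `plus: true` means "this version or later", so the named version suffices.
  return allowed.has(node.license)
}

// Lists every leaf license identifier, for the audit record.
function leaves (node) {
  if (node === null || typeof node !== 'object') return []
  if ('conjunction' in node) return leaves(node.left).concat(leaves(node.right))
  return typeof node.license === 'string' ? [node.license] : []
}

const dual = { // parse('(LGPL-2.1 OR BSD-3-Clause AND MIT)')
  left: {license: 'LGPL-2.1'},
  conjunction: 'or',
  right: {left: {license: 'BSD-3-Clause'}, conjunction: 'and', right: {license: 'MIT'}}
}
const combined = { // parse('(MIT AND (LGPL-2.1+ AND BSD-3-Clause))')
  left: {license: 'MIT'},
  conjunction: 'and',
  right: {left: {license: 'LGPL-2.1', plus: true}, conjunction: 'and', right: {license: 'BSD-3-Clause'}}
}
const withException = {license: 'GPL-2.0', exception: 'GCC-exception-2.0'}

for (const ast of [dual, combined, withException]) {
  console.log(leaves(ast).join(', '), '->', isAcceptable(ast, ALLOWED) ? 'accept' : 'reject')
}
```

Because the parser accepts lower- and mixed-case operators but emits lower-case conjunction values, the check compares against 'or' and 'and' only.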
The Linux Foundation and its contributors license the SPDX standard under the terms of the Creative Commons Attribution License 3.0 Unported (SPDX: "CC-BY-3.0"). "SPDX" is a United States federally registered trademark of the Linux Foundation. The authors of this package license their work under the terms of the MIT License.
No vulnerabilities found.