Installations

npm install spdx-expression-parse

Developer Guide

BETA

Typescript

❌ No

Module System

N/A

Node Version

20.9.0

NPM Version

10.1.0 Score

99.2

Supply Chain

99.5

Quality

78

Maintenance

100

Vulnerability

100

License

Pull Requests

Open

4

Total

19

Closed

3

Merged

12

Issues

Open

4

Total

15

Closed

11

Releases

Unable to fetch releases

Developer

jslicense

Statistics

43 Stars

169 Commits

23 Forks

10 Watching

6 Branches

10 Contributors

Updated on 07 Sept 2024

Bundle Size

13.11 kB

Minified

4.94 kB

Minified + Gzipped

Bundlephobia

Languages

JavaScript (100%)

Total Downloads

Cumulative downloads

Total Downloads

5,929,919,780

Last day

-7.2%

5,910,650

Compared to previous day

Last week

-16.8%

29,490,990

Compared to previous week

Last month

26.7%

139,301,747

Compared to previous month

Last year

13.4%

1,309,173,407

Compared to previous year

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

2

spdx-exceptions spdx-license-ids

Dev Dependencies

3

defence-cli replace-require-self standard

Versions

This package parses SPDX license expression strings describing license terms, like package.json license strings, into consistently structured ECMAScript objects. The npm command-line interface depends on this package, as do many automatic license-audit tools.

In a nutshell:

1var parse = require('spdx-expression-parse')
2var assert = require('assert')
3
4assert.deepEqual(
5  // Licensed under the terms of the Two-Clause BSD License.
6  parse('BSD-2-Clause'),
7  {license: 'BSD-2-Clause'}
8)
9
10assert.throws(function () {
11  // An invalid SPDX license expression.
12  // Should be `Apache-2.0`.
13  parse('Apache 2')
14})
15
16assert.deepEqual(
17  // Dual licensed under either:
18  // - LGPL 2.1
19  // - a combination of Three-Clause BSD and MIT
20  parse('(LGPL-2.1 OR BSD-3-Clause AND MIT)'),
21  {
22    left: {license: 'LGPL-2.1'},
23    conjunction: 'or',
24    right: {
25      left: {license: 'BSD-3-Clause'},
26      conjunction: 'and',
27      right: {license: 'MIT'}
28    }
29  }
30)

The syntax comes from the Software Package Data eXchange (SPDX), a standard from the Linux Foundation for shareable data about software package license terms. SPDX aims to make sharing and auditing license data easy, especially for users of open-source software.

The bulk of the SPDX standard describes syntax and semantics of XML metadata files. This package implements two lightweight, plain-text components of that larger standard:

The license list, a mapping from specific string identifiers, like Apache-2.0, to standard form license texts and bolt-on license exceptions. The spdx-license-ids and spdx-exceptions packages implement the license list. spdx-expression-parse depends on and require()s them.

Any license identifier from the license list is a valid license expression:

1var identifiers = []
2  .concat(require('spdx-license-ids'))
3  .concat(require('spdx-license-ids/deprecated'))
4  .filter(function (id) { return id[id.length - 1] !== '+' })
5
6identifiers.forEach(function (id) {
7  assert.deepEqual(parse(id), {license: id})
8})

So is any license identifier WITH a standardized license exception:

1identifiers.forEach(function (id) {
2  require('spdx-exceptions').forEach(function (e) {
3    assert.deepEqual(
4      parse(id + ' WITH ' + e),
5      {license: id, exception: e}
6    )
7  })
8})

The license expression language, for describing simple and complex license terms, like MIT for MIT-licensed and (GPL-2.0 OR Apache-2.0) for dual-licensing under GPL 2.0 and Apache 2.0. spdx-expression-parse itself implements license expression language, exporting a parser.

1assert.deepEqual(
2  // Licensed under a combination of:
3  // - the MIT License AND
4  // - a combination of:
5  //   - LGPL 2.1 (or a later version) AND
6  //   - Three-Clause BSD
7  parse('(MIT AND (LGPL-2.1+ AND BSD-3-Clause))'),
8  {
9    left: {license: 'MIT'},
10    conjunction: 'and',
11    right: {
12      left: {license: 'LGPL-2.1', plus: true},
13      conjunction: 'and',
14      right: {license: 'BSD-3-Clause'}
15    }
16  }
17)

This package differs slightly from the SPDX standard in allowing lower- and mixed-case AND, OR, and WITH operators:

1assert.deepEqual(
2  parse('MIT or BSD-2-Clause'),
3  { left: { license: 'MIT' }, conjunction: 'or', right: { license: 'BSD-2-Clause' } }
4)
5assert.deepEqual(
6  parse('GPL-2.0 with GCC-exception-2.0'),
7  { license: 'GPL-2.0', exception: 'GCC-exception-2.0' }
8)

The Linux Foundation and its contributors license the SPDX standard under the terms of the Creative Commons Attribution License 3.0 Unported (SPDX: "CC-BY-3.0"). "SPDX" is a United States federally registered trademark of the Linux Foundation. The authors of this package license their work under the terms of the MIT License.

No vulnerabilities found.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

10

License

Determines if the project has defined a license.

0

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

0

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

0

Maintained

Determines if the project is "actively maintained".

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Security-Policy

Determines if the project has published a security policy.

0

Fuzzing

Determines if the project uses fuzzing.

0

Branch-Protection

Determines if the default and release branches are protected with GitHub's branch protection settings.

0

SAST

Determines if the project uses static code analysis.

Score

3.4

/10

Last Scanned on 2024-11-25

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More

spdx-expression-parse

Installations

Developer Guide

❌ No

N/A

20.9.0

10.1.0

Score

Pull Requests

:host{display:inline-block;direction:ltr;white-space:nowrap;line-height:var(--number-flow-char-height, 1em) !important}span{display:inline-block}:host([data-will-change]) span{will-change:transform}.number,.digit{padding:calc(var(--number-flow-mask-height, 0.25em) / 2) 0}.symbol{white-space:pre}44

:host{display:inline-block;direction:ltr;white-space:nowrap;line-height:var(--number-flow-char-height, 1em) !important}span{display:inline-block}:host([data-will-change]) span{will-change:transform}.number,.digit{padding:calc(var(--number-flow-mask-height, 0.25em) / 2) 0}.symbol{white-space:pre}33

Issues

:host{display:inline-block;direction:ltr;white-space:nowrap;line-height:var(--number-flow-char-height, 1em) !important}span{display:inline-block}:host([data-will-change]) span{will-change:transform}.number,.digit{padding:calc(var(--number-flow-mask-height, 0.25em) / 2) 0}.symbol{white-space:pre}44

Releases

Unable to fetch releases

Developer

Statistics

Bundle Size

13.11 kB

4.94 kB

Languages

Total Downloads

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

Dev Dependencies

10

10

10

10

0

0

0

0

0

0

0

0

0

3.4

/10

4

3

4