Gathering detailed insights and metrics for spdx-license-list
Gathering detailed insights and metrics for spdx-license-list
Installations
npm install spdx-license-listDeveloper Guide
BETA
Typescript
Yes
Module System
N/A
Min. Node Version
>=8
Node Version
23.6.1
NPM Version
10.9.2
Score
99.8
Supply Chain
92.9
Quality
76.8
Maintenance
100
Vulnerability
74.9
License
Releases
13
Languages
2
JavaScript
TypeScript
JavaScript (82.73%)
TypeScript (17.27%)
Developer
sindresorhus
Download Statistics
Total Downloads
41,831,498
Last Day
18,380
Last Week
348,190
Last Month
1,594,541
Last Year
14,772,889
GitHub Statistics
CC0-1.0 License
91 Stars
66 Commits
16 Forks
8 Watchers
1 Branches
10 Contributors
Updated on Jun 24, 2025
Bundle Size
98.27 kB
Minified
22.53 kB
Minified + Gzipped
Sponsor this package
Maintainers
1
Package Meta Information
Latest Version
6.10.0
Package Id
spdx-license-list@6.10.0
Unpacked Size
9.73 MB
Size
2.36 MB
File Count
693
NPM Version
10.9.2
Node Version
23.6.1
Published on
Apr 04, 2025
Total Downloads
Cumulative downloads
Total Downloads
41,831,498
spdx-license-list
List of SPDX licenses
The lists of licenses are just JSON files and can be used anywhere.
- spdx.json contains just license metadata
- spdx-full.json includes the license text too
- spdx-simple.json only contains the license IDs
Using SPDX License List version 3.26.0 (2024-12-30)
Install
1npm install spdx-license-list
Usage
1const spdxLicenseList = require('spdx-license-list'); 2 3console.log(spdxLicenseList.MIT); 4/* 5{ 6 name: 'MIT License', 7 url: 'http://www.opensource.org/licenses/MIT', 8 osiApproved: true 9} 10*/
1const mitLicense = require('spdx-license-list/licenses/MIT'); 2 3console.log(mitLicense.licenseText); 4//=> 'MIT License\r\n\r\nCopyright (c) <year> <copyright holders> …'
You can also get a version with the licence text included:
1const spdxLicenseList = require('spdx-license-list/full'); 2 3console.log(spdxLicenseList.MIT); 4/* 5{ 6 name: 'MIT License', 7 url: 'http://www.opensource.org/licenses/MIT', 8 osiApproved: true, 9 licenseText: '…' 10} 11*/
Or just the license IDs as a Set:
1const spdxLicenseList = require('spdx-license-list/simple'); 2 3console.log(spdxLicenseList); 4//=> Set {'Glide', 'Abstyles', …}
API
spdxLicenseList
Type: object
The licenses are indexed by their identifier and contains a name property with the full name of the license, url with the URL to the license, and osiApproved boolean for whether the license is OSI Approved.
No vulnerabilities found.
Reason
security policy file detected
Details
- Info: security policy file detected: .github/security.md:1
- Info: Found linked content: .github/security.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: .github/security.md:1
- Info: Found text in security policy: .github/security.md:1
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: license:0
- Info: FSF or OSI recognized license: Creative Commons Zero v1.0 Universal: license:0
Reason
0 existing vulnerabilities detected
Reason
Found 4/30 approved changesets -- score normalized to 1
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/main.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/sindresorhus/spdx-license-list/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/sindresorhus/spdx-license-list/main.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/main.yml:22
- Info: 0 out of 2 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 1 npmCommand dependencies pinned
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'main'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 4 are checked with a SAST tool
Score
4.2
/10
Last Scanned on 2025-06-30
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More