Gathering detailed insights and metrics for validate-npm-package-license
Gathering detailed insights and metrics for validate-npm-package-license
Give me a string and I'll tell you if it's a valid npm package license string
Installations
npm install validate-npm-package-licenseDeveloper Guide
BETA
Typescript
No
Module System
N/A
Node Version
8.11.3
NPM Version
5.6.0
Score
99.5
Supply Chain
99.4
Quality
75.5
Maintenance
100
Vulnerability
100
License
Languages
1
JavaScript
JavaScript (100%)
Developer
Download Statistics
Total Downloads
6,323,904,957
Last Day
1,700,745
Last Week
27,581,449
Last Month
119,681,183
Last Year
1,277,987,269
GitHub Statistics
Apache-2.0 License
27 Stars
56 Commits
11 Forks
5 Watchers
5 Branches
2 Contributors
Updated on Apr 14, 2025
Bundle Size
18.94 kB
Minified
6.67 kB
Minified + Gzipped
Maintainers
1
Package Meta Information
Latest Version
3.0.4
Package Id
validate-npm-package-license@3.0.4
Size
5.54 kB
NPM Version
5.6.0
Node Version
8.11.3
Published on
Aug 05, 2018
Total Downloads
Cumulative downloads
Total Downloads
6,323,904,957
Last Day
-8.1%
1,700,745
Compared to previous day
Last Week
-8.3%
27,581,449
Compared to previous week
Last Month
7.4%
119,681,183
Compared to previous month
Last Year
11%
1,277,987,269
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
2
Dev Dependencies
2
validate-npm-package-license
Give me a string and I'll tell you if it's a valid npm package license string.
1var valid = require('validate-npm-package-license');
SPDX license identifiers are valid license strings:
1 2var assert = require('assert'); 3var validSPDXExpression = { 4 validForNewPackages: true, 5 validForOldPackages: true, 6 spdx: true 7}; 8 9assert.deepEqual(valid('MIT'), validSPDXExpression); 10assert.deepEqual(valid('BSD-2-Clause'), validSPDXExpression); 11assert.deepEqual(valid('Apache-2.0'), validSPDXExpression); 12assert.deepEqual(valid('ISC'), validSPDXExpression);
The function will return a warning and suggestion for nearly-correct license identifiers:
1assert.deepEqual( 2 valid('Apache 2.0'), 3 { 4 validForOldPackages: false, 5 validForNewPackages: false, 6 warnings: [ 7 'license should be ' + 8 'a valid SPDX license expression (without "LicenseRef"), ' + 9 '"UNLICENSED", or ' + 10 '"SEE LICENSE IN <filename>"', 11 'license is similar to the valid expression "Apache-2.0"' 12 ] 13 } 14);
SPDX expressions are valid, too ...
1// Simple SPDX license expression for dual licensing 2assert.deepEqual( 3 valid('(GPL-3.0-only OR BSD-2-Clause)'), 4 validSPDXExpression 5);
... except if they contain LicenseRef:
1var warningAboutLicenseRef = { 2 validForOldPackages: false, 3 validForNewPackages: false, 4 spdx: true, 5 warnings: [ 6 'license should be ' + 7 'a valid SPDX license expression (without "LicenseRef"), ' + 8 '"UNLICENSED", or ' + 9 '"SEE LICENSE IN <filename>"', 10 ] 11}; 12 13assert.deepEqual( 14 valid('LicenseRef-Made-Up'), 15 warningAboutLicenseRef 16); 17 18assert.deepEqual( 19 valid('(MIT OR LicenseRef-Made-Up)'), 20 warningAboutLicenseRef 21);
If you can't describe your licensing terms with standardized SPDX identifiers, put the terms in a file in the package and point users there:
1assert.deepEqual( 2 valid('SEE LICENSE IN LICENSE.txt'), 3 { 4 validForNewPackages: true, 5 validForOldPackages: true, 6 inFile: 'LICENSE.txt' 7 } 8); 9 10assert.deepEqual( 11 valid('SEE LICENSE IN license.md'), 12 { 13 validForNewPackages: true, 14 validForOldPackages: true, 15 inFile: 'license.md' 16 } 17);
If there aren't any licensing terms, use UNLICENSED:
1var unlicensed = { 2 validForNewPackages: true, 3 validForOldPackages: true, 4 unlicensed: true 5}; 6assert.deepEqual(valid('UNLICENSED'), unlicensed); 7assert.deepEqual(valid('UNLICENCED'), unlicensed);
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
no dangerous workflow patterns detected
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0
Reason
Found 1/27 approved changesets -- score normalized to 0
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Info: no jobLevel write permissions found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:7: update your workflow using https://app.stepsecurity.io/secureworkflow/kemitchell/validate-npm-package-license.js/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:8: update your workflow using https://app.stepsecurity.io/secureworkflow/kemitchell/validate-npm-package-license.js/ci.yml/master?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:10
- Info: 0 out of 2 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 1 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 5 are checked with a SAST tool
Score
3.4
/10
Last Scanned on 2025-06-02
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More