Currently, the following .licensee.json file is treated as an invalid configuration.

{
  "license": "(MIT OR BSD-2-Clause OR BSD-3-Clause OR Apache-2.0)"
}

I think it would be fine to allow a missing whitelist property.

From the README and looking at https://npmjs.com/packages/spdx-expression-parse it's not clear whether we can have a license blacklist, e.g. NOT GPL.

This could be useful, especially for existing projects where creating and conforming to a whitelist could take some time. It could be simpler to start with "no GPL" (for example) and go from there.

Relates to #55

Suggestion to add the "engines" field to the project's package.json to make the supported Node.js versions explicit. This would allow users of licensee to be informed about (potential) incompatibility with their current Node.js version if they use the engine-strict option.

Not sure what the preferred approach would be, but based on the list of Node.js version tests some options include:

• Minimum only:
  • "node": ">=12"
  • "node": "^12 | ^13 | ^14 | ^15 | ^16 | ^17 | >=18"
• Minimum and maximum (would require a patch update to add support for a new Node.js version):
  • "node": ">=12 <19"
  • "node": "^12 | ^13 | ^14 | ^15 | ^16 | ^17 | ^18"

Hello and thank you for this neat module.
I'm not sure this is a good idea but consider being more flexible with the SPDX License Identifiers "parsing".
For instance, some modules have their license set as MIT/X11, meaning to allow for a dual license. In such case licensee could allow the module if the configuration specifies either MIT or X11.
As I said above, not sure this is a good idea as it doesn't follow the "general practices" but it could be made as an option in the licensee.json configuration file.
One more question, Does licensee only scan modules defined under "dependencies" in package.json or does it also scan modules defined under devDependencies ?
Maybe the configuration should allow for specifying which alternative to go with.

I see parsed SPDX expressions with conjunction are excluded. I'd like to request support for expressions exclusively limited to or conjunctions. It would be nice to optionally support AND conjunctions as well if all of the AND items are present.

Related to #2 are there any plans to include an extends type property to support shareable configs?

https://opensource.org/licenses/alphabetical, will be great allow to setup this as in config as in cli, thanks for good project.

I can send a PR

It'd be awesome if the report indicated whether a dep was top-level, or if not, which packages caused it to be included.

Hey :)

Would you be open to the idea of parsing the .licensee.json file using something like json5 so that the file can contain comments?

After having a brief look over the repository, it seems that it could perhaps be a drop-in replacement on line 105 of /licensee with the only changes being:

• Adding an require statement const JSON5 = require('json5');
• Changing JSON.parse(data) to JSON5.parse(data).

Thanks for your consideration

I know not a real issue but something I thought it was worth mentioning
Should be: https://www.npmjs.com/package/licensee

Thanks for the amazing new module. Immentiately added it to one of our boilerplates. It would be nice though to have a new mode where we can just output the problematic packages in a compact format (no contributors, etc.).

Do you have something like this in mind, too?

Isaac was kind enough to confirm that read-package-tree will probably be deprecated in favor of Arborist. Arborist will expose a promise API.

I have watched release on the Arborist repo. When the time comes, licensee will want to switch. But I'd strongly recommend that we hold off doing any substantial development until that decision is taken.

For sharing configuration files between projects as NPM modules it is useful to use dynamic JavaScript files as configuration, in addition to JSON files.

ESLint Config Docs or Commitlint Config Docs can be used as reference.

The .licensee.js configuration file could look like this:

module.exports = {
  licenses: {
    spdx: ['CC-BY-3.0'],
    blueOak: 'bronze',
  },
  packages: {
    'deep-is': '0.1.3',
    diff: '1.4.0',
    doctrine: '1.5.0',
    esutils: '2.0.2',
    'json-schema': '0.2.3',
    wordwrap: '0.0.2',
    longest: '1.0.1',
    'repeat-element': '1.1.2',
  },
  corrections: true,
};

Running on Windows fails when using the --production flag because spawning an npm process fails.

This is because spawn does not use the PATHEXT env var on Windows and does not find the npm command that is actually called npm.cmd. See: nodejs/node-v0.x-archive#2318

Not sure what is the best way to deal with this issue. There is a cross-spawn package. Using shell option for spawn seems to be an option etc.

We have lots of internal packages under either a scope, or a common name prefix. It would be great to be able to whitelist "airbnb-*", for example, without having to manually add each new one to the list.

Hello!

We've recently updated to Angular 8 and we've come across a scenario where a dependency has not updated its dependency list to support the new version and is thus raising an expected peer dependency error. This causes a problem with licensee when npm ls is used to retrieve the production dependency list. As a result, our license check is failing in our build pipeline. We've disabled the license check as a temporary workaround.

This is the underlying error being raised by npm ls --production:

peer dep missing: @angular/core@>=6.0.0 <8.0.0, required by [email protected]

We have confirmed that, for our purposes, this is a safe upgrade as we await the PR but were wondering if it would be possible to add a flag to ignore peer dependency errors. Right now, we are unable to get a list of actual license errors --errors-only --production since the task fails on the peer dependency errors and exits before parsing the json.

Something like:

licensee --production --errors-only --ignorePeerDepsErrors

There doesn't appear to be a flag on npm ls to ignore those errors, unfortunately. That would have been an easier fix.

I'm willing to attempt a PR if this sounds ok. Thoughts?

Thank you!

It would be awesome if the license was found not just in package.json, but also in other files like LICENSE and the readme.

This package does exactly that: https://www.npmjs.com/package/license-checker#how-licenses-are-found
This is their implementation on the strings in those files: https://github.com/davglass/license-checker/blob/master/lib/license.js

Thoughts?

• differentiate uses
• load .licenserc by default

I've got an error "UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'toLowerCase' of undefined" trying to use "ignore" filter. (licensee\index.js:327:17)

It caused by package node_modules\\@svgr\\webpack\\node_modules\\@babel\\plugin-proposal-private-methods. This package results in empty object inside tree.package in resultForPackage func.

I'm primarily concerned with the licenses I distribute, not the licenses of the dev tools I use.

Could there be an option like --production that skipped devDeps (but checked deps, peerDeps, bundledDeps, etc)?

Are there any plans to introduce a blacklist option, for both licenses and packages?

Help users understand what's changing.

I assume everybody is getting the same warning as I am:

npm WARN deprecated [email protected]: This package is no longer relevant as Node.js 0.12 is unmaintained.

Node.js 0.12 is ancient, so maybe it's time to drop this dependency?

1. When reading a dep, check if it's been corrected, and substitute the corrected license value.
2. Apply the rule and whitelist as usual.

Ran into this on with corsify.

{"licenses": [
    {
      "type": "MIT",
      "url": "http://github.com/Raynos/corsify/raw/master/LICENSE"
    }
  ]
}

I didn't even know about this property and style of format but apparently it's in use :/

[email protected] (Invalid license metadata)

The terminology "whitelist" and "blacklist" are used in a way that mean "good, blessed, permitted, positive" and "bad, forsaken, forbidden, negative" respectively. These are problematic in our society for reasons that are relatively obvious.

Instead, it would be preferable to use "allowlist" and "blocklist" or "allowlist" and "denylist" where the terminology is present.

I'm happy to submit a PR to make changes where relevant. I wanted to get a +1 from the maintainers via an Issue first, however, so as not to be particularly intrusive with a PR that is focusing on a negative.

If the use of spdx-whitelist is a blocker, I'm also happy to help do work there and in its upstream dependencies to update its terminology or help rename and republish it to spdx-allowlist or whatever other terminology that is preferred.

References on others doing this same thing/discussing the subject:

• https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6148600/
• https://www.zdnet.com/article/uk-ncsc-to-stop-using-whitelist-and-blacklist-due-to-racial-stereotyping/
• https://blog.talosintelligence.com/2020/06/talos-replacing-blacklist-blocklist-allowlist.html
• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=49decddd39e5f6132ccd7d9fdc3d7c470b0061bb

I'm seeing multiple entries in the list - presumably when a dependency is duplicated in the graph.

It'd be ideal if when the package name and license data are the same, they could all be collapsed to a single entry (with a semver range covering the ones that are the same).

I think missconfiguration should be rather fatal, as it can be hard to validate (especially on small projects with few dependencies) that the test that is running is actually correct. It may give false positives. It would be nice if, when passing a blueOak value of foo, it would throw an error saying that is not an existing category.

[email protected]
  NOT APPROVED
  Terms: Invalid license metadata
  Repository: git://github.com/jashkenas/underscore.git
  Homepage: http://underscorejs.org
  Author: Jeremy Ashkenas <[email protected]>
  Contributors: None listed

It would be great to know where [email protected] is being called - it is not the most recent version, and I suspect that many packages use the old style for declaring licenses in package.jsons:

// Not valid metadata
{ "license" :
  { "type" : "ISC"
  , "url" : "https://opensource.org/licenses/ISC"
  }
}

While note SPDX approved, this shouldn't be flagging the same error as the others, because there is a license, at least. Alternatively to declaring where the dep is being called, this module could check for older license checks.

This may be out of scope for this module.

Would it be in scope for you to support giving a list of package names/ranges to include for checking (and not check anything else)?

In order to display content on the likes of raw.githack.com for browser scripts, I have a routine to copy dependencies out of node_modules and reference the copies instead and to only add them in devDependencies. However, I'm not interested in licenses for all of the other (many) devDependencies, so I'd like to whitelist my own list for checking rather than being forced to explicitly ignore the ones that are not of interest.

Related to #30, if I whitelist a package, i'd love a way to also auto-whitelist anything it's bringing in.

~/random-project $ licensee
Cannot read ~/random-project/.licensee.json

Would be ideal to automatically create this file with licensee --init, or to specify in usage that it must be manually created first.

Firstly thanks for the useful tool! One small piece of feedback - a colleague messages me last week with:

should i trust https://github.com/myco/myapp/blob/master/frontend/.licensee.json as the full list of packages/licenses?
i would have thought there should be a lot more

This is despite me mentioning previously that packages is a list of exceptions, rather than a list of all packages.

I suspect my colleague (and I, when I first started using licensee) are not the only one confused by the key name packages. Giving it a more descriptive name might help eliminate the confusion!

Some better names might be:

• ignorePackages
• ignore
• exceptions

etc. Anyway thanks for listening to the suggestion!

Hi
Licensee currently only checks the license key and ignores the old npm format licenses key - can you update licensee so that it at least makes any information under a licenses key available to anyone using licensee - you don't need to do anything with it but if its available it avoids me having to re-read package.json files to check if that key exists
many thanks

Why cannot use 'LicenseRef' license name when initializing the package.json with 'npm init' command?

If users wants to add the proprietary license name in package.json, they may also want to add the license name to match the spdx license expression. Because it is easier to manage the license name of their package than using 'SEE LICENSE IN '.

What about changing to accept 'LicenseRef-' spdx license expression?

Whether or not a package is using a valid identifier or not, I'd like to be able to whitelist it's license type. I have multiple packages with "MIT/X11", and since that's basically MIT, i'd like to allow those - but licensee errors out.

For starters: I will make a PR for this later.

This was briefly discussed in #42, but since #55 dropped support for unmaintained versions of Node, we can progress with this issue now too.

I realized that this is not just an issue of replacing fs-access with fs.access (the Node built-in not present in older versions of Node), but actually, the only place where it's used, fs.access is not actually needed. The more robust way to check for file non-existence is to check for error.code === 'ENOENT' when reading fails.

I get Terms: Invalid SPDX expression "W3C-20150513" with [email protected], but per
w3c/IntersectionObserver#348 (comment) it should be valid.

Currently I am working on a mono-repository using lerna and its feature of hoisting dependencies (quoting from https://github.com/lerna/lerna/blob/master/doc/hoist.md):

When an overall project is divided into more than one NPM package, this organizational improvement generally comes with a cost: the various packages often have many duplicate dependencies in their package.json files, and as a result hundreds or thousands of duplicated files in various node_modules directories. By making it easier to manage a project comprised of many NPM packages, Lerna can inadvertently exacerbate this problem.

Fortunately, Lerna also offers a feature to improve the situation - Lerna can reduce the time and space requirements for numerous copies of packages in development and build environments, by "hoisting" dependencies up to the topmost, Lerna-project-level node_modules directory instead.

As per my understanding, licensee.js is using the read-package-tree library (by which it will look at the node_modules folder structure only) from npm to understand which dependencies to check and basically - in combination with the previous described behaviour - in my case is checking also the licenses of transitive dependencies.

This in principles can be good but it should be configurable from my point of view with a flag/option (depth?) and the process should also relay not only on the node_modules structure but also - probably - on the lockfiles (both npm-shrinkwrap and package-lock) where the details about a dependency are more precise.

Am I wrong?

I've been thinking a bit about allowing licensee to use external "mappings" from package@version to SPDX ID, for those packages that have an SPDX-identified license, but haven't coded it correctly in package.json.

I find myself copying the same whitelist mappings from project to project. This could solve.

Hi @kemitchell can you update your dependencies - im currently getting

├─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected]
└─┬ [email protected]
└── [email protected]

licensee is using the old spdx-license-ids - a few of the module dependencies in the tree need updating to fix this - can you also bump the licensee version when you've updated this.

thanks

I figure the README should include documentation with at least one example of either the flag --production or API productionOnly. I can prepare a PR, but wanted to see if there were opinions on how.

As well as licenses, license has allowed an albeit now deprecated object per https://docs.npmjs.com/files/package.json#license

{ "license" :
  { "type" : "ISC"
  , "url" : "https://opensource.org/licenses/ISC"
  }
}

(While a comment states, "Not valid metadata", it goes on to say "Those styles are now deprecated", i.e., they are not entirely rejected yet.)

Some packages still use this format, so weren't being found for approval. I think this format, and the array format, should be supported.

Thanks!