Yet another license checker tool for your dependencies; focused on simplicity.
## Install license-cop

```sh
npm install license-cop --save-dev
```

## Make a config file

```sh
npx license-cop init
```

## Run license-cop

```sh
npx license-cop
```

The `license-cop` command will use an exit code of 0 if all your dependencies conform to the settings in your config file.
By default the `--init` flag will make a `.licenses.json` file, however you can use many different variations of file name and file type including:

- Spelling `licenses` as `licences`
- Ending `licenses` with `rc`
- Having the file be in a `.config/` directory
- Using `.json`, `.jsonc`, `.json5`, `.yaml`, `.yml`, `.js`, or `.cjs`
- Using a `licensecop` key in a `package.json` file
### `licenses`

Specify all of the SPDX license codes that you're allowing in your dependency tree. E.g.

```json
{
  "licenses": ["MIT", "ISC", "Apache-2.0"]
}
```

### `packages`

Specify all of the packages you're allowing, no matter what the license is. You can optionally lock packages by npm version ranges. E.g.

```json
{
  "packages": ["lodash", "axios@^2.0.0", "react@<16"]
}
```
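As an added illustration (not license-cop's own code), the following Node.js script models the allow-list rules of `licenses` and `packages` described above over a constructed set of installed packages: a dependency passes if its license is in `licenses`, or if it matches a `packages` entry whose optional version range it satisfies. The range matcher is a deliberate simplification that only understands `^X.Y.Z` and `<X`; license-cop itself accepts full npm ranges.

```javascript
// Added example, not license-cop's own code: a minimal model of the allow-list rules.
// The range matcher below is a simplification for illustration, not full semver.

// Config in the shape documented above
const config = {
  licenses: ["MIT", "ISC", "Apache-2.0"],
  packages: ["lodash", "axios@^2.0.0", "react@<16"],
};

// Constructed stand-in for what a walk of node_modules would report
const installed = [
  { name: "lodash", version: "4.17.21", license: "GPL-3.0" }, // allowed: exception, any version
  { name: "axios", version: "1.6.0", license: "BSD-3-Clause" }, // violation: outside ^2.0.0
  { name: "axios", version: "2.1.0", license: "BSD-3-Clause" }, // allowed: inside ^2.0.0
  { name: "react", version: "15.7.0", license: "CC-BY-4.0" }, // allowed: <16
  { name: "react", version: "18.2.0", license: "CC-BY-4.0" }, // violation: not <16
  { name: "semver", version: "7.5.4", license: "ISC" }, // allowed: license is allow-listed
  { name: "left-pad", version: "1.3.0", license: "WTFPL" }, // violation: no rule matches
];

// Split "name@range" into parts; the "@" of a scoped name ("@scope/pkg") sits at index 0
function parseSpec(spec) {
  const at = spec.indexOf("@", 1);
  return at === -1 ? { name: spec, range: null } : { name: spec.slice(0, at), range: spec.slice(at + 1) };
}

// Simplified range check: "^X.Y.Z" (same major, at least X.Y.Z), "<X", or an exact pin
function satisfies(version, range) {
  const [maj, min, pat] = version.split(".").map(Number);
  if (range.startsWith("^")) {
    const [rMaj, rMin, rPat] = range.slice(1).split(".").map(Number);
    return maj === rMaj && (min > rMin || (min === rMin && pat >= rPat));
  }
  if (range.startsWith("<")) return maj < Number(range.slice(1));
  return version === range;
}

// Every installed package that neither the license list nor a package exception allows
function findViolations(cfg, deps) {
  const allowedLicenses = new Set(cfg.licenses ?? []);
  const exceptions = (cfg.packages ?? []).map(parseSpec);
  const excepted = (dep) =>
    exceptions.some((e) => e.name === dep.name && (e.range === null || satisfies(dep.version, e.range)));
  return deps.filter((dep) => !allowedLicenses.has(dep.license) && !excepted(dep));
}

// Mirror the CLI contract: exit code 0 only when nothing is flagged
function exitCode(cfg, deps) {
  return findViolations(cfg, deps).length === 0 ? 0 : 1;
}

for (const v of findViolations(config, installed)) console.error(`${v.name}@${v.version}: ${v.license} not allowed`);
```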
### `extends`

Specify another license-cop config file that this file should extend.

```json
{
  "extends": "@license-cop/permissive"
}
```

Values can be:

- The name of an installed npm package (optionally prefixed with `npm:`) that contains a license-cop config file.

  ```
  @license-cop/permissive
  npm:@license-cop/permissive
  ```

  `@license-cop/permissive` is a base config provided by us containing a curated list of permissive licenses. We think it's a good starting point for all configs!

- The name of a public GitHub repository (prefixed with `github:`) that contains a license-cop config file. This currently only supports config files called exactly `.licenses.json`.

  ```
  github:tobysmith568/license-cop-config
  ```

- A URL to a license-cop config file. Currently this only supports JSON config files.

  ```
  https://raw.githubusercontent.com/tobysmith568/license-cop-config/main/license-cop.json
  ```

#### Caveats

If you extend a remote file, and that in turn extends an npm package, then you're going to need to have that npm package installed locally. They're not resolved dynamically from npmjs.com.
Two further boolean options control how dev-dependencies are treated:

- `false` by default. Set to `true` to make license-cop also check your dev-dependencies.
- `false` by default. Set to `true` to make license-cop only check your dev-dependencies.
Running license-cop as a part of your CI process is a great way to catch issues before they land in your main branch.

Below is an example of how you can run license-cop in its own GitHub Actions job for all PRs targeting `main`:

```yaml
name: Check Licenses
on:
  pull_request:
    branches:
      - main
jobs:
  licenses:
    name: Check Licenses
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Setup Node.js
        uses: actions/setup-node@v3
        with:
          cache: npm
      - name: Install dependencies
        run: npm ci
      - name: Run License-Cop
        run: npx license-cop
```

The Action above will fail if any of your `node_modules` have a license that isn't listed in your license-cop config file.
License-cop itself is licensed under the ISC license.