Hey everyone, just a quick tip on how you can audit your NPM dependencies to make sure you're not infringing copyright.
Open-source software is great, but that doesn't necessarily mean it's free to use. Software projects are released under different licenses. Typically in a project repo, this will be in the LICENSE file in the top level of the repo.
The way you license your software defines many things including:
- Whether you grant use of the software
- Whether you grant commercial use of the software
These two points are extremely important.
You might think the software you are using is free until you get slapped with an invoice or a lawsuit!
As an example that's not related to NPM but is related to software licensing, check out VirtualBox's licences. tl;dr: VirtualBox is licensed under GPL2, while VirtualBox Extensions are under a custom license which requires a fee for commercial use. Supplementary reading: Oracle demands $12,200 for use of VirtualBox Extension Pack.
This ends up being pretty easy due to
Here's the procedure:
npm install license-checker
This will give you a printout of all the licensing details of packages used in your project.
Other cool features of the project:
- Print a summary of licenses used by
npx license-checker --summary
- Include it in your CI/CD pipeline by providing it with a whitelist or a blacklist of licenses
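As an added example (not from the original post or the license-checker project), here is a small Node script that consumes the kind of per-package object `license-checker --json` emits and gates it against an allowlist, the way a CI step would. The report below is a constructed sample with made-up package names, and the `licenses` field shapes it handles (plain SPDX id, `(A OR B)` expression, trailing `*` for a guessed license, `UNKNOWN`) are assumptions about that output format.

```javascript
// Added example (not code from the original post): audit a license-checker
// style JSON report against an allowlist of licenses, as a CI gate would.
// SAMPLE_REPORT is constructed; the package names and licenses are made up.
const SAMPLE_REPORT = {
  "left-pad@1.3.0":    { licenses: "WTFPL", repository: "https://example.invalid/left-pad" },
  "safe-lib@2.0.1":    { licenses: "MIT",   repository: "https://example.invalid/safe-lib" },
  "dual-lib@0.4.0":    { licenses: "(MIT OR Apache-2.0)" },
  "guessed-lib@1.0.0": { licenses: "ISC*" },    // assumed: trailing '*' marks a guessed license
  "mystery-lib@0.0.1": { licenses: "UNKNOWN" }, // assumed: no license could be determined
};

// Licenses this (hypothetical) project is willing to ship with.
const ALLOWED = new Set(["MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"]);

// Split an expression such as "(MIT OR Apache-2.0)" into its identifiers.
function licenseIds(expr) {
  return expr.replace(/[()]/g, "").split(/\s+(?:OR|AND)\s+/).map((s) => s.trim());
}

// Classify each package as "ok", "guessed", "unknown" or "disallowed".
function auditLicenses(report, allowed = ALLOWED) {
  const findings = { ok: [], guessed: [], unknown: [], disallowed: [] };
  for (const [pkg, info] of Object.entries(report)) {
    // license-checker may report several licenses; treat a list as "all apply".
    const raw = Array.isArray(info.licenses) ? info.licenses.join(" AND ") : String(info.licenses || "");
    if (raw === "" || raw === "UNKNOWN") { findings.unknown.push(pkg); continue; }
    if (raw.endsWith("*")) { findings.guessed.push(pkg); continue; }
    const ids = licenseIds(raw);
    // An OR expression passes if any alternative is allowed; AND requires all of them.
    const isOr = /\sOR\s/.test(raw);
    const pass = isOr ? ids.some((id) => allowed.has(id)) : ids.every((id) => allowed.has(id));
    (pass ? findings.ok : findings.disallowed).push(pkg);
  }
  return findings;
}

// Exit code for CI: anything not positively cleared (guessed, unknown or
// disallowed) fails the build, so a human has to look at it.
function exitCodeFor(findings) {
  const problems = findings.disallowed.length + findings.unknown.length + findings.guessed.length;
  return problems > 0 ? 1 : 0;
}

const findings = auditLicenses(SAMPLE_REPORT);
console.log(JSON.stringify(findings, null, 2));
console.log("exit code would be:", exitCodeFor(findings));
```

In a real pipeline you would feed it the output of `npx license-checker --json` instead of the embedded sample and set `process.exitCode` from `exitCodeFor`.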
Hope this helps you to audit the packages you're using!
I write about development stuff in all sorts of areas (Node, Python, Linux, Android, iOS, etc.). If you're interested, follow me here on dev.to or on Twitter @connorbode. I'll keep writing as I learn & discover.