I would like to suggest a new option to list licenses for dependencies, only. In other words, the license for the module defined by package.json itself shall be excluded. Assuming this can be controlled by a command line option "--dependencies" this can be achieved easily by the following patch.

mwittig@01cde66

Of course, some additional code will be required to set the command line option. I am happy to do that if the feature request finds your acceptance. Please also advise further about test requirements in case.

Sorry, I am not able to create a fork & pull request at the moment.

The Normalization of git URLs (moduleInfo.repository) in index.js, line 40 and following does not work as intended.

40: moduleInfo.repository = json.repository.url.replace('git://github.com', 'https://github.com').replace('.git', '');
41: moduleInfo.repository = json.repository.url.replace('[email protected]:', 'https://github.com/').replace('.git', '');

The assignment in line 40 has no effect as it is overwritten by the assignment in line 41. Suggested Fix:

Change line 41 as follows:
moduleInfo.repository = moduleInfo.repository.replace('[email protected]:', 'https://github.com/').replace('.git', '');

I am wondering what the semantics of the --unknown option is. Please clarify.

Take the detection of MIT licenses, for example, where

• MIT is output, if the MIT string was found as part of the license (or licenses) descriptor property, and
• MIT* is output if the aforementioned properties do not exist and some text pattern of the license clause is found in the ReadMe or License file of the module source.

Using option --unknown highlights the MIT markings as unknown licenses while it does not show the MIT* ones . Why do you consider, the text pattern matching as more accurate over content of the of the license or licenses descriptor properties? Shouldn't this be the other way round? I assume this is a bug.

If I am wrong and this is a feature you could perhaps combine the two methods of license checking for the case where the descriptor contains the license or licenses property.

The output now is flat. Would it be possible to mimic npm ls style, so that I can trace which dependency I have that results in a unwanted license?

Probably makes sense to ignore the license for private packages.
Could add just add "license": "private" and be done with it though.

ts-xlsx's license is GNU AFFERO GENERAL PUBLIC LICENSE: https://github.com/DxCx/ts-xlsx/blob/master/LICENSE

But license-checker reports MIT:

c:\Temp\foo>license-checker
├─ @types/[email protected]
│  ├─ licenses: MIT
│  ├─ repository: https://wwwhub.com/DefinitelyTyped/DefinitelyTyped
│  └─ licenseFile: c:\Temp\foo\node_modules\@types\xlsx\LICENSE
├─ [email protected]
│  └─ licenses: ISC
└─ [email protected]
   ├─ licenses: MIT
   ├─ repository: https://github.com/DxCx/ts-xlsx
   ├─ publisher: Hagai Cohen
   └─ licenseFile: c:\Temp\foo\node_modules\ts-xlsx\LICENSE

Hi,

I was wondering if there currently a way to extract the package author's information?

Steps to reproduce:

npm install uglify-js
license-checker

...
├─ [email protected]
│  ├─ licenses: MIT*
│  └─ repository: https://github.com/mishoo/UglifyJS2
...

It seems like the BSD license has the string "MIT" in it, as in "...INCLUDING, BUT NOT LIMITED TO...". The LICENCE checker should probably use a regex with some sort of whole-word restriction.

I would like an option to list licenses for "first" dependencies in the dependency tree. So in other words list dependencies only for the modules which are listed in package.json file's "dependencies".

I believe in that case, the parsing of the license data will break.

I have made the fix in my fork, but I've since made significant refactoring of the original code. I'll be happy to submit a PR if you'd like.

Some modules have a license in README, but not in package.json. An example: https://www.npmjs.com/package/matcha

Some packages have license types with commas in them. One I've encountered is rx-lite, which lists its license as "Apache License, Version 2.0". Is there a way to exclude these with the --exclude flag? I don't know a way that isn't interpreted as separate "Apache License" and "Version 2.0" licenses.

I would like to collect the full license texts of my dependencies. It almost works with the --customPath option and json output.

But the license text is stripped from quotes and line breaks. See lib/index.js:
moduleInfo.licenseText = content.replace(/"/g, '\'').replace(/\r?\n|\r/g, " ").trim();

Is there a reason for this? If yes, it might be an idea to add a moduleInfo.licenseTextOriginal or similar that contains the unmodified text.

problem statements

• exclude accepts only strings, vs arrays if using the library api (vs cli)
• exclude does not accept regexs

solution

• enable both

discussion

are you open to these ideas?

I ran into this issue after attempting to run license-checker on one of our repo's.

After adding some extra logging to license-checker, I identified the problem as being a circular dependency structure underneath the node-slack module we rely on.

Dependency structure:
node-slack -> deferred -> es5-ext -> es6-iterator -> es5-ext -> es6-iterator -> [repeats forever]

Specifically, it looks like es5-ext and es6-iterator modules both depend upon one another.

Note: It looks like there would still be an issue even if these two packages didn't directly depend on each other -- there would still be a circular dependency between non-parent-child packages:
node-slack -> deferred -> d -> es5-ext -> es6-iterator -> d -> es5-ext -> es6-iterator -> [repeats forever]

To reproduce:
So, if you npm install d, es5-ext, or es6-iterator in a new directory and then run license-checker in that directory. You will encounter the following error (due to license-checker's flatten function recursively calling itself until max call stack exceeded):

RangeError: Maximum call stack size exceeded

Workaround:
For now, I'm just going to remove the node-slack repo before I run license-checker.

Real Fix
As far as fixing the problem, I'm unsure of a quick fix. Ideally, npm modules wouldn't have circular dependencies, but npm seems to allow it and as I discovered, they do actually exist out there. I guess license-checker may need need to detect circular dependencies?

Tried using this, it exploded though. Node 0.12.2 npm 2.9.1.

TypeError: Cannot read property 'indexOf' of null
    at /Users/simen/.nvm/versions/node/v0.12.2/lib/node_modules/license-checker/lib/index.js:80:36
    at Array.forEach (native)
    at flatten (/Users/simen/.nvm/versions/node/v0.12.2/lib/node_modules/license-checker/lib/index.js:76:11)
    at /Users/simen/.nvm/versions/node/v0.12.2/lib/node_modules/license-checker/lib/index.js:104:20
    at Array.forEach (native)
    at flatten (/Users/simen/.nvm/versions/node/v0.12.2/lib/node_modules/license-checker/lib/index.js:95:40)
    at /Users/simen/.nvm/versions/node/v0.12.2/lib/node_modules/license-checker/lib/index.js:104:20
    at Array.forEach (native)
    at flatten (/Users/simen/.nvm/versions/node/v0.12.2/lib/node_modules/license-checker/lib/index.js:95:40)
    at /Users/simen/.nvm/versions/node/v0.12.2/lib/node_modules/license-checker/lib/index.js:118:20

Just clone my repo https://github.com/SimenB/webpack-fun to reproduce.

Edit. Version 2.0.2 works fine though

https://github.com/angular/angular.js

Even though it's "LICENSE" in the root

It would have been great to be able to add globally installed modules into the output together with the product's own dependencies.

license-checker is not picking up the license from this package:

https://github.com/faeldt/base64id/blob/master/package.json

{
    "name": "base64id"
  , "version": "0.1.0"
  , "licenses" : [
        {
            "type" : "MIT",
            "url" : "https://github.com/caolan/async/raw/master/LICENSE"
        }
    ]
  , "description": "Generates a base64 id"
  , "author": "Kristian Faeldt <[email protected]>"
  , "repository": {
        "type": "git"
      , "url": "https://github.com/faeldt/base64id.git"
   }
  , "main": "./lib/base64id.js"
  , "engines": { "node": ">= 0.4.0" }
}

maybe include whether it is a dev dependency or production in csv? (if it does already I missed it...)

Add the possiblity to define options in a config file (e.g. .license-checker).
It would ease defining license check rules for projects and integrate license checking into automated tests.

example config file:
{
"exclude" : ["MIT", "MIT/X11", "ISC", "Apache-2.0"]
}

Hej, thanks for this awesome module.

I wonder if you would accept a simple pull request for adding LGPL and GPL Licenses to lib/license.js since there is #50 in the making?

/opt/local/lib/node_modules/license-checker/lib/index.js:94
if (data[item].licenses.indexOf('*') === -1) {
^
TypeError: Cannot call method 'indexOf' of null

The error occurs if package.json does not contain the 'licenses' property. To make the code robust against this case I'd like to suggest the following fix:

Check data[item].licenses for null in line 94, i.e.:
if (data[item].licenses !== null && data[item].licenses !== UNKNOWN) {

I have created a pull request on the matter.

When using --out param I noticed there is no newline at the end of the file.
This looks ugly when viewing in the terminal using cat.

I think I can make a PR for it this weekend, if you like.

Here's an example of the Json output

  "\u001b[34mdate-now\u001b[39m\u001b[2m@\u001b[22m\u001b[32m0.1.4\u001b[39m": {
    "licenses": "MIT",
    "repository": "https://github.com/Colingo/date-now",
    "licenseFile": "/node_modules/date-now/LICENCE"
  },

The name has the color included as well. This should be removed.

We want to use this library for checking each of our dependencies and matching them with a whitelist.

If one of the dependencies has a non-whitelisted license, we want to fail a test and give useful information, which module failed and where the module comes from.

The first idea was to use the dependencyPath property. Since npm 3 though, this path does not necessarily fit the modules dependency. On file level, the dependency could be in the root node_modules folder but not being a direct dependency of the project.

Instead of using read-installed, traversing over the result and thus generating such results ourselves, we thought about creating a PR to let license-checker generate this information.

How likely is it you would merge such a PR?

It looks like a lot of UNKNOWNs have a MIT license in the readme.

At

json.readme seems to come from var read = require('read-installed'); which doesn't seem to be maintained/updated anymore (https://github.com/npm/read-package-tree is the new one).

I think there's a bug which results in ERROR: No README data found! for the readme.

after global install:

C:\Users\Gleb\AppData\Roaming\npm\node_modules\license-checker>npm test

[email protected] pretest C:\Users\Gleb\AppData\Roaming\npm\node_modules\license-checker
jshint --config ./node_modules/yui-lint/jshint.json ./lib/

lib\index.js: line 15, col 41, Missing semicolon.
lib\index.js: line 16, col 9, Too many var statements.
lib\index.js: line 17, col 1, Trailing whitespace.
lib\index.js: line 32, col 9, Too many var statements.
lib\index.js: line 37, col 40, Missing semicolon.
lib\index.js: line 49, col 6, Trailing whitespace.
lib\index.js: line 53, col 17, Too many var statements.
lib\index.js: line 16, col 17, 'moduleId' is defined but never used.

lib\license.js: line 12, col 2, Missing semicolon.

9 errors
npm ERR! Test failed. See above for more details.
npm ERR! not ok code 0

Failure in lib/index.js:70 if json.path is undefined:

    files = fs.readdirSync(json.path).filter(function(filename) {
        filename = filename.toUpperCase();
        return filename.indexOf('LICENSE') > -1 || filename.indexOf('LICENCE') > -1 ;
    });

You're also failing to check err when read calls back around line 115, but that's not the cause this time.

I am working on kemitchell/spdx.js#1, which will add support for validating SPDX license identifiers against SPDX license expressions. The idea is to programmatically determine that, say, MIT is valid against (MIT OR Apache-2.0 OR BSD-3-Clause) while GPL-3.0 is not, much like node-semver determines that 2.0.1 is valid against >= 2.0.0 while 1.9.9 is not.

Any interest in building that functionality into license-checker, so that a user can provide an SPDX expression as an argument (or a dotfile property) and identify packages with licenses that don't match?

I'm copying from nlf project:

Summary Mode

--summary option, which can be set to "off", "simple" or "detail". This option controls what will be printed in summary in standard format.

off turns off summary output
simple shows a list of licenses used in the project, the default behavior
detail shows all modules in current project and group by licenses. As example below:
LICENSES:
├─┬ BSD
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ └── [email protected]
├─┬ BSD-2-Clause
│ └── [email protected]
├─┬ Apache-2.0
│ ├── [email protected]
│ ├── [email protected]
│ └── [email protected]
├─┬ (MIT AND CC-BY-3.0)
│ └── [email protected]
└─┬ MPL
└── [email protected]

Would it be possible to also expose the path to the license file (where available) in the output?

In the case of Apache 2 you have to include the NOTICE file, not the LICENSE file. The LICENSE is only shipped for completion.

The unit tests fail because they expect a vows version of 0.8.0 but the current version is 0.8.1 and package.json dependency is for "*".

TravisCI Failure:

  ♢ license-checker

scanning /Users/yuri/dev/license-checker/
  loading
    ✓ should load init
    ✓ should load print
  should not error
    ✓ on undefined
  should parse local with unknown
    ✓ and give us results
    ✓ and convert to CSV
scanning /Users/yuri/dev/license-checker/
  should parse local with unknown should parse local without unknown
    ✗ and give us results
        » failed to lookup vows dep // /Users/yuri/dev/license-checker/tests/test.js:50

✗ Broken » 5 honored ∙ 1 broken (0.334s)

Package.json devDependencies:

  "devDependencies": {
    "yui-lint": "~0.1.1",
    "jshint": "~1.1.0",
    "vows": "*",
    "istanbul": "*",
    "request": "^2.34.0",
    "queue": "^1.0.0",
    "detectionizr": "*"
  },

Unit test expects:

            'and give us results': function (d) {
                assert.ok(d);
                assert.ok(d['[email protected]'], 'failed to lookup vows dep');
                assert.equal(d['[email protected]'].licenses, 'MIT');
                assert.isTrue(Object.keys(d).length > 20);
            }

So, easiest solution would be to change package.json to require 0.8.1 and update the unit tests to look for a vows version of 0.8.1, but that means vows won't get automatically updated in the future. I guess the ideal solution would be something that allows for the unit tests to dynamically know what the current version of vows is and use that, but I'm not sure off the top of my head how to do that.

I'm not sure what your preferred solution is, so I'll leave it up to you. :-)

it comes out as

[
"Glide",
"Abstyles",
"AFL-1.1",
"AFL-1.2",
"AFL-2.0",
"AFL-2.1",
"AFL-3.0",
"AMPAS",
"APL-1.0",
"Adobe-Glyph",
"APAFML",
"Adobe-2006",
"AGPL-1.0",
"Afmparse",
"Aladdin",
"ADSL",
"AMDPLPA",
"ANTLR-PD",
"Apache-1.0",
"Apache-1.1",
"Apache-2.0",
...

See https://procensus.com/acknowledgements.html#spdx-license-ids

I'm getting multiples of this error running the checker on a repo with a large number of deps:

glob error { [Error: EMFILE, readdir '/an/example/dir']
  errno: 20,
  code: 'EMFILE',
  path: '/an/example/dir' }

I have upped kern.maxfiles to 30480 (from 10240) and receiving the same error.

Please add a flag to output licenses for dependencies, devDependencies, or both.

Hi,

I think the project could benefit from a nice error reporting.
To keep compatibility to dependents, I can't think of a totally nice solution but I think I have something that will allow a dependent package to have easy error checking (not check for undefined@undefined).

In the init function, we could simply return an error whenever read fails.
The callback could just return the error like this:
callback(sorted, err)

Any thoughts on this?

This can cause flatten to go into an infinite loop.

I wonder how this could be combined with webpack (as a preloader?) to only really gather information about packages that are imported or required by the app.

scanning /home/testyo/repos/frontend-repo/code
/home/testyo/npm/lib/node_modules/license-checker/lib/index.js:180
                    if (data[item].licenses.indexOf('*') > -1 ||
                                           ^
TypeError: Cannot read property 'indexOf' of null
    at /home/testyo/npm/lib/node_modules/license-checker/lib/index.js:180:44
    at Array.forEach (native)
    at /home/testyo/npm/lib/node_modules/license-checker/lib/index.js:164:34
    at /home/testyo/npm/lib/node_modules/license-checker/node_modules/read-installed/read-installed.js:138:5
    at /home/testyo/npm/lib/node_modules/license-checker/node_modules/read-installed/read-installed.js:251:14
    at cb (/home/testyo/npm/lib/node_modules/license-checker/node_modules/read-installed/node_modules/slide/lib/async-map.js:47:24)
    at /home/testyo/npm/lib/node_modules/license-checker/node_modules/read-installed/read-installed.js:251:14
    at cb (/home/testyo/npm/lib/node_modules/license-checker/node_modules/read-installed/node_modules/slide/lib/async-map.js:47:24)
    at /home/testyo/npm/lib/node_modules/license-checker/node_modules/read-installed/read-installed.js:251:14
    at cb (/home/testyo/npm/lib/node_modules/license-checker/node_modules/read-installed/node_modules/slide/lib/async-map.js:47:24)

[email protected]

"devDependencies": {
  "archiver": "^0.14.4",
  "autoprefixer": "^6.0.3",
  "babel-core": "^5.8.20",
  "babel-eslint": "^4.1.2",
  "babel-loader": "^5.3.2",
  "babel-runtime": "^5.8.20",
  "browser-sync-webpack-plugin": "^1.0.0",
  "css-loader": "^0.19.0",
  "deepmerge": "^0.2.10",
  "del": "^2.0.2",
  "download": "^4.2.0",
  "eslint": "^1.6.0",
  "eslint-config-airbnb": "^0.1.0",
  "extract-text-webpack-plugin": "^0.8.2",
  "faux-jax": "^4.0.0",
  "file-loader": "^0.8.4",
  "gulp": "^3.9.0",
  "gulp-eslint": "^1.0.0",
  "gulp-jscs": "^3.0.1",
  "gulp-stylint": "^3.0.0",
  "gulp-task-listing": "^1.0.1",
  "gulp-util": "^3.0.6",
  "handlebars-loader": "^1.1.0",
  "html-webpack-plugin-extra-files": "^1.4.0",
  "iectrl": "^0.1.1",
  "imports-loader": "^0.6.4",
  "isparta": "^3.1.0",
  "isparta-loader": "^1.0.0",
  "jasmine-core": "^2.3.4",
  "jasmine-jquery": "^2.1.1",
  "jscs": "^2.2.1",
  "json-loader": "^0.5.2",
  "karma": "^0.13.6",
  "karma-chrome-launcher": "^0.2.0",
  "karma-coverage": "^0.5.0",
  "karma-jasmine": "^0.3.6",
  "karma-junit-reporter": "0.3.3",
  "karma-phantomjs-launcher": "^0.2.0",
  "karma-sourcemap-loader": "^0.3.5",
  "karma-webpack": "^1.7.0",
  "lodash.clonedeep": "^3.0.2",
  "lolex": "^1.2.2",
  "merge-stream": "^0.1.8",
  "node-libs-browser": "^0.5.2",
  "node-noop": "0.0.1",
  "phantomjs": "^1.9.17",
  "phantomjs-polyfill": "0.0.1",
  "postcss-loader": "^0.6.0",
  "require-dir": "^0.3.0",
  "rfile": "^1.0.0",
  "run-sequence": "^1.1.2",
  "style-loader": "^0.12.4",
  "stylint-stylish": "^1.1.2",
  "stylus-loader": "^1.3.0",
  "url-loader": "^0.5.6",
  "webpack": "^1.10.5",
  "webpack-config": "^0.8.0",
  "webpack-dev-server": "^1.11.0"
},
"dependencies": {
  "backbone": "1.1.2",
  "backbone-deep-model": "^0.10.4",
  "backbone-validation": "0.11.5",
  "backbone.layoutmanager": "0.9.6",
  "backbone.modelbinder": "1.1.0",
  "block-ui": "2.70.1",
  "bluebird": "^2.10.1",
  "body-parser": "^1.13.3",
  "bowser": "1.0.0",
  "client-sessions": "^0.7.0",
  "cookie-parser": "^1.3.5",
  "core-js": "^1.2.0",
  "crc": "^3.3.0",
  "datatables": "1.10.5",
  "deep-diff": "0.3.2",
  "express": "^4.13.3",
  "express-session": "^1.11.3",
  "handlebars": "1.3.0",
  "jq-pagination": "1.4.1",
  "jquery": "^1.11.3",
  "jquery.inputmask": "3.1.63",
  "moment": "2.9.0",
  "nanoscroller": "0.8.7",
  "node-uuid": "^1.4.3",
  "string.prototype.startswith": "^0.2.0",
  "underscore": "1.8.3",
  "winston": "^1.0.1"
}

It seems some licenses are not correctly detected according to spdx standards.
For example, uglify-js is marked as UNKNOWN, when they surely follow an standard. Their package.json is marked as BSD-2-Clause, which is a valid spdx spec.
Please use spdx to validate the licenses, as it is the standard used by npm.

Nice tool 👍 , thanks !

A few more steps needed to extract the copyright information and reformat the output to something like below for inclusion in the projects COPYRIGHT.md

Included Software and Libraries

This program includes works distributed under the terms of another license(s) and other copyright notice(s).

• jQuery 2.1.4
  
  http://jquery.com
  
  Copyright (c) 2005, 2014 jQuery Foundation, Inc. and other contributors
  
  jQuery is licensed under the MIT license.

https://github.com/davglass/license-checker/blob/master/lib/index.js#L45
Here, to avoid circular dependencies traversal we also avoid to scan same package version twice.

read-installed module returns package dependencies as they are resolved by Node module loading mechanism. This mechanism allows to have same package version to be loaded with different dependency tree. That means we should analyze same package version again, even if it already was processed.

Steps to reproduce

$ npm init -y
$ npm i -S [email protected] [email protected]
$ npm ls ansi-regex
├─┬ [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └── [email protected] 
└─┬ [email protected]
  └─┬ [email protected]
    ├─┬ [email protected]
    │ └── [email protected] 
    └─┬ [email protected]
      └── [email protected]
$ license-checker | grep ansi-regex
├─ [email protected]
│  ├─ repository: https://github.com/chalk/ansi-regex
│  └─ licenseFile: /home/ruslan/Projects/verify/t1/node_modules/ansi-regex/licens

[email protected] is missed from license-checker, because [email protected] is not processed twice.

Immediately after git clone and npm install, npm test fails:

scanning /Users/brandon/code/davglass/license-checker/
  loading
    ✓ should load init
    ✓ should load print
  should not error
    ✓ on undefined
  should parse local with unknown
    ✓ and give us results
    ✓ and convert to CSV
scanning /Users/brandon/code/davglass/license-checker/
  should parse local with unknown should parse local without unknown
    ✗ and give us results
      TypeError: Cannot read property 'licenses' of undefined
      at Object.tests.should parse local with unknown.should parse local without unknown.and give us results (/Users/brandon/code/davglass/license-checker/tests/test.js:49:45)
      at runTest (/Users/brandon/code/davglass/license-checker/node_modules/vows/lib/vows.js:135:26)
      at EventEmitter.<anonymous> (/Users/brandon/code/davglass/license-checker/node_modules/vows/lib/vows.js:80:9)
      at EventEmitter.emit (events.js:117:20)
      at EventEmitter.options.Emitter.emit (/Users/brandon/code/davglass/license-checker/node_modules/vows/lib/vows.js:240:24)
      at that.emitter.ctx (/Users/brandon/code/davglass/license-checker/node_modules/vows/lib/vows/context.js:32:52)
      at Object.env.callback (/Users/brandon/code/davglass/license-checker/node_modules/vows/lib/vows/context.js:46:29)
      at /Users/brandon/code/davglass/license-checker/tests/test.js:45:26
      at /Users/brandon/code/davglass/license-checker/lib/index.js:9:7179
      at /Users/brandon/code/davglass/license-checker/node_modules/read-installed/read-installed.js:118:5

✗ Errored » 5 honored ∙ 1 errored (0.235s)

I'm looking into the reason, but I don't know that I'm sufficiently familiar with the code. I'll update here if I make any progress.

I am using the library and I am getting all desired information like name, license, version etc using the custom format property of options object. But now I want to extract the contact information of author of modules. is it possible? How is it possible using the custom format object?

Thanks
Amit

in the case where there is one license, the api returns:

licenses: 'SOMELICENSE'

in the case where there are many licenses, the api returns:

licenses: ['L1, 'L2']

it would be nice to unify the type output to always an array, or array|null

Hi,

It would be very useful if it supports HTML output format so we can simply include it in a product.

I think a verbose argument should be set to allow a user to simply see what's going on.
The 'scanning pathXY' is not used in external libraries and really looks odd in tests.

Verbosing should be either on or off.
Since chalk is already included, proper coloring is possible, too!

Any thoughts on this?

There is no change in the output from license-checker to license-checker --unknown