Output all licenses of installed node.js libraries
Is there an option in npm (or other tool) to print all used licenses? I have a project and I want to make sure I don't use a library which is under a license I can't use.
EDIT: Found out that many developers don't include the license in the package.json, so I had to find out manually using "npm docs package-name"
I had exactly the same requirement, and wrote a node module to do this. Shameless self promotion I know, but it is open source and hope it can help resolve your issue. Let me know if you have any issues or suggestions.
The difference over the other answers is that it does not just use the package.json license declaration, but looks for potential license information in license and readme files in the project.
https://npmjs.org/package/nlf
You can install using npm install -g nlf
cd {project}/node_modules
ls | sed 's/$/\/package.json/' | xargs grep '"license[s]*"' -A 3
Could use some improvement, but it works (at least on osx, should work on linux, no idea about windows). You should see something like:
grunt/package.json: "licenses": [
grunt/package.json- {
grunt/package.json- "type": "MIT",
grunt/package.json- "url": "http://github.com/gruntjs/grunt/blob/master/LICENSE-MIT"
--
grunt-contrib-concat/package.json: "licenses": [
grunt-contrib-concat/package.json- {
grunt-contrib-concat/package.json- "type": "MIT",
grunt-contrib-concat/package.json- "url": "https://github.com/gruntjs/grunt-contrib-concat/blob/master/LICENSE-MIT"
--
Update:
If you wish to see the name of all modules, even those nested inside other modules, the following works (cred to @robertklep, slightly modified to still work when inside the node_modules directory):
find * -name package.json | xargs grep '"license[s]*"' -A 3
Yarn has a command for this as well. yarn licenses list
renders short output, yarn licenses generate-disclaimer
renders all the actual license text to stdout (suitable for disclaimers, as the option would imply).
-
If you want to omit
devDependencies
:NODE_ENV=production yarn licenses list
-
For my purposes, the following command got me close enough:
yarn licenses list | grep License | \ grep -vE 'MIT|ISC|WTFPL|BSD|Apache|Unlicense|CC-BY|Public Domain'`
Take a look at license-report or license-checker
Having just done this for a large project, I can say it turns out this process is more of a headache to automate fully than you might think. It's easy to get many of them with some of the tricks listed here, but NPM package licenses are not published consistently, and can appear
- In the NPM package.json file, or
- In the README file (sometimes just the name, like "MIT license", and sometimes full license text in a section), or
- In a separate LICENSE or COPYING file.
In addition, you sometimes have to read a licenses to tell which well-known open source license it corresponds to.
The best tool I know to do this, that (unlike some of the other answers here) covers all these cases is the licensecheck package: https://github.com/marcello3d/node-licensecheck
It looks at package.json as well as common license files, and does a signature match against known licenses, so it accurately recognizes more licenses automatically. It also "normalizes" licenses against the standard SPDX list of licenses (https://spdx.org/licenses/).
Finally, Licensecheck also lets you save any remaining packages you needed to manually verify in your own license.json file (since you can't count on an external maintainer to change their package).
Taken together, this is a pretty robust solution.