license-checker-ci

Check node packages against a licence whitelist in CI

Version 1.3.0, updated 4 years ago, created 5 years ago.

License Checker CI
A wrapper around license-checker for use in CI with a whitelist.

Usage

Call from CLI as follows:
$ license-checker-ci [--whitelists relative-path-to-whitelists] [folder1] [folder2] [...]

By default, relative-path-to-whitelists is ./.license-checker-ci/whitelists.json and only the current working directory is checked.
The call fails (exits with code 1) if any package is found that is neither whitelisted itself nor distributed under a whitelisted license.
Example:
$ license-checker-ci
[/home/philipp/code/license-checker-ci] amdefine@1.0.1 with license(s) BSD-3-Clause OR MIT not whitelisted.
[/home/philipp/code/license-checker-ci] json-schema@0.2.3 with license(s) AFLv2.1,BSD not whitelisted.
[/home/philipp/code/license-checker-ci] optimist@0.6.1 with license(s) MIT* not whitelisted.
[/home/philipp/code/license-checker-ci] wordwrap@0.0.2 with license(s) MIT* not whitelisted.
License check failed: 5 problems detected.
$ echo $?
1

Note that the working directory must contain a valid package.json and subfolder node_modules.

Whitelists specification

The whitelists file must be valid JSON describing an object with the properties packages and licenses. licenses must be an array of the licenses you want to whitelist; packages must be an array of the packages, each given with a semver version range, that you want to whitelist.
Example:
{
  "packages": [
    "amdefine@^1.0",
    "esutils@*",
    "json-schema@^0.2",
    "optimist@^0.6",
    "spdx-expression-parse@^1.0",
    "spdx-license-ids@^1.2",
    "tweetnacl@^0.14",
    "wordwrap@^0.0" 
  ],
  "licenses": [
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "CC0-1.0",
    "CC-BY-3.0",
    "ISC",
    "MIT",
    "Public Domain",
    "Unlicense",
    "WTFPL"
  ]
}

Multiple licenses

Some packages allow redistribution under combinations of licenses, e.g. (License-1 OR License-2 OR License-3) or (License-1 AND License-2).
You only need to whitelist one of those licenses for OR-combinations and all licenses for AND-combinations. See https://www.npmjs.com/package/spdx-expression-parse for details.
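The following is an added example, not code from license-checker-ci itself, showing how the whitelist rules above (package@range entries, one license for OR-combinations, all licenses for AND-combinations, exit code 1 on problems) can be applied to license-checker-style data. It assumes plain x.y.z versions, flat SPDX strings (a single OR- or AND-list, optional outer parentheses) and package ranges that are either "*" or caret ranges such as "^1.0"; the dual-pkg entry in the sample is constructed.

```javascript
// Added example (not the project's own code): `found` maps "name@version" to
// { licenses: "<SPDX string>" }, mirroring what license-checker reports.
const cmp = (a, b) => a.reduce((d, n, i) => (d !== 0 ? d : n - b[i]), 0);

// Caret ranges: leftmost non-zero component is fixed, e.g. ^1.0 -> [1.0.0, 2.0.0), ^0.6 -> [0.6.0, 0.7.0)
function matchesRange(version, range) {
  if (range === '*') return true;
  if (!range.startsWith('^')) throw new Error(`unsupported range: ${range}`);
  const given = range.slice(1).split('.').map(Number);
  const lo = [...given, 0, 0].slice(0, 3);
  let fixed = given.findIndex((n) => n !== 0);
  if (fixed < 0) fixed = given.length - 1; // all zeros (^0.0): last given component is fixed
  const hi = lo.map((n, i) => (i < fixed ? n : i === fixed ? n + 1 : 0));
  const v = version.split('.').map(Number);
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// OR: one whitelisted license suffices; AND: every license must be whitelisted; else exact match
function licenseAllowed(expr, licenses) {
  const e = expr.trim().replace(/^\((.*)\)$/, '$1');
  if (e.includes(' OR ')) return e.split(' OR ').some((l) => licenses.includes(l.trim()));
  if (e.includes(' AND ')) return e.split(' AND ').every((l) => licenses.includes(l.trim()));
  return licenses.includes(e); // e.g. license-checker's guessed "MIT*" must be listed verbatim
}

const splitId = (id) => [id.slice(0, id.lastIndexOf('@')), id.slice(id.lastIndexOf('@') + 1)];

function checkPackages(found, whitelists) {
  const problems = [];
  for (const [id, info] of Object.entries(found)) {
    const [name, version] = splitId(id);
    const pkgOk = whitelists.packages.some((w) => {
      const [wName, range] = splitId(w);
      return wName === name && matchesRange(version, range);
    });
    if (!pkgOk && !licenseAllowed(info.licenses, whitelists.licenses)) {
      problems.push(`${id} with license(s) ${info.licenses} not whitelisted.`);
    }
  }
  return { problems, exitCode: problems.length ? 1 : 0 }; // CI fails on exit code 1
}

// Constructed sample: the first three entries mirror the README output, dual-pkg is invented
const FOUND = {
  'amdefine@1.0.1': { licenses: 'BSD-3-Clause OR MIT' },
  'optimist@0.6.1': { licenses: 'MIT*' },
  'wordwrap@0.0.2': { licenses: 'MIT*' },
  'dual-pkg@2.0.0': { licenses: '(MIT AND CC-BY-3.0)' },
};
const WHITELISTS = { packages: ['optimist@^0.6'], licenses: ['MIT', 'BSD-3-Clause', 'ISC'] };
```

With this whitelist, amdefine passes via the OR rule and optimist via its package entry, while wordwrap (guessed license "MIT*") and dual-pkg (AND with one non-whitelisted license) are reported and the exit code is 1.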

LICENSE

MIT