Are you using npmjs.org for all your JavaScript packages? Chances are you are, right? It’s pretty common to include them in your dev projects. But when it comes to package licenses, how closely are you really keeping an eye on them? With over 100 packages in any given project, each with its own license, it’s totally understandable if you’re not keeping tabs on them all.

But here’s the thing – this approach has its legal risks. Knowing the licenses attached to your packages is super important. We’ve seen cases like Artifex v. Hancom in the past, where Hancom got into hot water for supposedly violating the open-source GPL-3.0 License agreement.

In this article, we’ll chat about package licenses. It’s not just about dodging legal headaches but also making your development process way smoother. We’ll set up guidelines for npm package use in your projects, and walk you through the steps to get it sorted.

Understanding the Issues of npm Package Licensing 

It goes without saying that most people these days are aware that downloading software without proper authorization is a big no-no. Reason being is the scrutiny needed over license terms of software they intend to use. This is done to align with company policy and mitigate potential legal hot water stemming from unauthorized software usage. 

npm packages are no different. People often overlook this though as npm packages are sourced from the npm registry. People don’t really see it the same way as like, downloading off the internet.

Just like software, npm packages contain copyrighted material. The author of the package usually has the final say in how their software can be used. One good example of this is The GPL 3.0 license. Organizations often keep this at arm’s length because it places strict restrictions on the use of software, requiring derivative works to be licensed under the same terms.  

Here’s an example of a “GPL3.0” licensed package from npmjs.org, ccNetViz:

It’s a relatively friendly-looking graph theory library. We see it’s license is casually mentioned along with the version, total files etc. They all seem fairly innocuous, — but one of these is not like the others.

The crux of the matter is license agreements are legally binding contracts. If you were to use “ccNetviz” in production, you essentially enter into a contract with the package’s author. Simply downloading the “ccNetviz” implies your agreement to abide by its terms. These agreements are no mere formality; they represent real-life commitments with real-life consequences. Just ask Hancom.

So, How Do I Find an npm Package License? 

Besides searching npmjs.org, you can find an npm package’s license in the manifest file (package.json) within the package’s .tar.gz file.  npm packages typically express their licenses in one of two ways: 

The Software Package Data Exchange (SPDX) identifier code is a representation of a pre-existing open-source or free software license. Some are straightforward, such as “MIT”. While others can be more complex, like “CC BY-NC-SA.”. Let’s open up the “ccNetViz” package.json and take a look:

}
"license": "GPL-3.0"
...
}

An Embedded License File is a file that can be opened and read. They can usually be found as .txt or .md (Markdown) format. This is typically the case when the license associated with the package is non-standard or proprietary.  In this case, you’ll find something like this:

}
"license": "SEE LICENSE IN <filename>"
}

More often than not, packages published on npmjs.org adhere to the SPDX License List, curated by the Linux Foundation. This list is mainly to identify open-source software licenses and includes a comprehensive collection of over 100 licenses, each associated with a unique SPDX code. 

Let’s take a look at some other licenses you’re likely to find: 

How SPDX Codes Make Life Easier

A good point of the SPDX Code is that it’s consistent. This means that the license it represents does not change. Any modifications or alterations to the license would require the creation of a new “version” of the license (e.g MPL-1.1 to MPL-2.0). So let’s say a package is originally licensed under MPL-1.1, and your organization determines that it’s acceptable, you can trust that the license’s terms will remain unchanged over time. 

SPDX codes serve as a convenient and reliable way to identify licenses within npm packages. This consistency in how licenses are represented by SPDX codes simplifies the process of understanding and managing licenses associated with software packages. 

What You Can Do to Manage Compliance in Production 

We now know the risks packages like “ccNetViz” present, but what can we do about it? Manually reviewing and vetting licenses for npm packages can be a proper time sink. Automating this process makes things way easier, scanning npm packages to identify licenses and then approving or disapproving their usage. 

One option to automate license approval is by using a private package repository. We’ll use ProGet as an example, taking a quick look into how you can easily set up automated license approval. 

If you go into any package in a feed, right off the bat you’ll see the package’s license. 

Remember how the “GPL-3.0” license could spell trouble? A user can configure the feed to block attempted downloads of any package with a GPL-3.0 license. 

Not only does this save time compared to going into each package one by one and deciding if they can be used based on the license, but it also means nothing slips through the cracks. 

ProGet can also be configured to filter licenses at the feed level, which you may need to do if license restrictions vary from project to project. 

Know Your Licenses

npm licenses are crucial for package usage. Downloading npm packages implies consent to associated license terms.

💡 Automate license reviews with tools like ProGet to ensure compliance and save time. This maintains consistent adherence to your organization’s license policies.

💡 Understanding npm licenses, automating compliance, and setting clear policies are vital for avoiding legal issues and maximizing package management efficiency.

To learn more about npm, npm packages and how you can streamline and optimize your development, sign up for our npm in the Enterprise eBook; coming soon! Reserve your free copy today!