NuGet License Expressions, Explained

Eric Seng

Introduction

The Entr’Ouvert v. Orange case is a clear warning: overlooking open-source license obligations, such as providing source code or license notices, can lead to lawsuits and reputational damage. Manually tracking every license, especially across all the NuGet packages a project pulls in, is tedious and error-prone. Without automation tools like ProGet to handle license blocking and vulnerability scanning, maintaining compliance becomes difficult and leaves the door open to serious risk.

To reduce these risks, everyone from managers to CEOs should familiarize themselves with common NuGet licenses like MIT, Apache, and GPL-3, and know how to identify and assess them so they stay compliant before issues arise.

In this article, we’ll walk you through the three main types of open-source license expressions you’ll see in NuGet packages and show you how to spot them, so you can easily assess and keep your projects compliant.

Three Types of NuGet License Expressions

A license expression in NuGet packages is a standardized way to declare the licensing terms under which a package is distributed. It provides structured information that lets automated tools parse and validate licenses against organizational policies, reducing the risk of unknowingly violating licensing terms.

In a NuGet package’s metadata (the .nuspec XML manifest file), the <license> element declares the licensing terms as either an SPDX expression or a bundled file; older packages use the separate <licenseUrl> element instead, which NuGet has since deprecated in favor of <license>. That gives three forms:

  • Expression – A standard SPDX identifier like MIT or Apache-2.0
  • File – A reference to a license file included with the package
  • URL – A direct link to the license text (the <licenseUrl> element)

These formats help developers and organizations understand and verify legal obligations tied to using a particular NuGet package.

Expression

An expression-type license is typically a Software Package Data Exchange (SPDX) license identifier. The identifier names a specific open-source or free software license, but it is only a name: you should investigate the license further, for example by looking it up in the SPDX License List and reviewing the full license text.

Some identifiers are simple, like “MIT” or “IJG”, while others are more complex because the package author has combined several licenses into a composite expression (SPDX joins identifiers with the operators AND and OR, optionally grouped with parentheses). Licenses are also revised over time, so identifiers carry versions, such as Apache-1.0, Apache-1.1, and Apache-2.0.

An expression-type license appears in the .nuspec file like this:

<license type="expression">MIT</license>

File

A file-type license is simply a license file shipped inside the NuGet package and referenced from its metadata, so it can be opened and read. The file is typically in .txt or .md format.

A developer would typically use a file-type license when the license is proprietary or otherwise non-standard (i.e., not on the SPDX license list).

Here’s how a file-type license appears in the .nuspec file:

<license type="file">LICENSE.txt</license>

URL

Finally, a URL-type license is a URL in the NuGet package’s metadata that points to a page containing the license text. The URL could lead to an SPDX-listed license or a proprietary one.

However, URL-based licenses are subject to change, since the license content is not embedded in the NuGet package itself. Whoever controls the URL can change what it points to at any time. For example, a developer could download a package and find that the URL leads to an Apache-1.1 license, but the URL’s owner could later point it at an Apache-2.0 license, which the developer never agreed to.

Because of this, it’s important to save a copy of the license content at the time of download, so you have a record if the linked license changes later.

This is how a URL-type license appears in the .nuspec file:

<licenseUrl>license.com/license_agreement</licenseUrl>
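As an added example (not code from this post or from ProGet), here is a small Python policy check that ties the three forms together: it reads the <license> or legacy <licenseUrl> element from a .nuspec string, evaluates an SPDX expression (AND, OR, parentheses) against an allowlist, and routes file- and URL-type licenses to manual review because their text cannot be verified from the manifest alone. The allowlist and the sample manifest are constructed for illustration; WITH exception clauses are not evaluated and fall through to review.

```python
import re
import xml.etree.ElementTree as ET

OPS = {"OR": 1, "AND": 2}  # AND binds tighter than OR, as in SPDX

def expression_allowed(expr, allowed):
    """True if the SPDX expression is satisfied by the allowlist (OR: any operand, AND: all)."""
    tokens = re.findall(r"\(|\)|[A-Za-z0-9.+-]+", expr) + [""]  # "" marks end of input
    pos = 0
    def parse(min_prec):  # precedence-climbing parser that evaluates as it goes
        nonlocal pos
        if tokens[pos] == "(":
            pos += 1
            left = parse(1)
            if tokens[pos] != ")":
                raise ValueError(f"unbalanced parentheses in {expr!r}")
            pos += 1
        elif tokens[pos] in ("", "AND", "OR", "WITH", ")"):  # WITH exceptions are not evaluated here
            raise ValueError(f"malformed SPDX expression: {expr!r}")
        else:
            left, pos = tokens[pos] in allowed, pos + 1
        while tokens[pos] in OPS and OPS[tokens[pos]] >= min_prec:
            op, pos = tokens[pos], pos + 1
            right = parse(OPS[op] + 1)
            left = (left and right) if op == "AND" else (left or right)
        return left
    result = parse(1)
    if tokens[pos] != "":
        raise ValueError(f"unexpected token in {expr!r}")
    return result

def nuspec_license(nuspec_xml):
    """(kind, value) from <license type="...">, ("url", ...) for the deprecated <licenseUrl>, else ("none", "")."""
    by_name = {e.tag.rsplit("}", 1)[-1]: e for e in ET.fromstring(nuspec_xml).iter()}  # drop xmlns; it varies by NuGet version
    for name, kind in (("license", None), ("licenseUrl", "url")):
        el = by_name.get(name)
        if el is not None and (el.text or "").strip():
            return kind or el.get("type", "unknown"), el.text.strip()
    return "none", ""

def check_package(nuspec_xml, allowed):
    """allow/deny for SPDX expressions; review for file, URL, unknown-type or malformed licenses; deny if none."""
    kind, value = nuspec_license(nuspec_xml)
    try:
        ok = kind == "expression" and expression_allowed(value, allowed)
    except ValueError:  # malformed expression: a human must look at it
        return "review"
    return "allow" if ok else ("deny" if kind in ("expression", "none") else "review")

def sample_nuspec(fragment):  # constructed manifest for demonstration, not a real package
    return f'<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd"><metadata>{fragment}</metadata></package>'
```

A "review" verdict is the signal to fetch and archive the license text at download time, as the URL section above recommends.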

Stay Vigilant: Check Licenses

Open-source licenses aren’t just fine print—they can cause real problems if ignored. The Entr’Ouvert v. Orange case is proof that even small oversights can have major consequences.

Everyone from managers to CEOs should familiarize themselves with NuGet licenses and know how to assess them to stay ahead of compliance issues. With tools like ProGet, you can take it a step further by automating license checks and ensuring compliance effortlessly.

We covered a lot here, so don’t forget to save it somewhere or bookmark it! Or even better, why not grab our eBook, “NuGet at Scale”? It dives into NuGet package license types, private NuGet servers, and so much more! Get your free copy today!
