
    validate-npm-package-license

    3.0.4 • Public • Published

    validate-npm-package-license

    Give me a string and I'll tell you if it's a valid npm package license string.

    var valid = require('validate-npm-package-license');

    SPDX license identifiers are valid license strings:

     
    var assert = require('assert');
    // Result object these examples expect for a license string that is a plain
    // SPDX expression: accepted for both old and new packages, flagged as SPDX.
    var validSPDXExpression = {
      spdx: true,
      validForOldPackages: true,
      validForNewPackages: true
    };

    // Each of these SPDX identifiers yields the same result object.
    ['MIT', 'BSD-2-Clause', 'Apache-2.0', 'ISC'].forEach(function (identifier) {
      assert.deepEqual(valid(identifier), validSPDXExpression);
    });

    The function will return a warning and suggestion for nearly-correct license identifiers:

    // 'Apache 2.0' (space instead of hyphen) is rejected for old and new
    // packages alike. The second warning only names a similar valid
    // expression; the result shown here does not rewrite the input, so a
    // license gate should act on the validFor* flags and leave the suggestion
    // for a human to confirm.
    var nearMissResult = valid('Apache 2.0');
    var expectedNearMiss = {
      validForOldPackages: false,
      validForNewPackages: false,
      warnings: [
        'license should be ' +
        'a valid SPDX license expression (without "LicenseRef"), ' +
        '"UNLICENSED", or ' +
        '"SEE LICENSE IN <filename>"',
        'license is similar to the valid expression "Apache-2.0"'
      ]
    };
    assert.deepEqual(nearMissResult, expectedNearMiss);

    SPDX expressions are valid, too ...

    // Dual licensing written as one SPDX expression produces the same result
    // object as a single SPDX identifier.
    var dualLicenseResult = valid('(GPL-3.0-only OR BSD-2-Clause)');
    assert.deepEqual(dualLicenseResult, validSPDXExpression);

    ... except if they contain LicenseRef:

    // Expected result for any expression that contains a LicenseRef.
    // Note that `spdx` stays true while both validFor* flags are false, so
    // code deciding whether to accept a license must check the validFor*
    // flags; testing `spdx` alone would let LicenseRef expressions through.
    var warningAboutLicenseRef = {
      spdx: true,
      validForOldPackages: false,
      validForNewPackages: false,
      warnings: [
        'license should be ' +
        'a valid SPDX license expression (without "LicenseRef"), ' +
        '"UNLICENSED", or ' +
        '"SEE LICENSE IN <filename>"'
      ]
    };

    // A bare LicenseRef and a LicenseRef inside an OR expression are both
    // rejected with the same result.
    [
      'LicenseRef-Made-Up',
      '(MIT OR LicenseRef-Made-Up)'
    ].forEach(function (expression) {
      assert.deepEqual(valid(expression), warningAboutLicenseRef);
    });

    If you can't describe your licensing terms with standardized SPDX identifiers, put the terms in a file in the package and point users there:

    // "SEE LICENSE IN <filename>" strings are accepted, and the filename is
    // returned in `inFile`.
    // NOTE(review): these examples only show the name being echoed back from
    // the string; nothing here shows a check that the file exists in the
    // package, so a license audit should open the referenced file itself.
    var fileReferences = [
      ['SEE LICENSE IN LICENSE.txt', 'LICENSE.txt'],
      ['SEE LICENSE IN license.md', 'license.md']
    ];

    fileReferences.forEach(function (pair) {
      var licenseString = pair[0];
      var expectedFile = pair[1];
      assert.deepEqual(valid(licenseString), {
        validForNewPackages: true,
        validForOldPackages: true,
        inFile: expectedFile
      });
    });

    If there aren't any licensing terms, use UNLICENSED:

    // Expected result for a package that declares no licensing terms. The
    // object carries `unlicensed: true` and no `spdx` flag: UNLICENSED is an
    // npm convention, not an SPDX expression, and is distinct from the SPDX
    // identifier "Unlicense". Compliance tooling should treat the two
    // differently.
    var unlicensed = {
      unlicensed: true,
      validForOldPackages: true,
      validForNewPackages: true
    };

    // Both the "UNLICENSED" and "UNLICENCED" spellings are accepted.
    ['UNLICENSED', 'UNLICENCED'].forEach(function (spelling) {
      assert.deepEqual(valid(spelling), unlicensed);
    });

    Install

    npm i validate-npm-package-license

    Weekly Downloads

    13,839,308

    Version

    3.0.4

    License

    Apache-2.0

    Unpacked Size

    16.6 kB

    Total Files

    4
