Documentation
Setup
Install license-cop
npm install license-cop --save-dev
Make a config file
npx license-cop init
Run license-cop
npx license-cop
The license-cop command will use an exit code of 0 if all your dependencies conform to the settings in your config file.
Config File
By default the --init flag will make a .licenses.json file, however you can use many different variations of file name and file type including:
- Spelling licenses as licences
- Ending licenses with rc
- Having the file be in a .config/ directory
- Using .json, .jsonc, .json5, .yaml, .yml, .js, or .cjs
- Using a licensecop key in a package.json file
Config file options
licenses
Specify all of the SPDX license codes that you’re allowing in your dependency tree. E.g.
{
"licenses": ["MIT", "ISC", "Apache-2.0"]
}
packages
Specify all of the packages you’re allowing, no matter what the license is. You can optionally lock packages by npm version ranges. E.g.
{
"packages": ["lodash", "axios@^2.0.0", "react@<16"]
}
extends
Specify another license-cop config file that this file should extend.
{
"extends": "@license-cop/permissive"
}
Values can be:
- The name of an installed npm package (optionally prefixed with npm:) that contains a license-cop config file. E.g. @license-cop/permissive or npm:@license-cop/permissive
- The name of a public GitHub repository (prefixed with github:) that contains a license-cop config file. This currently only supports config files called exactly .licenses.json. E.g. github:tobysmith568/license-cop-config
- A URL to a license-cop config file. Currently this only supports JSON-like config files. E.g. https://raw.githubusercontent.com/tobysmith568/license-cop-config/main/license-cop.json
includeDevDependencies
false by default.
Set to true to make license-cop also check your dev-dependencies.
devDependenciesOnly
false by default.
Set to true to make license-cop only check your dev-dependencies.
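As an added illustration (not license-cop's own source), the following script models how the licenses and packages allowlists above combine to decide which installed packages fail. The version-range matcher is a deliberately minimal stand-in for npm's semver syntax, and the dependency list is constructed sample data.

```javascript
// Added illustration, not license-cop's own source: how the "licenses" and
// "packages" allowlists in a config decide which installed packages fail.
// Ranges here are a minimal subset of npm semver (exact, "^x.y.z", "<N");
// the real tool accepts npm's full range syntax.
const config = {
  licenses: ["MIT", "ISC", "Apache-2.0"],
  packages: ["lodash", "axios@^2.0.0", "react@<16"],
};
// Constructed sample dependency tree (name, resolved version, SPDX license).
const installed = [
  { name: "lodash", version: "4.17.21", license: "GPL-3.0" }, // allowed by name
  { name: "axios", version: "2.3.0", license: "UNLICENSED" }, // inside ^2.0.0
  { name: "axios", version: "3.0.0", license: "UNLICENSED" }, // outside ^2.0.0
  { name: "react", version: "15.6.0", license: "BSD-3-Clause" }, // inside <16
  { name: "react", version: "18.2.0", license: "BSD-3-Clause" }, // outside <16
  { name: "express", version: "4.18.2", license: "MIT" }, // license allowed
];

const parseVersion = (v) => v.split(".").map((n) => parseInt(n, 10) || 0);

function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith("^")) { // same major, at least the given minor.patch
    const r = parseVersion(range.slice(1));
    return v[0] === r[0] && (v[1] > r[1] || (v[1] === r[1] && v[2] >= r[2]));
  }
  if (range.startsWith("<")) { // strictly below, over the parts the range gives
    const r = parseVersion(range.slice(1));
    for (let i = 0; i < r.length; i++) {
      if (v[i] !== r[i]) return v[i] < r[i];
    }
    return false;
  }
  return version === range; // exact pin
}

function packageAllowed(dep, allowlist) {
  return allowlist.some((entry) => {
    // lastIndexOf so a scoped "@scope/pkg@^1.0.0" splits at the range, not the scope
    const at = entry.lastIndexOf("@");
    const name = at > 0 ? entry.slice(0, at) : entry;
    const range = at > 0 ? entry.slice(at + 1) : null;
    return name === dep.name && (range === null || satisfies(dep.version, range));
  });
}

// A dependency fails only if neither its license nor its name/version is allowed.
function findViolations(deps, cfg) {
  return deps.filter((d) => !cfg.licenses.includes(d.license) && !packageAllowed(d, cfg.packages));
}
```

Run with node: findViolations(installed, config) returns the two out-of-range entries (axios@3.0.0 and react@18.2.0), which is the situation in which the real CLI would exit non-zero.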
CI/CD Example (GitHub Actions)
Running license-cop as a part of your CI process is a great way to catch issues before they land in your main branch.
Below is an example of how you can run license-cop in its own GitHub Actions job for all PRs targeting main:
name: Check Licenses
on:
  pull_request:
    branches:
      - main
jobs:
  licenses:
    name: Check Licenses
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Setup Node.js
        uses: actions/setup-node@v3
        with:
          cache: npm
      - name: Install dependencies
        run: npm ci
      - name: Run License-Cop
        run: npx license-cop
The Action above will fail if any of your node_modules have a license that isn’t listed in your license-cop config file.