Closed peteruithoven closed 7 years ago
Interesting, it works when I test it:
```
license-checker
├─ pouchdb-collections@6.3.4
│  ├─ licenses: Apache-2.0
│  ├─ repository: https://github.com/pouchdb/pouchdb
│  ├─ publisher: Dale Harvey
│  ├─ email: dale@arandomurl.com
│  └─ licenseFile: /Users/davglass/src/tmp/node_modules/pouchdb-collections/LICENSE
└─ uid-number@0.0.6
   ├─ licenses: ISC
   ├─ repository: https://github.com/isaacs/uid-number
   ├─ publisher: Isaac Z. Schlueter
   ├─ email: i@izs.me
   ├─ url: http://blog.izs.me/
   └─ licenseFile: /Users/davglass/src/tmp/node_modules/uid-number/LICENSE
```
Apologies, I was looking wrong in regards to uid-number, it was uglifyjs that was giving issues. (update: a package I was apparently no longer using, so this isn't an issue for me personally) (update 2: NPM can't find that license (or even repo) either)
In regards to pouchdb-collections I don't understand where you found v6.3.4, I've got v1.0.1.
`pouchdb-collections` latest is 6.3.4: http://registry.npmjs.com/pouchdb-collections/latest works since it's using a valid SPDX syntax in the package.json `Apache-2.0`
`pouchdb-collections` 1.0.1: http://registry.npmjs.com/pouchdb-collections/1.0.1 is using plain text which isn't being parsed `Apache 2`
`license-checker` moved to supporting SPDX from the package.json when npm did. We only fall back to parsing license files when no valid SPDX declaration is found.
Does that help explain it better?
I'm not sure what you mean with plain text? `Apache 2` is not valid SPDX syntax? So it doesn't check the license file?
But this is all interesting, shouldn't this be documented in the Readme? That it first checks the package.json, for a `license` field. If that's valid SPDX syntax it checks the LICENSE file? Otherwise, it reports unknown?
How / in what cases does it fall back to checking the README, LICENSE, COPYING, ... etc?
I'll take your feedback about adding more docs to the README, it's a complicated subject to cover :)
As for the `pouchdb-collections` module, version 1.0.1 only contains 3 files: `README.md`, `package.json` and `index.js`. There is no LICENSE file for it to parse and the README doesn't contain a license string either. The only thing available is the `package.json`, which contains an invalid SPDX identifier. I don't control the SPDX identifiers, it's a licensing standard that came out probably after this version of the module was written, which is why the newer versions have the valid syntax in the field. I use this library to determine if the SPDX syntax is correct: https://www.npmjs.com/package/spdx
Initially I did try to "parse" the data from the `license` field in the package.json but that was much harder than you would think, there are way too many licenses out there. So when npm chose to use SPDX, I did the same thing. Only if that syntax check fails do I fall back to parsing the 'LICENSE', 'LICENCE', 'COPYING', & 'README' files and then try to determine the license type based on the text of those files.
I have added this to the README: https://github.com/davglass/license-checker#how-licenses-are-found
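The lookup order described in the comment above, as an added example that is not license-checker's own code: the SPDX check is a reduced stand-in for the `spdx` package, and the identifier list, text patterns, `findLicense` name and sample package contents are assumptions constructed for illustration.

```javascript
// Added illustration, not license-checker's source. The id list and text patterns are a
// small constructed subset standing in for the `spdx` package and the real text matching.
const SPDX_IDS = new Set(['Apache-2.0', 'ISC', 'MIT', 'BSD-3-Clause', 'GPL-3.0']);
const FALLBACK_FILES = ['LICENSE', 'LICENCE', 'COPYING', 'README']; // order from the thread
const TEXT_PATTERNS = [
  [/Apache License,?\s+Version 2\.0/i, 'Apache-2.0'],
  [/\bISC License\b/i, 'ISC'],
  [/\bMIT License\b|Permission is hereby granted, free of charge/i, 'MIT'],
];

// Accepts a single identifier or identifiers joined by AND/OR, optionally parenthesised.
function isValidSpdx(expr) {
  if (typeof expr !== 'string' || !expr.trim()) return false;
  const tokens = expr.match(/\(|\)|[^\s()]+/g);
  let depth = 0, expectId = true;
  for (const t of tokens) {
    if (t === '(') { if (!expectId) return false; depth++; }
    else if (t === ')') { if (expectId || --depth < 0) return false; }
    else if (t === 'AND' || t === 'OR') { if (expectId) return false; expectId = true; }
    else { if (!expectId || !SPDX_IDS.has(t)) return false; expectId = false; }
  }
  return depth === 0 && !expectId;
}

// files: map of file name -> contents, as found in the installed package directory.
function findLicense(pkg, files) {
  // Step 1: trust package.json only when the license field is valid SPDX.
  if (isValidSpdx(pkg.license)) return { licenses: pkg.license, source: 'package.json' };
  // Step 2: otherwise scan the fallback files in order and guess from their text.
  for (const base of FALLBACK_FILES) {
    const name = Object.keys(files).find((f) => f.toUpperCase().split('.')[0] === base);
    if (!name) continue;
    const hit = TEXT_PATTERNS.find(([re]) => re.test(files[name]));
    if (hit) return { licenses: hit[1], source: name };
  }
  // Step 3: nothing usable anywhere.
  return { licenses: 'UNKNOWN', source: null };
}

// Constructed inputs modelled on the two versions discussed in the thread.
const v1 = findLicense({ name: 'pouchdb-collections', version: '1.0.1', license: 'Apache 2' },
  { 'README.md': '# pouchdb-collections\nES6 shims.', 'package.json': '{}', 'index.js': '' });
const v6 = findLicense({ name: 'pouchdb-collections', version: '6.3.4', license: 'Apache-2.0' },
  { LICENSE: 'Apache License, Version 2.0' });
console.log(v1, v6);
```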
Thanks, that's very clear. I've created a pull request with some text corrections. Afterwards I'll also try to do a proposal for when it falls back to reporting unknown.
For some reason license-checker can't figure out the license for uid-number (package.json v0.0.6) and pouchdb-collections (package.json v1.0.1). Even though in both cases they do have a seemingly valid `license` field in their package.json.
I've checked with `DEBUG=license-checker*` and I don't see an error. I'm using license-checker `13.0.2`, I've checked the package.json's of the versions I'm using (checking package-lock.json).
Could a little bit of documentation be added on how license-checker determines the license?