search

davglass / license-checker

Check NPM package licenses
Other
1.59k stars 215 forks source link

Bug: Treatment of UNLICENSED when package not private #262

Open Undistraction opened 2 years ago

Undistraction commented 2 years ago

We have a monorepo and publish private packages from it to NPM to be consumed by our applications.

The config for a package includes:

"name": "@example/packageName",
"license": "UNLICENSED",
"publishConfig": {
    "access": "restricted"
},

Packages marked as private: true are not published to the registry, so packages publishing private packages to NPM cannot use this.

From the NPM docs.

private

If you set "private": true in your package.json, then npm will refuse to publish it.

This is a way to prevent accidental publication of private repositories. If you would like to ensure that a given package is only ever published to a specific registry (for example, an internal registry), then use the publishConfig dictionary described below to override the registry config param at publish-time.

Inside apps that consume our packages we are running license-checker. Instead of reporting our packages as UNLICENSED, it reports them as UNKNOWN. This is because if the value of package's license field is UNKNOWN a value of null is returned from license. There is a subsequent check for UNLICENCED, but it only happens for packages that have private: true.

It is perfectly valid to have a license of UNLICENSED for a non-private package when published and consumed in this way so this feels like a bug.

codepunkt commented 1 year ago

@Undistraction May I ask why you're running license checker?

makker commented 1 year ago

We have very similar situation and problem. We have several apps that use our internal npm packages from our internal npm registry. Our packages are not set private in package.json. The packages are for internal projects only, so they are not licensed. Therefore we have "license": "UNLICENSED", in package.json.

We use license-checker to list all packages we use and their licenses, to give our users the access to that information if they are to need it. This could be for legal, or what ever purpose. ATM the license-checker fallbacks to our readmes which can result to a security issue if someone mistakenly puts some delicate information there. Anyway, we don't want to show our readmes in the apps in the license page. They don't make any sense in the license list context.

We would very much appreciate the support to also list license info for unlicensed not private packages.

PS. This is a great library. Thank you for making it! 🙏

bornes commented 9 months ago

If the project is under a MIT license (https://github.com/ngx-translate/core/blob/master/LICENSE), why isn't it in the package.json? It could make things easier to the license-checker