jslicense / licensee.js

check dependency licenses against rules
https://www.npmjs.com/package/licensee
Apache License 2.0

Support 'LicenseRef' license name when initializing the package.json with 'npm init' command #76

Closed dd-jy closed 2 years ago

dd-jy commented 2 years ago

Why can't the 'LicenseRef' license name be used when initializing the package.json with the 'npm init' command?


If users want to add a proprietary license name in package.json, they may also want the license name to match the SPDX license expression, because it is easier to manage the license name of their package than using 'SEE LICENSE IN '.

What about changing it to accept the 'LicenseRef-' SPDX license expression?

kemitchell commented 2 years ago

Licensee is a CLI tool for auditing dependency licenses. It's not part of npm CLI.

dd-jy commented 2 years ago

@kemitchell Actually, I requested this issue in npm-rfcs(https://github.com/npm/rfcs/discussions/563). Then, can you tell me where I can post it?

ljharb commented 2 years ago

Does licensee support this kind of SPDX expression? If so, it's an npm issue, but I assumed that if it did, npm would automatically support it.

ljharb commented 2 years ago

(or is licensee not what npm uses to validate spdx expressions? It’s certainly what it’ll use for npm audit licenses)

dd-jy commented 2 years ago

@kemitchell I searched the licensee code, and licensee only allows the SPDX license list names (https://www.npmjs.com/package/spdx-osi). The SPDX license expression syntax also supports 'LicenseRef-' license expressions. So I am requesting it for licensee.
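
The gap dd-jy describes above, as an added example that is not code from licensee or npm: a small parser for SPDX license expressions that does accept LicenseRef- identifiers, together with an audit check that can be configured to reject or allow them. KNOWN_IDS is a constructed stand-in for the SPDX license list, and the grammar is a simplified reading of the SPDX spec.

```javascript
// Added example, not code from licensee or npm: a minimal SPDX license expression
// parser that accepts LicenseRef- names (SPDX spec Annex D), plus an allowlist
// check that evaluates AND/OR the way a dependency audit would. KNOWN_IDS is a
// constructed stand-in for the full SPDX license list; operators are case-sensitive here.
const KNOWN_IDS = new Set(['MIT', 'Apache-2.0', 'BSD-3-Clause', 'GPL-2.0-only']);
const TOKEN = /\(|\)|[A-Za-z0-9.:+-]+/g;  // parentheses or idstring-like runs
const LICENSE_REF = /^(DocumentRef-[A-Za-z0-9.-]+:)?LicenseRef-[A-Za-z0-9.-]+$/;

// Parse an SPDX expression into a small AST; throws on malformed input.
function parseSpdx(expr) {
  const tokens = expr.match(TOKEN) || [];
  if (tokens.join('') !== expr.replace(/\s+/g, '')) throw new Error('bad characters in: ' + expr);
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  const simple = () => {
    const tok = next();
    if (tok === '(') { const e = orExpr(); if (next() !== ')') throw new Error('missing )'); return e; }
    if (tok === undefined || /^(AND|OR|WITH|\))$/.test(tok)) throw new Error('expected license id, got ' + tok);
    if (LICENSE_REF.test(tok)) return { type: 'ref', id: tok };  // proprietary / custom license name
    const plus = tok.endsWith('+');
    const id = plus ? tok.slice(0, -1) : tok;
    if (!KNOWN_IDS.has(id)) throw new Error('unknown license id: ' + id);
    return { type: 'license', id, plus };
  };
  const withExpr = () => {
    const license = simple();
    if (peek() !== 'WITH') return license;
    next(); const exception = next();
    if (!exception || !/^[A-Za-z0-9.-]+$/.test(exception)) throw new Error('bad exception id: ' + exception);
    return { type: 'with', license, exception };
  };
  const andExpr = () => { let l = withExpr(); while (peek() === 'AND') { next(); l = { type: 'and', left: l, right: withExpr() }; } return l; };
  const orExpr = () => { let l = andExpr(); while (peek() === 'OR') { next(); l = { type: 'or', left: l, right: andExpr() }; } return l; };
  const ast = orExpr();
  if (pos !== tokens.length) throw new Error('trailing tokens in: ' + expr);
  return ast;
}

// Audit rule: every AND branch must pass and at least one OR branch must pass. policy.allow is a
// Set of license ids; policy.allowLicenseRef says whether LicenseRef- names pass at all (default: no).
function isAllowed(node, policy) {
  switch (node.type) {
    case 'license': return policy.allow.has(node.id);
    case 'ref': return Boolean(policy.allowLicenseRef);
    case 'with': return isAllowed(node.license, policy);  // conservative: the base license must be allowed
    case 'and': return isAllowed(node.left, policy) && isAllowed(node.right, policy);
    case 'or': return isAllowed(node.left, policy) || isAllowed(node.right, policy);
  }
}
```

With `allowLicenseRef` left false the check behaves like the current licensee behaviour the thread describes (LicenseRef- names fail the audit); setting it true is the change being requested.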

kemitchell commented 2 years ago

It’s certainly what it’ll use for npm audit licenses

Is that a future plan? I was not aware.

I see the CLI is currently using licensee to audit their own deps:

https://github.com/npm/cli/blob/d8d374d23d34c17e22b52afc1cfb5247cc7c3e1d/package.json#L215=

But I don't see it in the CLI codebase otherwise.

kemitchell commented 2 years ago

@dd-jy: I don't have time to help you route your question. Please direct to the npm team if you have an issue with npm.

@ljharb: The LicenseRef concept is an obscure SPDX thing, and not one that either npm CLI or licensee should entertain, in my opinion. I'm sure there are old npm CLI issues where Forrest and I discussed, from way back when.

ljharb commented 2 years ago

In that case, sorry for the noise here, that's my bad.

@dd-jy you'd need to file an npm RFC to discuss changing it, but @kemitchell's opinion carries a lot of weight here.