Closed honzajavorek closed 6 years ago
I've made an analysis. I took all packages listed at https://www.npmjs.com/~sindresorhus, tried to install them and to detect whether they have a license on GitHub and whether they have the license attached to the resulting npm package distribution.
I'm attaching my dirty Python script I wrote to do the analysis, as well as the results of the analysis.
check.py sindresorhus-analysis.txt sindresorhus-packages.txt
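The check described above, as an added example that is not the attached check.py: given the bytes of an npm tarball, look for a license file at the package root, matching case-insensitively because the files are often lowercased. The two sample tarballs are constructed in-memory stand-ins for a package published with and without the license listed in its files array.

```python
# Added example (not honzajavorek's check.py): inspect an npm tarball for a license file.
import io
import re
import tarfile

# npm tarballs place every file under a top-level "package/" directory.
LICENSE_NAME = re.compile(r"^package/(licen[cs]e|copying)(\.(md|txt))?$", re.IGNORECASE)


def license_files(tarball_bytes: bytes) -> list[str]:
    """Return the paths inside an npm tarball that look like license files.

    Only the package root is considered, which is where the license is expected;
    the match is case-insensitive ("license" and "LICENSE.md" both count).
    """
    found = []
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and LICENSE_NAME.match(member.name):
                found.append(member.name)
    return found


def has_license(tarball_bytes: bytes) -> bool:
    return bool(license_files(tarball_bytes))


def build_tarball(files: dict[str, bytes]) -> bytes:
    """Constructed sample: build an in-memory .tgz laid out like an npm package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name="package/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: one package whose files array omits the license file
# (so the published tarball lacks it), and one that lists it explicitly.
WITHOUT_LICENSE = build_tarball({
    "package.json": b'{"name":"example-without","version":"1.0.0","license":"MIT","files":["index.js"]}',
    "index.js": b"module.exports = () => true;\n",
})
WITH_LICENSE = build_tarball({
    "package.json": b'{"name":"example-with","version":"1.0.0","license":"MIT","files":["index.js","license"]}',
    "index.js": b"module.exports = () => true;\n",
    "license": b"MIT License\n\nCopyright (c) Example Author\n",
})

if __name__ == "__main__":
    for label, tgz in (("without", WITHOUT_LICENSE), ("with", WITH_LICENSE)):
        print(label, has_license(tgz), license_files(tgz))
```

Note that a "license" field in package.json (as in the is-path-cwd example) does not make the tarball carry the license text; only the file does.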
FYI, the package.json still specifies the license: https://github.com/sindresorhus/is-path-cwd/blob/master/package.json#L5
@sindresorhus specifies a package’s files using the files array in package.json. Nowadays, npm always includes the license file but this hasn’t always been the case: see https://github.com/npm/npm/issues/5529 for the original feature request in 2014 and https://github.com/npm/npm/issues/12564 for a bug report in 2016.
I’m guessing the packages missing the license files have been published with a version of npm that did not include this feature (or which included the aforementioned bug).
@rowno That’s not legally sufficient - you really need to attach the full license text, and the copyright notice.
@sonicdoe So that means when someone uses files and they do not specify the license there explicitly, it is excluded from the package? :scream:
I thought it can only happen with .npmignore. That’s actually terrible news.
I mean, used to exclude, as you say it shouldn’t be the case anymore. But still. That means hundreds of code in npm is effectively unlicensed.
I filed issues on projects with names beginning with is-. I don't want to be a PITA, but as many npm projects depend on these, they're transitively problematic regarding licensing and it causes problems to my projects. I'm open to help with resolving the issues as much as I can, as a contributor. Possibly, I'll be opening Pull Requests with the license being added to files and with a patch version bumped, so @sindresorhus isn't overwhelmed much by this issue.
Thanks for reporting this, @honzajavorek. I'll get them all fixed soon.
This was solved a long time ago but I forgot to comment back here.
I'm not involved in the Grunt project anymore, so I can't handle the grunt-contrib-* modules.
Basically all your packages contain a license file. It is usually lowercased and it usually contains a MIT license. However, many of your packages do not include the license in their npm distribution, although the file is present in the GitHub repository.
First, this is a problem, as effectively the npm package code is distributed unlicensed and cannot be used anywhere (where they care about licenses). It needs to be distributed with a full license text attached.
Second, I couldn't figure out how it can happen. I think not including the license file is just a mistake, not an intention, especially given some other packages of yours are correctly distributed with the license file inside. There's no .npmignore file or anything which should prevent the file from getting to the final tarball before publishing to npm, but still, it isn't there. To me, it's a mystery how it's possible the license file doesn't get packaged and uploaded to npm.
One example: https://github.com/sindresorhus/is-path-cwd