license-checker
Be able to specify unknown license
Sometimes one License is UNKNOWN and it would be nice to be able to specify the license if the license-checker doesn't find it.
Example:
├─ [email protected]
│ ├─ licenses: UNKNOWN
│ ├─ repository: https://github.com/devongovett/png.js
│ ├─ publisher: Devon Govett
│ ├─ email: [email protected]
│ ├─ url: http://badassjs.com/
│ ├─ path: /png-js
│ └─ licenseFile: /node_modules/png-js/README.md
When you go to the repo, there is a LICENSE file (no *.txt) and also GitHub recognizes it as being MIT.
It would be nice if I could just say something like: --include '[email protected];MIT'
or provide a path to a config file: --unknownLicenses 'licenses.yml'
to specify unknown licenses that would be taken into consideration for the output when a license is not found.
This is one of those weird packages.. The tarball for 0.1.1 does not contain the LICENSE file:
$ npm install png-js
$ ls node_modules/png-js/
README.md images index.html package.json png-node.coffee png-node.js png.coffee png.js zlib.js
$ cat node_modules/png-js/package.json | grep version
"version": "0.1.1"
It looks like the LICENSE file was added to the repo after the 0.1.1 package was released. In this case license-checker is doing exactly what it was supposed to do. If the LICENSE file was in the published package then license-checker would detect it properly and it would be good. However since it was published and distributed without a license, it's technically unlicensed code.
@davglass thank you for clarifying. I understand that this is a weird package, but still, it would be nice to be able to manually specify missing licenses when they are not found. It would bring a huge plus especially since other similar libraries are already offering this possibility.
I'm not really a fan of overriding the license that was detected. That's a pretty dangerous thing to do. In this case it's a valid issue. The version of that package is not licensed MIT, it's unlicensed as it was distributed without a license. Just allowing an arg to say "ignore the license that it sees, and make it something else" defeats the purpose of this module. It can lead to all kinds of false issues.
@davglass yes indeed, in this case, but when the license exists but it is not detected because it was not added in the right place, that is a case when you would want to override it.
I second that, I need to whitelist allowed licenses and fail the build if other licenses are used. Having a local file where we can specify the license makes it possible to include it, without that I would need to allow unknown and unlicensed modules, which in my opinion is worse than the ability to override it.
At least the override file will be version controlled and reviewed every time it is modified.
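The policy argued over in this thread, as an added example that is not part of license-checker or any commenter's code: a reviewed override file fills in a license only where the detected value is UNKNOWN, is pinned to an exact name@version, and never relabels a license that was detected. The report shape (an object keyed by name@version with a `licenses` field) is assumed from license-checker's JSON output; the override entries, the allowlist and the two `-example` packages are constructed.

```javascript
'use strict';
// Constructed sample in the assumed shape of license-checker JSON output.
const report = {
  'png-js@0.1.1': { licenses: 'UNKNOWN', repository: 'https://github.com/devongovett/png.js' },
  'left-example@1.0.0': { licenses: 'MIT' },
  'gpl-example@2.3.0': { licenses: 'GPL-3.0' },
};
// Hypothetical version-controlled override file, already parsed. Keys are exact name@version.
const overrides = {
  'png-js@0.1.1': { license: 'MIT', reason: 'LICENSE file exists in the upstream repo' },
  'gpl-example@2.3.0': { license: 'MIT', reason: 'tries to relabel a detected license' },
  'gone-example@0.0.1': { license: 'ISC', reason: 'stale entry, package no longer installed' },
};
const allowed = new Set(['MIT', 'ISC', 'Apache-2.0']); // constructed allowlist

function evaluate(report, overrides, allowed) {
  const result = { accepted: {}, violations: [], rejectedOverrides: [] };
  for (const [pkg, info] of Object.entries(report)) {
    // licenses may be a string or an array; a missing field counts as UNKNOWN.
    const detected = [].concat(info.licenses || 'UNKNOWN');
    let effective = detected;
    let source = 'detected';
    const entry = overrides[pkg];
    if (entry) {
      if (detected.length === 1 && detected[0] === 'UNKNOWN') {
        effective = [entry.license];
        source = 'override';
      } else {
        // An override never replaces a license that was actually detected.
        result.rejectedOverrides.push(`${pkg}: detected ${detected.join(', ')}, override ignored`);
      }
    }
    // Every listed license must be on the allowlist (conservative for multi-license packages).
    const bad = effective.filter((l) => !allowed.has(l));
    if (bad.length) result.violations.push(`${pkg}: ${bad.join(', ')}`);
    else result.accepted[pkg] = { licenses: effective, source };
  }
  // Overrides that match nothing are reported so they get cleaned up on version bumps.
  for (const pkg of Object.keys(overrides)) {
    if (!(pkg in report)) result.rejectedOverrides.push(`${pkg}: not in dependency tree`);
  }
  return result;
}

// Exit status a CI wrapper would pass to process.exit(): non-zero on any finding.
function exitCode(result) {
  return result.violations.length || result.rejectedOverrides.length ? 1 : 0;
}

console.log(JSON.stringify(evaluate(report, overrides, allowed), null, 2));
```

Because the key includes the version, an override written for 0.1.1 stops applying when the dependency is upgraded, which forces the license to be checked again.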
@CatalinaMoisuc Had a similar issue. Maybe it is still of interest, here you go: https://github.com/mgreg89/license-checker