license-checker
'direct' option is not working as expected
I'm noticing the same thing.
In my case license-checker --direct is listing packages which are not included in my package.json dependencies. I guess the issue is related to how newer versions of npm structure the node_modules folder.
Would be nice to get this working!
Hi! I am experiencing similar issues. I stepped through it, apparently this is an issue with read-installed. The depth option is simply being ignored.
https://github.com/npm/read-installed/issues/47
Hi! Same issue, --direct doesn't work as expected!
bump. same for me, --direct displays the same output as without this flag
having the same issue here
Any update on this? Has anyone been able to get it working?
I got it working by downgrading to npm 2, which uses a different folder structure for node_modules as @aeirola said.
```
npm i -g npm@2
# remove node_modules
rm -rf node_modules
npm i
license-checker --direct
```
Having the same issue .. any update?
Hi all, same for me. Any changes? Thanks.
Same here
As I mentioned above, the issue is https://github.com/npm/read-installed. It relies on the old, layered node_modules format and does not work with the present flat node_modules, so it regards all packages inside node_modules as direct dependencies. We would have to rewrite this program to not use read-installed anymore.
I hacked together an ugly workaround for anyone who's interested. You'd need to adjust it to your needs, but this is the gist of it:
```js
const checker = require('license-checker');
const packageJson = require('./package.json');

// Either section may be absent from package.json, so default to empty objects.
const dependencies = packageJson.dependencies || {};
const devDependencies = packageJson.devDependencies || {};

checker.init({
  start: '.',
}, function (err, packages) {
  const output = {
    dependencies: {},
    devDependencies: {},
  };
  if (err) {
    console.error(err);
  } else {
    Object.keys(packages).forEach((pkg) => {
      // Keys look like "name@version"; strip the trailing "@version"
      // (scoped names such as "@scope/name" keep their leading "@").
      const pkgName = pkg.replace(/@[^@]+$/, '');
      if (dependencies[pkgName]) {
        output.dependencies[pkgName] = packages[pkg];
      }
      if (devDependencies[pkgName]) {
        output.devDependencies[pkgName] = packages[pkg];
      }
    });
    console.log(JSON.stringify(output, null, 2));
  }
});
```
It just loads your package.json and filters the packages based on ones listed there.
Have the same issue that direct is not working.
@tasn Did something similar like you, but the downside of this solution is that this hack does not detect sub dependencies which are also defined in the package.json as main version.
Example: In the package.json the package foo is in version 1.2.3, but the package bar has foo as a sub dependency in version 1.5.8. The output with this hack would be foo twice, in version 1.2.3 and 1.5.8
Not with my solution... I use a hash based on the package name so it will only include one of them. Try the code above...
Oh yes, that's right, but you still don't know which is the right version to include (main dependency or sub dependency).
That's correct, though it doesn't matter in my use-case, as I only use it for attribution and don't even use the version number.
Any update on this?
webpack-license-plugin seems like an interesting alternative. It is a webpack plugin which seems to result in it doing tree shaking, only including licenses for what you would distribute.
I'm a legal noob but maybe we only need to include licenses of what we distribute?
npm-license-crawler with the --onlyDirectDependencies flag seems to work
npm-license-crawler is working fine in order to get direct dependencies but here the issue is, we don't have an option like "--failOn", which is available in license-checker. It is typically useful in the pipeline where you want to fail the job/build where specific licenses are available in the given source. Do we have any alternative in npm-license-crawler? Thanks in advance.
same here, bump
I invite all of you to go and try my fork of license-checker in its latest version 3.0.1 that hopefully finally fixed this issue.
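An added example, not code from any poster in this thread or from license-checker itself: it extends the package.json filter posted above so that each direct dependency is matched by the exact version installed at the top level of node_modules (the foo 1.2.3 vs 1.5.8 case), and adds a deny-list check over direct dependencies only, as asked about for pipelines. `directLicenses`, `deniedDirect`, `installedVersion` and the `resolve` hook are hypothetical names; it assumes license-checker output keyed as `name@version` and that npm installs a project's direct dependencies at `node_modules/<name>`.

```javascript
const fs = require('fs');
const path = require('path');

// Version of the copy the root project resolves: <root>/node_modules/<name>.
function installedVersion(root, name) {
  const file = path.join(root, 'node_modules', name, 'package.json');
  return JSON.parse(fs.readFileSync(file, 'utf8')).version;
}

// packages: license-checker result keyed "name@version" (assumed shape).
// resolve(name): hypothetical hook, e.g. (n) => installedVersion('.', n).
function directLicenses(packages, rootPkg, resolve) {
  const out = { dependencies: {}, devDependencies: {}, missing: [] };
  for (const group of ['dependencies', 'devDependencies']) {
    for (const name of Object.keys(rootPkg[group] || {})) {
      let version;
      try { version = resolve(name); } catch (e) { version = undefined; }
      const key = `${name}@${version}`;
      if (version && packages[key]) out[group][key] = packages[key];
      else out.missing.push(name); // declared but not installed or not scanned
    }
  }
  return out;
}

// Keys of direct packages whose license (string or array) is on the deny list.
function deniedDirect(direct, denied) {
  const all = { ...direct.dependencies, ...direct.devDependencies };
  return Object.keys(all).filter(
    (k) => [].concat(all[k].licenses).some((l) => denied.includes(l))
  );
}

// Constructed sample: foo is direct at 1.2.3, bar pulls in foo 1.5.8.
const samplePackages = {
  'foo@1.2.3': { licenses: 'MIT' },
  'foo@1.5.8': { licenses: 'GPL-3.0' },
  'bar@2.0.0': { licenses: ['Apache-2.0', 'MIT'] },
  '@scope/tool@0.4.0': { licenses: 'GPL-3.0' },
};
const sampleRoot = {
  dependencies: { foo: '^1.2.0', bar: '^2.0.0' },
  devDependencies: { '@scope/tool': '^0.4.0', ghost: '^1.0.0' },
};
const sampleTop = { foo: '1.2.3', bar: '2.0.0', '@scope/tool': '0.4.0' };
const sampleResolve = (name) => sampleTop[name];
const direct = directLicenses(samplePackages, sampleRoot, sampleResolve);
console.log(JSON.stringify(direct, null, 2), deniedDirect(direct, ['GPL-3.0']));
```

In a build script, exit non-zero when `deniedDirect(...)` returns a non-empty list or when `missing` is non-empty, so an unscanned direct dependency cannot pass silently.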