libraries.io
Prefer repository license if it doesn't match package license
Before Christmas I was investigating with @tieguy the situation where a license is declared in a manifest file like package.json which is different from the license declared in LICENSE.
https://twitter.com/teabass/status/943093483228880898
This appears to happen when the package manager adds a license to the manifest file automatically and it's never fixed to match the actual license of the source code.
So in certain cases, when normalizing the license on a project, I think we should prefer the repository license if:
- the repository is present and declares a valid SPDX license string
- the package has zero or one valid SPDX license declared
- the package license does not match the repository license
Note: This is a bit of a stop-gap until we actually start inspecting the source code of published packages.
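As an added illustration of the three conditions above (example code written for this note, not libraries.io's own implementation), the following Ruby applies the rule to a package manifest license and a repository license. The SPDX identifier list is a constructed subset, the reading of "a valid SPDX license string" as "every token in the string is a known SPDX identifier" is an assumption, and the return value is a `[license, reason]` pair chosen for the example.

```ruby
# Added example (not libraries.io's own code): apply the issue's rule for
# choosing between the license declared in a package manifest and the one
# declared in the repository. KNOWN_SPDX is a constructed subset; a real
# implementation would consult the full SPDX license list.
KNOWN_SPDX = %w[MIT ISC Apache-2.0 BSD-2-Clause BSD-3-Clause GPL-2.0-only
                GPL-3.0-only LGPL-3.0-only MPL-2.0 Unlicense].freeze

# Split a license field such as "(MIT OR Apache-2.0)" into its identifiers.
def spdx_identifiers(value)
  return [] if value.nil?
  value.to_s.gsub(/[()]/, " ")
       .split(/\s+(?:OR|AND|WITH)\s+|\s*,\s*|\s+/i)
       .reject(&:empty?)
end

# Map each identifier to its canonical SPDX id (case-insensitive), dropping
# anything that is not a known SPDX identifier.
def valid_spdx(value)
  spdx_identifiers(value)
    .map { |tok| KNOWN_SPDX.find { |id| id.casecmp?(tok) } }
    .compact
end

# Returns [license_to_report, reason]. The reason symbols are for the example.
def normalize_license(package_license:, repository_license:)
  repo_tokens = spdx_identifiers(repository_license)
  repo_ids    = valid_spdx(repository_license)
  pkg_ids     = valid_spdx(package_license)

  # Condition 1: a repository license is present and every token in it is a
  # valid SPDX identifier (one reading of "a valid SPDX license string").
  unless !repo_ids.empty? && repo_ids.size == repo_tokens.size
    return [package_license, :no_repository_license]
  end

  # Condition 2: the package declares zero or one valid SPDX license; a
  # compound expression like "MIT OR Apache-2.0" is left alone.
  return [package_license, :multiple_package_licenses] if pkg_ids.size > 1

  # Condition 3: only override when the two actually disagree.
  return [package_license, :match] if pkg_ids.sort == repo_ids.sort

  [repository_license, :repository_preferred]
end

if __FILE__ == $PROGRAM_NAME
  # "ISC" is the value npm init fills in by default; the repository says MIT.
  p normalize_license(package_license: "ISC", repository_license: "MIT")
  p normalize_license(package_license: "MIT OR Apache-2.0", repository_license: "MIT")
  p normalize_license(package_license: "ISC", repository_license: "Custom proprietary")
end
```

The mismatch case (manifest says ISC, LICENSE says MIT) resolves to the repository license; a manifest with a compound SPDX expression, or a repository whose LICENSE is not a recognizable SPDX identifier, leaves the manifest value untouched, which keeps the override limited to the auto-filled-default situation the issue describes.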