Check Your JavaScript Dependencies' License Requirements with tldrlegal
Jan 28, 2017
You've just finished working on your shiny new JavaScript project, after months of hacking away at it, living on nothing but granola bars and instant ramen noodles, and making use of hundreds of npm dependencies. The JavaScript ecosystem is great in that sense, where a package exists for almost everything you want to achieve, and reinventing the wheel is not usually necessary.
However, this comes at a price. The more dependencies you rely upon in your projects, the higher the chance one of those dependencies, or one of its dependencies, has a restrictive license that requires you to fulfill some unusual obligation.
How unusual?
Did you know that some open source software licenses require you to disclose your source code in its entirety if you use a package with such a license, such as the GPL-2.0
and AFL-3.0
licenses?
Or that there are software licenses that require you to explicitly mention the software in all of your product's advertising materials, such as the original BSD 4-Clause
license?
Some of these obligations are not easily met for commercial projects, which are usually closed source. Every organization has these, yes, even GitHub and npm do not open source all of their code.
Chances are, if your project has over 15 dependencies, at least one of their dependencies or their dependencies' dependencies is using a restrictive license with unusual obligations. If you don't check thoroughly and fulfill such obligations, you're susceptible to legal action by the package author(s), even if your project is free to use and open sourced.
Now, if you were to commercially distribute your project using a dependency with an unmet obligation, and that third party were to find out about it, well, let's hope that never happens.
You can easily prevent this from ever happening by using a new tool I released called tldrlegal
.
tldrlegal
tldrlegal is a Node.js command-line tool that checks your dependencies for license requirements using a legal resource called tldrlegal.com, which provides plain English software license interpretations.
tldrlegal
makes use of legally, a Node.js package that does an excellent job at determining your dependencies' licenses, using their package.json
file, the README.md
file, and the LICENSE
file, since package maintainers use either of those to mention their license of choice. It turns out this is not the easiest of tasks, but legally
still manages to do it with great accuracy.
tldrlegal.com lets you find pretty much any popular software license, and be able to quickly understand what you can and can't do with that license, as well as what you must do if you make use of software with such license. Without this website, tldrlegal
could not exist.
How to use tldrlegal
Simply install tldrlegal
globally via npm
and run it in your project directory. The output will contain a summary and detailed information for each package with a licensing requirement, such as credit attribution, source disclosure, etc.
npm install -g tldrlegal
cd my-js-project
tldrlegal
If any license restrictions are found, tldrlegal
will output them to the console, along with a brief description:
That's it, let me know what you think and if you have any ideas on how to improve tldrlegal
!
Disclaimer
No legal-advising tool is ever complete without a proper disclaimer.
- This tool is not a replacement for proper legal consultation.
- Please be advised that the information provided by this tool may not be 100% accurate.