Become a member
to unlock all features

Level Up!

Access all courses & lessons on egghead today and lock-in your price for life.


    Use licensee.js to Check Dependencies for Accepted Library Licenses


    In this lesson we'll use licensee.js to see how to configure accepted license types for our project. We'll also explore how to use whitelist overrides to allow specific libraries that may not match our license configuration. We'll also setup an npm script to show a more visible exit code 1 failure.



    Become a Member to view code

    You must be a Pro Member to view code

    Access all courses and lessons, track your progress, gain confidence and expertise.

    Become a Member
    and unlock code for this lesson
    orLog In




    Licensee is an easy way to check that your packages are using licenses that you're allowed to use. First, we'll install licensee globally. Next, we'll go to our project and we'll need to create a file called license.licensee.json. This will be our configuration file that tells licensee which licenses we're allowed to use.

    Now, we'll specify a configuration object, and then add a license key as well as the licenses that we support. This one includes MIT Apache 2.0BSD-2-Clause, 3-Clause, ISC, and Creative Commons. These license types are referring to the licenses that are specified in libraries package.json.

    If we go and look at a package.json of a particular library, we can see that the license clause has a specific Apache 2.0type. However, this can be whatever the library maintainer wants.

    To see the full list of license types that are accepted, you can go to the NPM JS documentation for the package.json license field. You can see that there are different structures that you can specify as well as the full list of SPDX license list types, as well as the identifiers that you should put into the licensee.json file, so that it will know how to parse the proper license type.

    To start using licensee, we need to complete our configuration. We'll go back to our licensee.json file and we'll add a whitelist that is empty. Now, when we go install a particular dependency, for example, if we install react, and then type licensee, we can see which rules are used and which ones are approved by our configuration.

    To see whether or not this licensee was a success, we can scroll down and type echo $? to see the exit code of our previous command. The exit code was 0However, if we were to modify this and only accept BSD-3-Clause licenses, and then rerun licensee, we can see that because these are MIT, they are not approved. We can do that as well and see that an exit code of 1, which would cause a CI or whatever else to fail.

    Now, there may be libraries that you want to override and ignore the license type for whatever reason. to accomplish this, we would need to specify in our whitelist the name and the version that you want to override.

    For example, we might want to override the whatwg-fetch and for Version 2.03, which we can see here. Now, if we rerun licensee, we can see that it was approved by the whitelist. Now, we might want to assign the licensee command to a package.json, so that it will work better with our CI.

    In our package.json, in a script, we can create a named script we'll call check, and we'll run licensee. Now, when I type npm run check, we will get the exit code status 1, saying that licensee has failed.