Copyleft Licenses
License Checking
I’ve been through a couple of due diligence processes now (sales, funding rounds), and one question that always gets asked is whether we have any dependencies with a copyleft (viral) license in our codebases. This covers the full dependency tree of every dependency, so it can be a bit of a scramble working this out (and fixing it) across many repos in a short space of time. Having been bitten by this a couple of times, I’ve now learnt that it’s good practice to get a basic license checker wired into CI for each repo nice and early, which stops it becoming a problem in the first place because the release fails as soon as a viral license shows up. In short, add it to your service template and never think about it again (hopefully). In this post I’ll set out how you can do this for a JavaScript codebase in under 2 minutes, and give a list of licenses to consider screening.
Which licenses should I exclude?
Obviously if you have access to a lawyer you should ask them, but here’s a set of licenses that you could use as a starting point. It is not exhaustive and isn’t intended to be. As a rule of thumb, it’s the code you ship that counts, so dev dependencies can be excluded from the check. We also need to cover all versions of each of these licenses:
- The GNU General Public License (GPL)
- The Affero GPL (AGPL)
- The Lesser General Public License (LGPL)
- The Eclipse Public License (EPL)
- The Mozilla Public License (MPL)
Setting up license checking
OK, we have our list of licenses, let’s get automating. We do this using a tool called license-checker. Add the license-checker package to your dev dependencies, then create a shell script in your repo with the following contents:
#!/bin/sh
# Exit non-zero if any production dependency (including transitive ones) carries a listed license. AGPL-3.0-or-later is included so that every AGPL variant is covered.
license-checker --failOn 'AGPL-1.0-only;AGPL-1.0-or-later;AGPL-3.0-only;AGPL-3.0-or-later;EPL-1.0;EPL-2.0;GPL-1.0-only;GPL-1.0-or-later;GPL-2.0-only;GPL-2.0-or-later;GPL-3.0-only;GPL-3.0-or-later;LGPL-2.0-only;LGPL-2.0-or-later;LGPL-2.1-only;LGPL-2.1-or-later;LGPL-3.0-only;LGPL-3.0-or-later;MPL-1.0;MPL-1.1;MPL-2.0;MPL-2.0-no-copyleft-exception' --production
Call this shell script from your package.json and make sure this step is called from your CI. Done!
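The --failOn list above only trips on an exact license string, so a package reported as UNKNOWN, one whose license was guessed from its README (license-checker marks these with a trailing "*"), or a dual-licensed one such as "(MIT OR AGPL-3.0-only)" slips through. The following script is an added example (not part of this post or of license-checker itself) that goes a step further: it screens a license-checker JSON report by copyleft family prefix rather than by exact identifier, fails when every option is copyleft, and flags the ambiguous cases for manual review. The report object, package names and the screenJson/screenReport helper names are constructed for the example.

```javascript
// Constructed sample in the shape of `license-checker --json --production` output:
// keys are "name@version"; `licenses` is an SPDX string (or array) and a trailing
// "*" means license-checker guessed the license from README/LICENSE text.
const SAMPLE_REPORT = {
  "left-pad@1.3.0":    { licenses: "MIT" },
  "viral-lib@2.0.0":   { licenses: "GPL-3.0-or-later" },
  "dual-lib@0.9.1":    { licenses: "(MIT OR AGPL-3.0-only)" },
  "guessed-lib@4.2.0": { licenses: "LGPL-2.1*" },
  "mystery-lib@0.0.1": { licenses: "UNKNOWN" },
};

// Copyleft families from the post, matched by SPDX identifier prefix so every
// version and every -only/-or-later variant is covered without listing each one.
const COPYLEFT_FAMILIES = ["AGPL-", "GPL-", "LGPL-", "EPL-", "MPL-"];

// Split an SPDX expression such as "(MIT OR AGPL-3.0-only)" into its identifiers.
function spdxIdentifiers(expr) {
  return expr
    .replace(/[()]/g, "")
    .split(/\s+(?:OR|AND|WITH)\s+/i)
    .map((id) => id.trim().replace(/\*$/, "")) // drop the "guessed" marker
    .filter(Boolean);
}

function isCopyleft(id) {
  const upper = id.toUpperCase();
  return COPYLEFT_FAMILIES.some((family) => upper.startsWith(family));
}

// Returns { fail, review }:
//   fail   - every identifier in the expression is copyleft (no permissive choice)
//   review - a copyleft identifier is one alternative, or the license is UNKNOWN;
//            a human has to confirm which option the project actually uses
function screenReport(report) {
  const fail = [], review = [];
  for (const [pkg, info] of Object.entries(report)) {
    const raw = Array.isArray(info.licenses) ? info.licenses.join(" OR ") : String(info.licenses || "UNKNOWN");
    const ids = spdxIdentifiers(raw);
    if (ids.length === 0 || ids.includes("UNKNOWN")) { review.push(pkg); continue; }
    const flagged = ids.filter(isCopyleft);
    if (flagged.length === ids.length) fail.push(pkg);
    else if (flagged.length > 0) review.push(pkg);
  }
  return { fail, review };
}

// Convenience wrapper for piping the real report in: screenJson(stdinText).
function screenJson(jsonText) {
  return screenReport(JSON.parse(jsonText));
}

console.log(screenReport(SAMPLE_REPORT)); // fail: viral-lib, guessed-lib; review: dual-lib, mystery-lib
```

In CI, feed the output of `license-checker --json --production` to screenJson and exit non-zero when `fail` is non-empty; the `review` list is a to-do for whoever owns the repo, not a release blocker.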