Bug: Treatment of UNLICENSED when package not private #262

Open
Undistraction opened this issue Jul 27, 2022 · 3 comments

Comments


Undistraction commented Jul 27, 2022

We have a monorepo and publish private packages from it to NPM to be consumed by our applications.

The config for a package includes:

```json
{
  "name": "@example/packageName",
  "license": "UNLICENSED",
  "publishConfig": {
    "access": "restricted"
  }
}
```

Packages marked as private: true are not published to the registry, so packages publishing private packages to NPM cannot use this.

From the NPM docs:

private

If you set "private": true in your package.json, then npm will refuse to publish it.

This is a way to prevent accidental publication of private repositories. If you would like to ensure that a given package is only ever published to a specific registry (for example, an internal registry), then use the publishConfig dictionary described below to override the registry config param at publish-time.

Inside apps that consume our packages we are running license-checker. Instead of reporting our packages as UNLICENSED, it reports them as UNKNOWN. This is because if the value of the package's license field is UNKNOWN, a value of null is returned from license. There is a subsequent check for UNLICENSED, but it only happens for packages that have private: true.

It is perfectly valid to have a license of UNLICENSED for a non-private package when published and consumed in this way so this feels like a bug.

@Undistraction Undistraction changed the title Bug: Treatment of UNLICENCED Bug: Treatment of UNLICENSED when package not private Jul 27, 2022
@codepunkt
Contributor

@Undistraction May I ask why you're running license checker?


makker commented Feb 20, 2023

We have a very similar situation and problem. We have several apps that use our internal npm packages from our internal npm registry. Our packages are not set private in package.json. The packages are for internal projects only, so they are not licensed. Therefore we have "license": "UNLICENSED" in package.json.

We use license-checker to list all packages we use and their licenses, to give our users access to that information if they need it. This could be for legal or whatever purpose. ATM license-checker falls back to our readmes, which can result in a security issue if someone mistakenly puts some delicate information there. Anyway, we don't want to show our readmes in the apps on the license page. They don't make any sense in the license list context.

We would very much appreciate the support to also list license info for unlicensed not private packages.

PS. This is a great library. Thank you for making it! 🙏
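The resolution order the issue describes (UNLICENSED only honoured when private is true, otherwise null and a README fallback) and the README leak makker points out, as an added example that is not license-checker's own code; the manifests, README text and the trimmed SPDX list are constructed for illustration, and the fixed variant is one way to correct the ordering:

```javascript
// Constructed package.json manifests (not real packages).
const SAMPLE_PACKAGES = [
  { name: "@example/packageName", license: "UNLICENSED",
    publishConfig: { access: "restricted" } },          // published, not private
  { name: "@example/internal-tool", license: "UNLICENSED", private: true },
  { name: "some-lib", license: "MIT" },
  { name: "no-license-field" },
];

// Constructed README text used by the fallback path.
const SAMPLE_READMES = {
  "@example/packageName": "# packageName\nDeploy key: PLACEHOLDER_DO_NOT_SHIP\n",
};

// Stand-in for a SPDX identifier list (assumption, trimmed for the example).
const KNOWN_SPDX = new Set(["MIT", "ISC", "Apache-2.0", "BSD-3-Clause"]);

// Models the behaviour the issue describes: an unrecognised license value
// becomes null, UNLICENSED is only honoured when private is true, and a
// null result falls back to README text (the leak risk makker describes).
function resolveLicenseBuggy(pkg, readmes) {
  let license = KNOWN_SPDX.has(pkg.license) ? pkg.license : null;
  if (license === null && pkg.private === true && pkg.license === "UNLICENSED") {
    license = "UNLICENSED";
  }
  if (license !== null) return { license, source: "package.json" };
  const readme = readmes[pkg.name];
  return readme
    ? { license: "UNKNOWN", source: "readme", text: readme }
    : { license: "UNKNOWN", source: "none" };
}

// Corrected ordering: an explicit UNLICENSED is a definitive answer from the
// manifest whatever the private flag says, so no README fallback happens.
function resolveLicenseFixed(pkg, readmes) {
  if (pkg.license === "UNLICENSED") {
    return { license: "UNLICENSED", source: "package.json" };
  }
  return resolveLicenseBuggy(pkg, readmes);
}

// Runs a resolver over every manifest and returns name -> license.
function auditAll(resolver, pkgs, readmes) {
  return Object.fromEntries(pkgs.map((p) => [p.name, resolver(p, readmes).license]));
}

console.log(auditAll(resolveLicenseBuggy, SAMPLE_PACKAGES, SAMPLE_READMES));
console.log(auditAll(resolveLicenseFixed, SAMPLE_PACKAGES, SAMPLE_READMES));
```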


bornes commented Dec 6, 2023

If the project is under an MIT license (https://github.com/ngx-translate/core/blob/master/LICENSE), why isn't it in the package.json? It could make things easier for license-checker.
