Disclaimer: I am not a lawyer and this is not legal advice
Let’s explore which licenses the top 5 packages in npm (by stars) use, as reported by legally, a tool I made to analyze your project’s libraries.
#0 Express
As expected from such a widely used project, there are no surprises, since the people working on express did their jobs. It is still surprising that a project of this size has 42 total licenses, including indirect ones. Wild guess: it is because they split many parts, such as body-parser, into separate libraries.
legally express -lr
MIT license, ISC License, BSD3 Clause
#1 Gulp
Things are clear here since the recent patch:
legally gulp -lr
MIT License, ISC License, CC0, BSD 3 Clause, Apache 2.0, CC BY 3.0, Unlicense
#2 request
We see that not everything is smooth and there is one “license” with the text “SEE LICENSE IN COPYING.txt”:
legally request -lr
MIT license, BSD3 Clause, Apache 2.0, ISC License, AFL 2.1, BSD 4 Clause, CC0
Let’s check which of its packages contains this warning:
legally request -p
CC0 in disguise
#3 async
Async only depends on lodash:
legally async -lr
#4 lodash
Which doesn’t depend on any other package, so this one is easy; let’s show only the packages:
legally lodash -p
Sure enough, lodash’s LICENSE file contains both licenses.
This list is 0-indexed, so don’t look for library #5 (;
All of them
Let’s cut to the chase and see them all together. It will take a while though.
legally express gulp request async lodash -lr
It seems there are no broken licenses in the top-5 libraries, so we can safely use them. Are your libraries as safe as those? Check them out:
legally ANY_OR_YOUR_LIBRARY
Or just go to your project and check what licenses you are using:
cd ./MY_PROJECT
legally
If you want this or similar functionality included in npm by default, give a 👍 to my feature request in the npm repository (as a reaction, not as a comment).
Thanks. For questions or suggestions, email me or open an issue on GitHub.