A forgotten part of application development: auditing external package licenses
Nowadays, using external libraries in our applications is normal. We usually do not want to reinvent the wheel, so we use existing packages to solve our problems. There is, however, a part of application development that we must not forget: checking the licenses of the installed dependencies. If we skip this we expose ourselves to legal consequences, because one of the libraries we use may be published under a so-called toxic license, one whose terms are incompatible with how we ship our product.
Why is the license audit so important?
Imagine this situation: you install a useful package into your application. You work for a large company that has built a new, innovative product, and it is about to go live. Then someone notices that the installed library is under the GNU GPL, a copyleft license that proprietary projects often call "toxic". If the product is distributed to customers (shipped as a client application, embedded in a device, sold as on-premises software), the GPL requires your employer to offer recipients the source code of the whole combined work under the GPL. Whether that obligation actually triggers depends on how the code is used and shipped (the plain GPL does not cover software that is only run as a network service, although the AGPL does), but finding out after launch, with lawyers involved, is exactly what the audit is meant to prevent.
Manual license review
One option is to manually check every installed package before going live, collect information about each license and write a summary. This work is tedious and error-prone: today's applications usually consist of hundreds of external libraries, and libraries pull in their own transitive dependencies under the hood, so the package you installed is rarely the only one whose license you have to accept. For a system with many third-party dependencies, manual review is impractical. A second requirement is that we always want to keep a record of the result, so we also have to produce appropriate output documentation.
Automatic license check
As usually happens, someone has already faced this problem, and we can use their solution. There are many tools that check licenses automatically and generate reports. In the Node.js ecosystem we have two very popular dependency managers, npm and Yarn, and each has its own way of reaching our goal: Yarn ships a built-in command, while npm relies on third-party tools.
For example, Yarn Classic (v1) has a built-in yarn licenses list command that prints every installed package together with its license (yarn licenses generate-disclaimer prints the full license texts instead). Yarn 2 and later (Berry) no longer include this command in the core CLI, so there it needs a plugin. The output looks like this:
[Screenshot: yarn licenses list command result]
npm has no built-in equivalent, so we have to pick one of the available third-party tools. Several are widely used; the one covered here is license-checker.
License audit with the license-checker package
license-checker generates very readable license reports. Install it globally with npm (npm install -g license-checker) or run it without installing via npx license-checker. Then go to your project directory and simply run: license-checker. It gives a result very similar to yarn licenses list: one entry per installed package with its license, repository and the path to the license file. Two caveats are worth knowing. First, license-checker reads the license field of each package.json; when that field is missing it guesses the license from the LICENSE or README text and marks the guess with a trailing asterisk (e.g. MIT*), and packages it cannot classify at all are reported as UNKNOWN. Both kinds of entry need a manual look. Second, by default it includes devDependencies; pass --production to restrict the report to what is actually shipped with the product.
[Screenshot: license-checker command result]
Using this package we can also generate a summary of how many dependencies fall under each license type. To get it, simply run: license-checker --summary.
[Screenshot: license-checker --summary command result]
BOM file
After generating a license report we should persist it and inform our employer about the licenses of the external packages we use. A good approach is to commit the BOM file to our version control system. BOM stands for Bill of Materials: a text file that may contain, for example, the output of the license-checker tool. (The industry term for the same idea is the software bill of materials, SBOM, for which standard formats such as SPDX and CycloneDX exist; a license-checker dump is a simpler, tool-specific record.) Generating the file is simple, we can redirect the command output straight into it: license-checker > BOM.txt. For a machine-readable record use --json or --csv together with --out, e.g. license-checker --production --json --out BOM.json.
Ideally we also write a CI (continuous integration) pipeline step that fails the build when a package under a disallowed license is found. license-checker supports this directly: license-checker --production --onlyAllow 'MIT;ISC;BSD-2-Clause;BSD-3-Clause;Apache-2.0' exits with a non-zero status if any package has a license outside that allowlist, and --failOn 'GPL-3.0;AGPL-3.0' does the reverse with a denylist. Prefer the allowlist: a denylist only catches the licenses you remembered to write down, and it lets UNKNOWN entries through silently.
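When the built-in flags are not enough (for example because you want dual-licensed "(MIT OR GPL-3.0)" packages to pass, guessed licenses to be flagged for review rather than failed, and a readable report for the BOM), a small policy script over the JSON report does the job. The following Node.js script is an added example, not code from the original post and not part of license-checker itself. The report object it evaluates is constructed inline in the shape that license-checker --production --json emits (keys of the form name@version, each with a licenses field), and the package names and the allowlist are assumptions to be replaced by your own policy.

```javascript
"use strict";

// Constructed sample (not real audit output) in the shape license-checker --json emits.
const SAMPLE_REPORT = {
  "express@4.18.2": { licenses: "MIT", repository: "https://github.com/expressjs/express" },
  "dual-lib@1.0.0": { licenses: "(MIT OR Apache-2.0)" },   // SPDX choice expression
  "guessed-lib@2.0.0": { licenses: "BSD-3-Clause*" },       // trailing '*': license-checker guessed it from LICENSE/README
  "mystery-lib@0.1.0": { licenses: "UNKNOWN" },             // could not be classified at all
  "copyleft-lib@3.1.0": { licenses: "GPL-3.0" },
};

// Assumed permissive allowlist; adjust to your organisation's policy.
const ALLOWED = new Set(["MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "0BSD", "CC0-1.0"]);

// Normalise one `licenses` value into { op, ids, guessed }.
// license-checker reports a bare SPDX id, a flat SPDX expression such as
// "(MIT OR Apache-2.0)", or an array when package.json used the old `licenses`
// array. Arrays are treated conservatively as AND (every id must be acceptable).
// Nested expressions like "(A AND (B OR C))" are out of scope for this parser.
function parseLicenses(value) {
  const raw = Array.isArray(value) ? value.join(" AND ") : String(value);
  const guessed = raw.endsWith("*");
  const expr = (guessed ? raw.slice(0, -1) : raw).replace(/[()]/g, "").trim();
  if (expr.includes(" OR ")) return { op: "OR", ids: expr.split(" OR ").map((s) => s.trim()), guessed };
  if (expr.includes(" AND ")) return { op: "AND", ids: expr.split(" AND ").map((s) => s.trim()), guessed };
  return { op: "ONE", ids: [expr], guessed };
}

// Policy decision for one package.
function isAllowed(parsed, allowed) {
  // UNKNOWN (or empty) can never pass automatically; a human must classify it.
  if (parsed.ids.some((id) => id === "UNKNOWN" || id === "")) return false;
  return parsed.op === "OR"
    ? parsed.ids.some((id) => allowed.has(id))   // we may pick any branch of an OR
    : parsed.ids.every((id) => allowed.has(id)); // AND / single id: all must be acceptable
}

// Evaluate a whole report: violations fail the build, guessed entries pass
// but are listed so someone confirms the guess against the license file.
function checkReport(report, allowed = ALLOWED) {
  const violations = [];
  const guessed = [];
  for (const [pkg, info] of Object.entries(report)) {
    const parsed = parseLicenses(info.licenses);
    if (!isAllowed(parsed, allowed)) violations.push({ pkg, licenses: String(info.licenses) });
    else if (parsed.guessed) guessed.push({ pkg, licenses: String(info.licenses) });
  }
  return { ok: violations.length === 0, violations, guessed };
}

// Human-readable lines suitable for the CI log or for appending to the BOM.
function formatResult(result) {
  const lines = [];
  for (const g of result.guessed) lines.push(`REVIEW  ${g.pkg}: ${g.licenses} (license guessed, confirm manually)`);
  for (const v of result.violations) lines.push(`FAIL    ${v.pkg}: ${v.licenses}`);
  lines.push(result.ok ? "License policy: PASS" : `License policy: FAIL (${result.violations.length} package(s))`);
  return lines;
}

// Demo run over the constructed sample.
console.log(formatResult(checkReport(SAMPLE_REPORT)).join("\n"));
// In a pipeline, read the real report and turn the verdict into an exit status:
//   const report = JSON.parse(require("fs").readFileSync("BOM.json", "utf8"));
//   process.exitCode = checkReport(report).ok ? 0 : 1;
```

The script deliberately separates "disallowed" from "guessed": failing the build on every asterisk would make the gate so noisy that people start adding exceptions, while letting guesses through unmarked defeats the purpose of the audit. Keep the allowlist in version control next to the BOM so that a change of policy is itself reviewed.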
Summary
As a developer you must not forget to audit the packages installed in your project, because skipping it may have legal consequences for your company. There are many tools to help with this. It is also good practice to actively inform your employer about third-party library licenses, for example by sharing the generated BOM file. Finally, you can automate the license audit by adding a dedicated CI pipeline step that fails the build on a disallowed or unknown license, so the check runs on every change instead of once before go-live.