Including license in NPM packages

Question

Including license in NPM packages

paulbarmstrong opened this issue 3 months ago · comments

Paul B. Armstrong commented 3 months ago

Initial checklist

I read the support docs
I read the contributing guide
I agree to follow the code of conduct
I searched issues and couldn’t find anything (or linked relevant results below)

Problem

While scanning my dependencies I found that micromark NPM packages don't include their actual license file. I believe it would make sense for the micromark NPM packages to include the license since the MIT license requires that it be included in all copies or substantial portions of the Software.

Solution

Since there's 22 NPM packages in the repo and they would presumably all use the same license from the root repo directory, I propose adding a release script that copies the license file from the root repo directory into each of the package directories, like this from vue router. I think it would then make sense to allow git to ignore license files in the package directories (but still allow NPM to include them).

Alternatives

It could also be solved by copy-pasting the license into each of the package directories. I think that may not be preferrable due to causing duplicative content in the repo.

Remco Haszing · Answer 1 · Mon Mar 25 2024 17:40:33 GMT+0800 (China Standard Time)

I say we go for the alternative here.

It saves a build step.
The license doesn’t change anyway. Duplicating it isn’t a maintenance burden.
Different packages in a monorepo could have different licenses, i.e. with different years or copyright holders.
Other monorepos in the unified ecosystem do this as well.

Titus · Answer 2 · Mon Mar 25 2024 18:01:04 GMT+0800 (China Standard Time)

I believe it would make sense for the micromark NPM packages to include the license since the MIT license requires that it be included in all copies or substantial portions of the Software.

IANAL but AFAIK this hasn’t been fought out in a court, but first of all, everything has copyright by default. The license then gives you some rights. I’d assume that a judge will not assume the word MIT in a package.json or on the npm website will give people more lenient permissions than a whole copy of the license.

So, I’d wager, the code is MIT with or without that file existing in your node_modules folder.

I don’t really mind copying the files everywhere though. I’d also want to drop the copyright years. More projects are doing that.

Paul B. Armstrong · Answer 3 · Tue Mar 26 2024 08:46:55 GMT+0800 (China Standard Time)

Thanks. Here's a PR for dropping the year from the copyright and copying the file into all the NPM package directories: #168

github-actions · Answer 4 · Tue Mar 26 2024 18:31:17 GMT+0800 (China Standard Time)

Hi! This was closed. Team: If this was fixed, please add phase/solved. Otherwise, please add one of the no/* labels.