Depscheck - Alerts for license violations

Hello all!

I recently got the itch to learn a little more about open source licenses - how they interact, how they’re enforced, what they mean for your codebase. I was quite surprised when I found out there’s very little that automates license checking, making it super easy to install a copyleft license into your proprietary software if you aren’t paying attention.

So I decided to fix that. Presenting Depscheck - a CI tool which can alert you when you're using dependencies which are incompatible with your project's license. Features include the ability to define your license type and to explicitly ignore packages - for example, if you are paying for a proprietary package.

A small note - it turns out that there is no enforced consistency for license names. Here are some alternate spellings for Apache 2.0 I’ve found:

"apache-v2.0" => "apache-2.0",
"apache-v2-0" => "apache-2.0",
"apache-2.0"  => "apache-2.0",
"apache-v2"   => "apache-2.0",
"apache2"     => "apache-2.0",
"apache2.0"   => "apache-2.0",
# APL (typo/variation) -> Apache
"apl-2.0"     => "apache-2.0",
"apl-v2.0"    => "apache-2.0",
"apl-v2-0"    => "apache-2.0",
"apl-v2"      => "apache-2.0",
"apl2"        => "apache-2.0",
"apl2.0"      => "apache-2.0"

Depscheck tries to be smart - it’s case insensitive, normalizes the names to use dashes, and tries to deal with numbers. But I can’t predict everything, so any contributions would be greatly welcomed!

12 Likes
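As an added example (not Depscheck's own code), here is a Ruby normalizer that applies the rules the post describes - case folding, dash normalization, version-number handling and an alias table for the APL spelling - and feeds the result into a dependency check with a per-package ignore list, as the feature list above describes. The normalizer generalizes beyond the Apache spellings listed in the post (it also handles forms like "GPLv3" and "Apache License 2.0"). The compatibility policy, the alias table, the function names and the dependency list are all assumptions made for this example; in particular the "copyleft dependency in a non-copyleft project" rule is an illustration, not a statement of how Depscheck decides compatibility.

```ruby
# Added example, not part of Depscheck. Names, policy table and sample data
# are assumptions made for illustration.

# Stem aliases: spellings seen in the wild that mean another license family.
LICENSE_STEM_ALIASES = {
  "apl" => "apache", # "APL" shows up as a typo/variation of Apache
}.freeze

# Normalize a free-form license string to a canonical "stem-major.minor" form,
# e.g. "Apache-v2-0" -> "apache-2.0", "GPLv3" -> "gpl-3.0", "MIT License" -> "mit".
def normalize_license(name)
  s = name.to_s.strip.downcase
  s = s.gsub(/\b(the|license|licence)\b/, " ")  # drop filler words
  s = s.gsub(/[\s_]+/, "-")                     # spaces/underscores -> dashes
  s = s.gsub(/-{2,}/, "-").gsub(/\A-+|-+\z/, "") # collapse and trim dashes
  s = s.gsub(/-?v(?=\d)/, "-")                  # "v2" / "-v2" -> "-2"
  s = s.gsub(/([a-z])(\d)/, '\1-\2')            # "apache2" -> "apache-2"
  s = s.gsub(/(\d)-(\d)/, '\1.\2')              # "2-0" -> "2.0"
  s += ".0" if s =~ /-\d+\z/                    # "apache-2" -> "apache-2.0"
  stem, rest = s.split("-", 2)
  stem = LICENSE_STEM_ALIASES.fetch(stem, stem)
  rest ? "#{stem}-#{rest}" : stem
end

# Illustrative policy (an assumption for this example): strong-copyleft
# families that cannot be pulled into a proprietary or permissive codebase.
COPYLEFT_STEMS = %w[gpl agpl].freeze

def copyleft?(normalized_license)
  COPYLEFT_STEMS.include?(normalized_license.split("-").first)
end

# Returns [[package, normalized_license], ...] for every dependency whose
# license is incompatible with the project's license. Packages listed in
# `ignore` (e.g. ones you pay a commercial license for) are skipped.
def check_dependencies(project_license, dependencies, ignore: [])
  project = normalize_license(project_license)
  return [] if copyleft?(project) # a copyleft project can take copyleft deps

  dependencies.reject { |name, _| ignore.include?(name) }.filter_map do |name, lic|
    norm = normalize_license(lic)
    next unless copyleft?(norm)
    [name, norm]
  end
end

# Constructed sample lockfile data (package => license string as declared).
SAMPLE_DEPENDENCIES = {
  "rails"      => "MIT License",
  "nokogiri"   => "MIT",
  "some-tool"  => "GPLv3",
  "paid-sdk"   => "GPL-3.0-only", # also sold commercially, so ignored below
  "apache-lib" => "APL-v2-0",
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_DEPENDENCIES.each { |pkg, lic| puts "#{pkg}: #{lic} -> #{normalize_license(lic)}" }
  check_dependencies("proprietary", SAMPLE_DEPENDENCIES, ignore: ["paid-sdk"]).each do |pkg, lic|
    puts "VIOLATION: #{pkg} is #{lic}, incompatible with a proprietary project"
  end
end
```

Running the file prints the normalized form of each declared license and then flags only "some-tool" (GPLv3); "paid-sdk" is GPL too but is skipped via the ignore list, and "APL-v2-0" resolves to apache-2.0 through the alias table. Because every rule is a regex over the lowercased string, a new spelling such as "Apache Software License 2.0" still needs an explicit filler word or alias entry, which is exactly the contribution surface the post asks for.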