GitHub Repository

Scan npm dependencies for risky licenses

2 stars · TypeScript

license checker for npm projects

by chrillemn · Mar 2, 2026 · 3 points · 0 comments

AI Analysis


License classifier for npm with CI enforcement, but tools like FOSSA and Snyk already own this.

Strengths
  • Risk-level classification catches AGPL/GPL before distribution without legal review.
  • Four-format output (table, JSON, CSV) lets you integrate with CI pipelines and reporting.
  • Zero external dependencies or cloud calls — runs entirely locally on node_modules.
Weaknesses
  • Crowded category (FOSSA, Snyk, WhiteSource) with more mature integrations and policy enforcement.
  • No transitive license inference — only reads what's in package.json, misses inherited licenses.
Target Audience

npm project maintainers, DevSecOps engineers, compliance-conscious teams

Similar To

FOSSA · Snyk Open Source · WhiteSource

Post Description

Hey everyone,

How do you handle license risk in projects with a lot of dependencies?

Do you check licenses before installing packages, or only later when it becomes a problem?

I built this tool because I wanted a quick overview of what I had actually pulled into one of my projects. It turned out one dependency was AGPL-3.0, which would have required me to open source the entire project if distributed.

That wasn’t my intention, so I replaced it with an alternative. But it made me realize how easy it is to accidentally introduce strong copyleft licenses without noticing.

Do you actively monitor dependency licenses, or is it something you only think about when legal/security gets involved?
