noUntrustedLicenses

biome.json
{
  "linter": {
    "rules": {
      "nursery": {
        "noUntrustedLicenses": "error"
      }
    }
  }
}

Disallow dependencies with untrusted licenses.

When you install a dependency, it comes with a license that defines how you can use it. Some licenses may not be compatible with your project’s requirements. For example, a proprietary project may not be allowed to use copyleft-licensed dependencies, or your organization may require all dependencies to use OSI-approved licenses.

This rule reads the license field from each dependency’s package.json inside node_modules and checks every identifier in it against the SPDX license list. Compound expressions such as MIT OR Apache-2.0 are supported.

By default, the rule flags dependencies that:

  • Have no license field.
  • Have a license that is not a valid SPDX identifier.
  • Have a license deprecated in the SPDX standard.

A dependency whose package.json has "license": "my-custom-license" is flagged because the identifier is not part of the SPDX standard:

{
  "dependencies": {
    "untrusted-pkg": "^1.0.0"
  }
}

A dependency whose package.json has no license field at all is also flagged:

{
  "devDependencies": {
    "no-license-pkg": "^1.0.0"
  }
}

A dependency whose package.json has "license": "MIT" passes because MIT is a valid, non-deprecated SPDX identifier:

{
  "dependencies": {
    "trusted-pkg": "^1.0.0"
  }
}

Options

allow

A list of extra license identifiers to accept, even if they are not part of the SPDX standard. This is useful for custom or proprietary licenses used inside your organization.

Default: []

biome.json
{
  "linter": {
    "rules": {
      "nursery": {
        "noUntrustedLicenses": {
          "options": {
            "allow": [
              "LicenseRef-Company",
              "my-org-license"
            ]
          }
        }
      }
    }
  }
}

deny

A list of license identifiers to explicitly reject, even if they are valid SPDX identifiers. This lets you block specific licenses that your project cannot use, for example copyleft licenses in a proprietary codebase.

Deny always takes precedence over allow and SPDX validity.

Default: []

biome.json
{
  "linter": {
    "rules": {
      "nursery": {
        "noUntrustedLicenses": {
          "options": {
            "deny": [
              "GPL-3.0-only",
              "AGPL-3.0-only"
            ]
          }
        }
      }
    }
  }
}

requireOsiApproved

When enabled, only licenses that have been approved by the Open Source Initiative are accepted. Licenses in the allow list bypass this check.

Default: false

biome.json
{
  "linter": {
    "rules": {
      "nursery": {
        "noUntrustedLicenses": {
          "options": {
            "requireOsiApproved": true
          }
        }
      }
    }
  }
}

requireFsfLibre

When enabled, only licenses that are recognized as free/libre by the Free Software Foundation are accepted. Licenses in the allow list bypass this check.

Default: false

biome.json
{
  "linter": {
    "rules": {
      "nursery": {
        "noUntrustedLicenses": {
          "options": {
            "requireFsfLibre": true
          }
        }
      }
    }
  }
}

ignoreDeprecated

When enabled, deprecated SPDX license identifiers are accepted without being flagged. By default, deprecated identifiers such as GPL-2.0 (which should be GPL-2.0-only or GPL-2.0-or-later) produce a diagnostic.

Default: false

biome.json
{
  "linter": {
    "rules": {
      "nursery": {
        "noUntrustedLicenses": {
          "options": {
            "ignoreDeprecated": true
          }
        }
      }
    }
  }
}
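To make the precedence of these options concrete (deny before allow, allow before the SPDX validity, deprecation, OSI and FSF checks), here is an added JavaScript example that is not Biome's implementation. It assumes a small constructed subset of the SPDX list, a simplified expression grammar (OR, AND, parentheses, WITH) and an in-memory map standing in for node_modules; its treatment of OR (a dependency passes when any alternative is acceptable) is this example's assumption, not something the page states. The package names and versions are constructed to mirror the examples above.

```javascript
// Added example, not Biome's code: a license-policy check following the order the
// noUntrustedLicenses docs describe, run over an in-memory stand-in for node_modules.

// Constructed subset of the SPDX license list; the real rule uses the full list.
const SPDX = {
  "MIT":           { deprecated: false, osi: true,  fsf: true },
  "Apache-2.0":    { deprecated: false, osi: true,  fsf: true },
  "BSD-3-Clause":  { deprecated: false, osi: true,  fsf: true },
  "GPL-3.0-only":  { deprecated: false, osi: true,  fsf: true },
  "AGPL-3.0-only": { deprecated: false, osi: true,  fsf: true },
  "GPL-2.0":       { deprecated: true,  osi: true,  fsf: true }, // superseded by GPL-2.0-only / -or-later
  "JSON":          { deprecated: false, osi: false, fsf: false },
  "WTFPL":         { deprecated: false, osi: false, fsf: true },
};

// Simplified SPDX expression grammar (assumption of this example):
//   or := and ("OR" and)*   and := unit ("AND" unit)*   unit := "(" or ")" | ID ["WITH" ID]
function parse(expr) {
  const t = expr.match(/\(|\)|[A-Za-z0-9.+-]+/g) || [];
  let i = 0;
  const peek = () => t[i];
  const next = () => t[i++];
  const isKeyword = (tok) => tok === "AND" || tok === "OR" || tok === "WITH";
  const isId = (tok) => tok !== undefined && tok !== "(" && tok !== ")" && !isKeyword(tok);
  function parseOr() {
    const parts = [parseAnd()];
    while (peek() === "OR") { next(); parts.push(parseAnd()); }
    return parts.length === 1 ? parts[0] : { op: "OR", parts };
  }
  function parseAnd() {
    const parts = [parseUnit()];
    while (peek() === "AND") { next(); parts.push(parseUnit()); }
    return parts.length === 1 ? parts[0] : { op: "AND", parts };
  }
  function parseUnit() {
    const tok = next();
    if (tok === "(") {
      const inner = parseOr();
      if (next() !== ")") throw new Error("unbalanced parentheses");
      return inner;
    }
    if (!isId(tok)) throw new Error(`unexpected token ${tok}`);
    const node = { id: tok };
    if (peek() === "WITH") { next(); node.exception = next(); if (!isId(node.exception)) throw new Error("missing exception after WITH"); }
    return node;
  }
  const ast = parseOr();
  if (i !== t.length) throw new Error(`unexpected token ${t[i]}`);
  return ast;
}

// One identifier, checked in the documented order: deny first, then allow, then the SPDX checks.
function evaluateId(id, opts) {
  if (opts.deny.includes(id)) return { ok: false, reason: `${id} is in the deny list` };
  if (opts.allow.includes(id)) return { ok: true }; // allow bypasses every remaining check
  const info = SPDX[id];
  if (!info) return { ok: false, reason: `${id} is not a valid SPDX identifier` };
  if (info.deprecated && !opts.ignoreDeprecated) return { ok: false, reason: `${id} is a deprecated SPDX identifier` };
  if (opts.requireOsiApproved && !info.osi) return { ok: false, reason: `${id} is not OSI-approved` };
  if (opts.requireFsfLibre && !info.fsf) return { ok: false, reason: `${id} is not FSF free/libre` };
  return { ok: true };
}

// Assumption: "A OR B" passes if either side is acceptable, "A AND B" only if both are;
// a "WITH" exception is judged on its base license.
function evaluate(node, opts) {
  if (node.op === "OR") {
    const results = node.parts.map((p) => evaluate(p, opts));
    return results.find((r) => r.ok) || { ok: false, reason: results.map((r) => r.reason).join("; ") };
  }
  if (node.op === "AND") return node.parts.map((p) => evaluate(p, opts)).find((r) => !r.ok) || { ok: true };
  return evaluateId(node.id, opts);
}

// Check one package.json "license" value against the rule options (defaults as on this page).
function checkLicense(license, options = {}) {
  const opts = { allow: [], deny: [], requireOsiApproved: false, requireFsfLibre: false, ignoreDeprecated: false, ...options };
  if (license && typeof license === "object" && typeof license.type === "string") license = license.type; // legacy { type, url } form
  if (typeof license !== "string" || license.trim() === "") return { ok: false, reason: "missing license field" };
  try { return evaluate(parse(license), opts); }
  catch (e) { return { ok: false, reason: `"${license}" is not a valid SPDX expression (${e.message})` }; }
}

// Walk a map of dependency name -> package.json contents (stands in for reading node_modules).
function auditDependencies(nodeModules, options = {}) {
  const diagnostics = [];
  for (const [name, pkg] of Object.entries(nodeModules)) {
    const result = checkLicense(pkg.license, options);
    if (!result.ok) diagnostics.push({ name, license: pkg.license ?? null, reason: result.reason });
  }
  return diagnostics;
}

// Constructed sample node_modules mirroring the page's examples plus a few more cases.
const NODE_MODULES = {
  "untrusted-pkg":  { name: "untrusted-pkg", version: "1.0.0", license: "my-custom-license" },
  "no-license-pkg": { name: "no-license-pkg", version: "1.0.0" },
  "trusted-pkg":    { name: "trusted-pkg", version: "1.0.0", license: "MIT" },
  "dual-pkg":       { name: "dual-pkg", version: "2.3.1", license: "MIT OR Apache-2.0" },
  "old-gpl-pkg":    { name: "old-gpl-pkg", version: "0.9.0", license: "GPL-2.0" },
  "copyleft-pkg":   { name: "copyleft-pkg", version: "4.0.0", license: "GPL-3.0-only" },
};

// With the defaults three packages are reported; adding a deny list also catches copyleft-pkg.
for (const d of auditDependencies(NODE_MODULES, { deny: ["GPL-3.0-only"] })) console.log(`${d.name}: ${d.reason}`);
```

The deny-before-allow ordering in evaluateId is what makes "Deny always takes precedence over allow and SPDX validity" hold: a denied identifier is rejected even when it is also listed under allow, and a denied identifier inside an OR expression only passes if another alternative is acceptable on its own.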