lendable / composer-license-checker
Composer license checker
Installs: 103 364
Dependents: 4
Suggesters: 0
Security: 0
Stars: 11
Watchers: 37
Forks: 0
Open Issues: 6
Type:project
Requires
- php: ~8.2.0 || ~8.3.0
- composer-runtime-api: ^2.2
- symfony/console: ^5.4 || ^6.0 || ^7.0
- symfony/process: ^5.4 || ^6.0 || ^7.0
Requires (Dev)
- ergebnis/composer-normalize: ^2.43.0
- lendable/phpunit-extensions: ^0.3
- php-cs-fixer/shim: ^3.59.3
- phpstan/phpstan: ^1.11.6
- phpstan/phpstan-deprecation-rules: ^1.2.0
- phpstan/phpstan-phpunit: ^1.4.0
- phpstan/phpstan-strict-rules: ^1.6.0
- phpunit/phpunit: ^11.2.5
- rector/rector: ^1.2.0
- symfony/filesystem: ^6.2
This package is auto-updated.
Last update: 2024-11-04 19:09:21 UTC
README
This library provides tooling to check licensing of dependencies against a set of rules to ensure compliance with open source licenses and minimize legal risk. It helps you to keep track of licenses of dependencies in use and make informed decisions on their usage.
Installation
composer require --dev lendable/composer-license-checker
Usage
Create a configuration file in your project root, .allowed-licenses.php (or you can use the the option -a / --allow-file to specify the location of the configuration).
<?php declare(strict_types=1); use Lendable\ComposerLicenseChecker\LicenseConfigurationBuilder; return (new LicenseConfigurationBuilder()) ->addLicenses( 'MIT', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0', // And other licenses you wish to allow. ) ->addAllowedVendor('vendor_name') // Allow any license from a specific vendor, i.e. your own company. ->addAllowedPackage('vendor_name/foo_bar') // Allow a specific package regardless of licensing. ->build();
./vendor/bin/composer-license-checker [--allow-file path/to/configuration_file.php]
It is suggested you build this into your CI pipeline to automate checking it.
Licensing information providers
This tool can use two different sources for retrieving licensing information: using the composer licenses command and parsing the installed.json file created by Composer.
Using the installed.json provider (default)
Specify --provider-id=json.
The tool will parse the installed.json file created by Composer which has all the relevant information. This does not require Composer to be installed in the environment the tool is executed within. This file is internal to Composer however, so there is the potential that the schema may change in the future. If you experience issues, try using the composer licenses provider and report the issue.
Using composer licenses provider
Specify --provider-id=licenses.
The composer licenses command provides a (potentially) more stable API for retrieving licensing information. This however requires the tool to execute composer so it must be installed in the environment the tool is run within.