lendable / composer-license-checker
Composer license checker
Installs: 111 514
Dependents: 5
Suggesters: 0
Security: 0
Stars: 12
Watchers: 40
Forks: 1
Open Issues: 5
Type:project
Requires
- php: ~8.2.0 || ~8.3.0 || ~8.4.0
- composer-runtime-api: ^2.2
- symfony/console: ^5.4 || ^6.0 || ^7.0
- symfony/process: ^5.4.46 || ^6.4.14 || ^7.1.7
Requires (Dev)
- ergebnis/composer-normalize: ^2.43.0
- lendable/phpunit-extensions: ^0.3
- php-cs-fixer/shim: ^3.61.1
- phpstan/phpstan: ^1.11.9
- phpstan/phpstan-deprecation-rules: ^1.2.0
- phpstan/phpstan-phpunit: ^1.4.0
- phpstan/phpstan-strict-rules: ^1.6.0
- phpunit/phpunit: ^11.3.0
- rector/rector: ^1.2.2
- symfony/filesystem: ^6.2
README
This library provides tooling to check licensing of dependencies against a set of rules to ensure compliance with open source licenses and minimize legal risk. It helps you to keep track of licenses of dependencies in use and make informed decisions on their usage.
Installation
composer require --dev lendable/composer-license-checker
Usage
Create a configuration file in your project root, .allowed-licenses.php
(or you can use the option -a / --allow-file
to specify the location of the configuration).
<?php declare(strict_types=1); use Lendable\ComposerLicenseChecker\LicenseConfigurationBuilder; return (new LicenseConfigurationBuilder()) ->addLicenses( 'MIT', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0', // And other licenses you wish to allow. ) ->addAllowedVendor('vendor_name') // Allow any license from a specific vendor, i.e. your own company. ->addAllowedPackage('vendor_name/foo_bar') // Allow a specific package regardless of licensing. ->build();
./vendor/bin/composer-license-checker [--allow-file path/to/configuration_file.php]
It is suggested you build this into your CI pipeline to automate checking it.
Licensing information providers
This tool can use two different sources for retrieving licensing information: using the composer licenses
command and parsing the installed.json
file created by Composer.
Using the installed.json
provider (default)
Specify --provider-id=json
.
The tool will parse the installed.json
file created by Composer which has all the relevant information. This does not require Composer to be installed in the environment the tool is executed within. This file is internal to Composer however, so there is the potential that the schema may change in the future. If you experience issues, try using the composer licenses
provider and report the issue.
Using composer licenses
provider
Specify --provider-id=licenses
.
The composer licenses
command provides a (potentially) more stable API for retrieving licensing information. This however requires the tool to execute composer
so it must be installed in the environment the tool is run within.