A small script to check packages installed through npm against a whitelist of licenses and packages

license-checker.js

'use strict';

const _       = require('lodash');
const winston = require('winston');
const checker = require('license-checker');
const chalk   = require('chalk');

const licensesWeAreOKWith = `
  MIT,
  MIT*,
  MIT/X11,
  (MIT AND JSON),
  (MIT AND CC-BY-3.0),
  MIT / http://rem.mit-license.org,
  BSD,
  BSD*,
  BSD-like,
  BSD-2-Clause,
  BSD-3-Clause,
  BSD-3-Clause AND MIT,
  BSD-3-Clause OR MIT,
  BSD-3-Clause AND MIT Apache 2.0,
  BSD-4-Clause,
  (BSD-2-Clause OR MIT OR Apache-2.0),
  (BSD-2-Clause OR WTFPL),
  ISC,
  ISC*,
  Apache*,
  Apache 2,
  Apache2,
  Apache-2.0,
  Apache 2.0,
  Apache License,
  Apache License version 2.0,
  Apache License, Version 2.0,
  WTFPL,
  CC-BY-3.0,
  CC-BY-4.0,
  Public Domain,
  Public domain,
`;

const packagesWeAreOKWith = [
  'babel-runtime'
];

checker.init({
  start: './',
  exclude: licensesWeAreOKWith,
  color: true
}, (err, json) => {
  if (err) {
    winston.info('There was an error', err);

    return process.exit(1);
  }

  winston.info('Packages that were not filtered on 1st go:');

  _.forEach(json, (pkgData, pkgName) => {
    winston.info(`${pkgName}: ${pkgData.licenses}`);
  });

  winston.info('-----------\nlooking for packages we approve...');

  const packagesArray = Object.keys(json);

  _.forEach(packagesArray, (packageNameWithVersion) => {
    const packageName = packageNameWithVersion.split('@')[0];

    // We must strip the color with chalk for this to work
    if (_.includes(packagesWeAreOKWith, chalk.stripColor(packageName))) {
      winston.info(`I know This package ==> '${packageName}' continuing...`);
    }
    else {
      // fail build
      winston.info(`FAILED: Unknown package ===> '${packageNameWithVersion}' exiting...`);
      winston.info(`LICENSE that failed ==> '${json[packageNameWithVersion].licenses}'`);
      process.exit(1);
    }
  });

  winston.info('All good!');
});