Severity
Low
Short Description
License information could not be found.
Suggestion
Manually review the licensing
Unlike packages that are explicitly designated as "unlicensed", these are packages for which no licensing information was found at all. This can mean that the package is not made available under any license (in which case it carries the same risks as an explicitly unlicensed package), but it can also mean that the package authors failed to convey license information properly to would-be licensees, or made a mistake in doing so. For example, the contents of a project's source code repository are not always a 100% match for the contents of the package as it appears on a package registry: a project's GitHub repository may specify a license while the package released on the relevant registry does not.
This absence of a license can entail legal uncertainty, as users may not have the right to use, modify, or distribute the software.
Without an explicit license, the package may be subject to copyright restrictions, and developers who use it could face potential legal risks.
This is classified as a low-severity alert. While in the worst case this alert could indicate legal or compliance issues for an organization, in practice it may also be the result of maintainer error or insufficiently careful release processes; project authors may have attempted to communicate license information somewhere, but failed to do so properly.
Here are some scenarios where it could be particularly problematic:
In all these scenarios, the absence of a license can lead to unexpected liabilities, making it crucial to either obtain proper licensing or avoid using such packages altogether.
It's essential to verify the licensing status of such packages and, if necessary, seek alternatives with clear and permissive licensing to avoid potential issues.
Here's an example of how this alert appears on a package. It often comes in conjunction with other supply chain risks, as no license is a significant oversight for a package published to a public registry.

Packages with no license found are those where Socket cannot detect any license information in the package files, including common license files or references in the metadata, making it unclear whether the software is legally safe to use.
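The following script is an added example of the manual review this alert asks for; it is not Socket's detection code and does not reproduce how Socket classifies packages. It inspects an unpacked package directory the way a reviewer would, using npm conventions (the `license` field in `package.json`, the `"UNLICENSED"` value, the `"SEE LICENSE IN <file>"` form) and a file-name pattern for common license files; the pattern, the status labels and the five sample packages are constructed for this example. It separates the three situations the page describes: a license that is found, a package explicitly marked unlicensed, and a package with no license information at all, including the case where the manifest points at a license file that was never shipped in the published package.

```python
"""Manual license review of unpacked package directories (added example)."""
from __future__ import annotations

import json
import re
import tempfile
from enum import Enum
from pathlib import Path


class LicenseStatus(Enum):
    FOUND = "license found"
    UNLICENSED = "explicitly unlicensed"
    NOT_FOUND = "no license found"


# Constructed pattern for conventional license file names: LICENSE, LICENCE.md, COPYING.txt, UNLICENSE ...
LICENSE_FILE_RE = re.compile(r"^(licen[cs]e|copying|unlicense)(\..+)?$", re.IGNORECASE)
# npm allows "SEE LICENSE IN <filename>" as the license field value.
SEE_LICENSE_RE = re.compile(r"^SEE LICENSE IN (.+)$", re.IGNORECASE)


def find_license_files(pkg_dir: Path) -> list[str]:
    """Top-level files whose name looks like a license file."""
    return sorted(p.name for p in pkg_dir.iterdir()
                  if p.is_file() and LICENSE_FILE_RE.match(p.name))


def declared_license(pkg_dir: Path) -> str | None:
    """License string declared in package.json (npm convention), or None if absent/unreadable."""
    manifest = pkg_dir / "package.json"
    if not manifest.is_file():
        return None
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except (json.JSONDecodeError, UnicodeDecodeError):
        return None
    if not isinstance(data, dict):
        return None
    value = data.get("license")
    if isinstance(value, dict):          # legacy {"type": "MIT", "url": ...} form
        value = value.get("type")
    if isinstance(value, str) and value.strip():
        return value.strip()
    return None


def classify(pkg_dir: Path) -> tuple[LicenseStatus, str]:
    """Return (status, reason) for one unpacked package directory."""
    declared = declared_license(pkg_dir)
    files = find_license_files(pkg_dir)
    if declared is not None:
        if declared.upper() == "UNLICENSED":
            return LicenseStatus.UNLICENSED, 'package.json declares "UNLICENSED"'
        ref = SEE_LICENSE_RE.match(declared)
        if ref:
            # The manifest points at a file; if it was not packed, the reference is dangling.
            target = ref.group(1).strip()
            if (pkg_dir / target).is_file():
                return LicenseStatus.FOUND, f"package.json refers to {target}, which is present"
            return LicenseStatus.NOT_FOUND, f"package.json refers to {target}, but the file is missing"
        return LicenseStatus.FOUND, f"package.json declares {declared}"
    if files:
        return LicenseStatus.FOUND, f"license file present: {files[0]}"
    return LicenseStatus.NOT_FOUND, "no license field and no license file"


def audit(root: Path) -> dict[str, tuple[LicenseStatus, str]]:
    """Classify every package directory directly under root."""
    return {d.name: classify(d) for d in sorted(root.iterdir()) if d.is_dir()}


def build_sample_packages(root: Path) -> None:
    """Write five constructed packages covering the cases discussed on the page."""
    samples = {
        "mit-pkg": ({"name": "mit-pkg", "license": "MIT"}, {"LICENSE": "MIT License ..."}),
        "proprietary-pkg": ({"name": "proprietary-pkg", "license": "UNLICENSED"}, {}),
        "bare-pkg": ({"name": "bare-pkg"}, {}),
        "dangling-pkg": ({"name": "dangling-pkg", "license": "SEE LICENSE IN LICENSE.txt"}, {}),
        "file-only-pkg": ({"name": "file-only-pkg"}, {"COPYING": "GNU GPL ..."}),
    }
    for name, (manifest, extra_files) in samples.items():
        pkg = root / name
        pkg.mkdir(parents=True)
        (pkg / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        for fname, text in extra_files.items():
            (pkg / fname).write_text(text, encoding="utf-8")


def audit_samples() -> dict[str, tuple[LicenseStatus, str]]:
    """Build the constructed packages in a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_packages(root)
        return audit(root)


if __name__ == "__main__":
    for name, (status, reason) in audit_samples().items():
        print(f"{name:16} {status.value:22} {reason}")
```

The "dangling-pkg" case is the one the page's repository-versus-registry mismatch produces in practice: the manifest was written with a license in mind, but the file it points at is not in the published package, so a reviewer still has no license text to rely on and should treat the package as having no license found until the maintainer is contacted or an alternative is chosen.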