It would be great if tool would support HTML output.

Regards, Tomaž

Hi, is it possible to output report to the file?

Hello 🙂

Looking to get access to the markdown formatter, but the latest version yarn can resolve is 6.2.0

this was reported by snyk. As this package is quite popular it might be worth to keep the dependencies updated.

Hi Im using your plugin to generate licences in my project but when
I run command "license-report --only=prod --output=json"
Im getting following errors:

Error: invalid statusCode 404
    at Request._callback (/work/Projects/ELS/node_modules/license-report/lib/getPackageJson.js:43:29)
    at Request.self.callback (/work/Projects/ELS/node_modules/license-report/node_modules/request/request.js:185:22)
    at emitTwo (events.js:126:13)
    at Request.emit (events.js:214:7)
    at Request.<anonymous> (/work/Projects/ELS/node_modules/license-report/node_modules/request/request.js:1157:10)
    at emitOne (events.js:116:13)
    at Request.emit (events.js:211:7)
    at IncomingMessage.<anonymous> (/work/Projects/ELS/node_modules/license-report/node_modules/request/request.js:1079:12)
    at Object.onceWrapper (events.js:313:30)
    at emitNone (events.js:111:20)

Hej,
dependency "got" in version 11.8.5 has moderate severity vulnerability:

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix`
node_modules/got

1 moderate severity vulnerability

thanks! Markus :)

Greetings!

For package, https://www.npmjs.com/package/react-hook-form library throws an error if it's specified in package.json

Steps to reproduce:

Save to package.json

{
  "name": "react_hook_bug",
  "version": "1.0.0",
  "description": "test",
  "main": "index.js",
  "scripts": {
    "test": "exit 0"
  },
  "keywords": [
    "keywords"
  ],
  "author": "author",
  "license": "ISC",
  "dependencies": {
    "react-hook-form": "^7.27.0"
  }
}

license-report command with raise exception like below

/usr/local/lib/node_modules/license-report/lib/getPackageReportData.js:57
			if (author.email) { author = author + ' ' + author.email; }
			           ^

TypeError: Cannot read property 'email' of undefined
    at /usr/local/lib/node_modules/license-report/lib/getPackageReportData.js:57:15
    at /usr/local/lib/node_modules/license-report/lib/getPackageJson.js:22:3
    at Stubborn.p._onTaskExecuted (/usr/local/lib/node_modules/license-report/node_modules/stubborn/lib/Stubborn.js:71:18)
    at wrapper (/usr/local/lib/node_modules/license-report/node_modules/lodash/lodash.js:4991:19)
    at /usr/local/lib/node_modules/license-report/node_modules/lodash/lodash.js:10118:25
    at Request._callback (/usr/local/lib/node_modules/license-report/lib/getPackageJson.js:55:11)
    at Request.self.callback (/usr/local/lib/node_modules/license-report/node_modules/request/request.js:185:22)
    at Request.emit (events.js:198:13)
    at Request.<anonymous> (/usr/local/lib/node_modules/license-report/node_modules/request/request.js:1154:10)
    at Request.emit (events.js:198:13)

Version: [email protected]

Hallo.

I found that the output returns always the same versions:

These two props return the correct values:

json['dist-tags']['latest']
json['dist-tags']['next']

example:

packageEntry.version 7.2.12
localVersionSemverRange 7.2.12

version 7.2.12

latest version 14.1.0
next version 14.1.0-rc.0

but script return:

{
  name: '@angular/core',
  author: 'angular',
  licenseType: 'MIT',
  link: 'git+https://github.com/angular/angular.git',
  definedVersion: '7.2.12',
  installedVersion: '7.2.12',
  remoteVersion: '7.2.12',
  comment: '7.2.12'
}

license-report outputs all licenses from dependencies and devDependencies.

Please, add support of peerDependencies, optionalDependencies, and bundledDependencies as well.
I would like to be able to retrieve the license info for the packages from these three extra dependencies.

it will be great to use default config file.

example:

And then anyone can change it, e.g.:

{
  "fields": [
    "name",
    "licenseType",
    "author",
    "link",
    "installedVersion",
  ],
  "output": "html",
  "only": "prod,dev",
  "registry": "http://example.com"
}

currently I need to specify config file manually:

    "build:license-report": "license-report --config=.license-report-config  > ./src/dependencies.html"

By default this package will report the repository URL for dependencies.

It would be nice to also display the homepage URL if one is present.

Getting some errors when repo has private packages

http request to npm for package "@****/*****" failed, retrying again soon...
Error: invalid statusCode 404

The NPM_TOKEN env variable is set and valid

Right now, only npm and yarn lock files are supported

license-report just tells me skipping package@nightly (invalid semversion) for any version that isn't parsable as a semver.

But why does it need the version anyway?

npm accepts these "versions", so it seems like license-report should as well.

Thank you!

It seems that the last version 6.0.0 has not been published to NPM.

@BePo65 thank you. I notice that for babel author for some reason is not coming trough anymore... Have there been any change about this?

Originally posted by @gabrielmicko in #65 (comment)

It would be neat if packages were checked recursively (with dependencies of dependencies acting as if --only prod was enabled because their devDependencies are irrelevant).

Steps To Reproduce

• Run license-report --output=csv ([email protected])

The output is a CSV that almost every license is equal to n/a instead of the correct license.
Happend to me only when upgrading to v6.0.0, going back to version 5.0.2 works great 👌🏻

license-report supports multiple flags/args/params, e.g. --only, --package, --output etc.

It would be great to consolidate all such configurations in one single JSON (e.g. license-report-config.json) and apply it with --config.

Currently, part of configurations can be done in JSON and part as flags/args/params only.
I would like to have all configurations in one single place.

There's an issue where license-report --output=table --fields name --fields licenseType --fields link --fields author creates a table with the fields in the order specified in the cmdline, but --output=html reverses the order of the fields. So it looks like this:

Thank you!

Originally posted by @folknor in #51 (comment)

Hi, very nice module!
For this package I can't get the license although it is published. Could this be because the version is not semver compliant (this is what I get as message for the version).
BG

The field installedVersion of license-report takes the values from (dev-) dependencies and removes the range character, if any exist.

That is ok, if there is no range defined, because npm then installs exactly the version given.

But if there is a range character, then npm installs the greatest version that correspondents to the range.
So using the current version of license-report, it defines debug@^4.2.0 and therefore installs [email protected] (on 2021-04-25).
The installed version is documented in the package-lock.json.

So probably we better should get the installed version from package-lock.json.

is it possible to inclide the actual license text as well?

Is there any way to display the git homepage url instead of the git clone url in the report?

Right now, field=link returns git+https://github.com/axios/axios.git instead of returning the repo homepage url https://github.com/axios/axios.

Use configured labels and dump Column names as a first row in CSV output. This could be optional/parametrized behavior.

Example:

Organization,Module,Version,License,License URL,Location URL
 ,jest,23.6.0,MIT, ,git+https://github.com/facebook/jest.git
 ,license-report,2.1.3,MIT, ,git+https://github.com/ironSource/license-report.git

Hi,

thanks for your amazing work.

I saw that your license-report config serves the ability to override the npm registry.
Is there also the ability to add a cafile? Otherwise if you are behind a proxy, the custom registry is not practicable.

http request to npm for package "sharp" failed, retrying again soon...
Error: unable to get local issuer certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
    at TLSSocket.emit (events.js:314:20)
    at TLSSocket._finishInit (_tls_wrap.js:932:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12) {
  code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
}

Best,
Stefan

I get this error when I run HTTPError: Response code 404 (Not Found)

• npm: 6.14.8
• node: v14.15.1

Description

After updating from 4.x to 5.0.1, the following crash happens when trying to generate the licenses. I also ran a clean install of all dependencies, with the same effect.

@flaming-codes ➜ /workspaces/flaming.codes/app (master ✗) $ npm run dep:gen

> [email protected] dep:gen /workspaces/flaming.codes/app
> license-report --only=prod --output=json > licenses.json

TypeError: Cannot read property 'version' of undefined
    at getInstalledVersions (/workspaces/flaming.codes/app/node_modules/license-report/lib/getInstalledVersions.js:19:75)
    at /workspaces/flaming.codes/app/node_modules/license-report/index.js:77:27
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] dep:gen: `license-report --only=prod --output=json > licenses.json`
npm ERR! Exit status 1
npm ERR! 
npm ERR! Failed at the [email protected] dep:gen script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/codespace/.npm/_logs/2022-03-07T21_50_48_740Z-debug.log

Specifically, this code line the lib causes the error.

Solution

I think the logic in the referenced code line has a bug.

if ((packageLockDependency !== undefined) || (packageLockDependency.version !== undefined)) {
 ...
}

packageLockDependency in the second check will always be undefined, as the first check fails if it's actually defined, therefore leading to the execution of the second one.

A simple fix might be to update the logic.

if (packageLockDependency && packageLockDependency.version !== undefined) {
 ...
}

or even simpler

if (packageLockDependency?.version !== undefined) {
 ...
}

Notes

I could work on the fix (fix itself is small, but adding tests) if desired.

The output of license-report lists the most recent version number from the repository.

From my point of view the report would be even more valuable, if it would also contain the version number from the package.json.

The information is available in getPackageReportData.js, so that wouldn't be too difficult.
How about 'installedVersion' as field name?

I am trying to repurpose the "relatedTo" column to display the current version of my application. But I am getting inconsistent behavious when the output is "html" and "table".
When I try to output the result as a table by running the following command

license-report --output=table --package=package.json --relatedTo.label="Version" --relatedTo.value=1.0.3

I get the expected result as shown in the image

But the story is not the same try to output as html.
Using the following command

license-report --output=html --package=package.json --relatedTo.label="Version" --relatedTo.value=1.0.3 > dependencies.html

The column label dosent get updated as shown in the image below

Which one of this is the expected behaviour ?

PS: In your README.md, there is a section on "customize a default value (only applicable for some fields)". Could you also list out which are those applicable fields.

if I use --registry=my.registryserver.com/some/path, then I have an error because the result link for bootstrap will be so:
my.registryserver.com/some/pathbootstrap

but should be my.registryserver.com/some/path/bootstrap

it will be better to add an additional check for the last slash, and if not exists, then add it manually.

currently when outputting to csv some values might break csv because they have the delimiter character in them

Just running licence-report in the project folder

/usr/local/lib/node_modules/license-report/lib/extractLink.js:14
                if (value.substr(0, 'http'.length) === 'http') {
                          ^

TypeError: value.substr is not a function
    at /usr/local/lib/node_modules/license-report/lib/extractLink.js:14:13
    at module.exports (/usr/local/lib/node_modules/license-report/node_modules/visit-values/index.js:20:3)
    at module.exports (/usr/local/lib/node_modules/license-report/node_modules/visit-values/index.js:16:4)
    at module.exports (/usr/local/lib/node_modules/license-report/lib/extractLink.js:13:2)
    at /usr/local/lib/node_modules/license-report/lib/getPackageReportData.js:66:11
    at /usr/local/lib/node_modules/license-report/lib/getPackageJson.js:23:3
    at Stubborn.p._onTaskExecuted (/usr/local/lib/node_modules/license-report/node_modules/stubborn/lib/Stubborn.js:71:18)
    at wrapper (/usr/local/lib/node_modules/license-report/node_modules/lodash/lodash.js:4935:19)
    at /usr/local/lib/node_modules/license-report/node_modules/lodash/lodash.js:10052:25
    at Request._callback (/usr/local/lib/node_modules/license-report/lib/getPackageJson.js:56:11)

I am trying to leverage this tool to generate the license lists for all the packages in a monorepo and have run into a few issues:

1. if I run from the root of the repo, then I only see the dependencies in the root package.json - that's kind of expected
2. if I run from the package's folder, then the license is missing for any hoisted dependency

I think monorepo support could be added easily by either:

1. --monorepo option: the tool would scan the sub-directories for package.json files and resolve the locally installed package to either the value in it's nearest node_modules folder UP TO the root directory
2. --add-node-modules X option: the tool would scan these additional locations for module metadata

After a command inside repo with zero dependencies you get a text "nothing to do" despite the type into the command such as "license-report --output=json" or any other. The type should be predictable and based onto type in command

Right now report doesn't work for github dependencies, or local file system dependencies.

Are there any good reasons why package.json file need to be retrieved from npm registry, but not from the local node_modules folder?

Using async/await the code would get much easier to read and thus to maintain.

I'll place a PR as basis for discussion.

Today you can find out about the available fields only by looking into the source code.

Wouldn't it be easier, if the README.md listed all the field names?
Additionally this would be a fine place to describe that the fields 'department', 'relatedTo', 'licensePeriod' and 'material' must be set by the command line and that the field 'comment' contains the most recent version number for this package in the repository.

Hello all,

NO PROBLEM WITH NODE, SEE UPDATE BELOW

I have recently installed Node version 14.19.2 in my WSL. Since upgrading to this version, I can no longer create a licence report because the command returns a 404 Not Found Error.

In another WSL instance with Node version 14.18.2, the creation of the report works perfectly. I have attached 2 screenshots with debug logging.

Can you please take a look at the problem? Downgrading my WSL instance to a version <14.19 is unfortunately not an option.

Many thanks and kind regards
Johannes

Output on Node 14.19.2:

Output on Node 14.18.2:

UPDATE

Issue has nothing to do with Node.

I found the problem. I have a local dependency in my package.json file:
... "local-dep": "file:ext/local-dep-2.13.6.tgz", ...

When I remove this dependency the generation of the license report works perfectly.

I also tried it with a colleague in his WSL, who was still using an older version of licence-report. The generation worked perfectly for him.

The output of the generated license-report with the local dependency was like this - which was OK for us:
local-dep,n/a,n/a,n/a

After updating to the current version of license-report, he also got the "404 Not Found" error.

The problem has nothing to do with the Node version. The problem seems to be that license-report in the new version can no longer handle local dependencies. Unfortunately, I had installed different versions of license-report on my WSL instances and therefore immediately suspected that it was due to the Node version.

It would be useful if Markdown was added to the available outputs.
The default table is already great, but if it were possible to have a Markdown table then the results could be rendered nicely without any post processing.

it will be great to have an additional output-path property for exporting data directly into this file and not use manualy pipes in the console outputs to concatenate results.

example:

And then anyone can change it, e.g.:

{
  "fields": [
     ...
  ],
  "output": "html",
  "outputPath": "./src/dependencies.html"
}

currently, I need to specify the config file manually:

    "build:license-report": "license-report --config=.license-report-config  > ./src/dependencies.html"

but with this config I will just call

    "build:license-report": "license-report --config=.license-report-config"

and license-report should create a file

Hello! license-report throws an exception when trying to read package @reactivex/rxjs@^5.0.0-rc.1

I did output with linux command > but it wont work on windows. Is it possible to configure this tool to output into file by default?

Hi,

Thank you for this tool!

When running it on some projects, I have this error:

<my-project>/node_modules/license-report/lib/getPackageReportData.js:57
                        if (author.email) { author = author + ' ' + author.email; }
                                   ^

TypeError: Cannot read property 'email' of undefined
    at <my-project>/node_modules/license-report/lib/getPackageReportData.js:57:15
    at <my-project>/node_modules/license-report/lib/getPackageJson.js:22:3
    at Stubborn.p._onTaskExecuted (<my-project>/node_modules/stubborn/lib/Stubborn.js:71:18)
    at wrapper (<my-project>/node_modules/lodash/lodash.js:4949:19)
    at <my-project>/node_modules/lodash/lodash.js:10076:25
    at Request._callback (<my-project>/node_modules/license-report/lib/getPackageJson.js:55:11)
    at Request.self.callback (<my-project>/node_modules/request/request.js:185:22)
    at Request.emit (events.js:314:20)
    at Request.<anonymous> (<my-project>/node_modules/request/request.js:1154:10)
    at Request.emit (events.js:314:20)

It appears that some projects have an author field like this in their package.json:

"author": "<some-email>",

(e.g. react-hook-form: https://github.com/react-hook-form/react-hook-form/blob/v7.0.4/package.json#L64)

which translates likes this in the registry:

{ "email": "some-email" }

The failing line has been introduced by #29

https://github.com/ironSource/license-report/blob/a48a7e78dfc63144f3e9d951594a21fd1f6ec480/lib/getPackageReportData.js#L54-L59

So in case the dependency specifies only an email, but no name, this creates the exception.

However, this also shows that even in case the author object does have a name field, the next 2 lines will be useless as we modify the author variable to be now the name string, i.e. it is no longer the author object.

We can indeed see in the report (when it works) that there is never an email nor a URL appended to the author name.