
Listing dependencies licenses with deno ? #9786

Closed
lowlighter opened this issue Mar 14, 2021 · 6 comments
Labels
suggestion suggestions for new features (yet to be agreed)

Comments

@lowlighter
Contributor

It would be nice if deno had a cli command to list all dependencies licenses.

This is especially useful to automate license compliance when using third-party modules.
It doesn't need to be bullet-proof, but usually most license files can be retrieved by appending LICENSE to the module URL.

I'm currently using a workaround which uses deno info to list dependencies and tries to fetch license files (see below), but it's kind of hacky

(example)

Output:

[
  { 
    url: "https://deno.land/[email protected]/LICENSE", 
    license: "Resource Not Found" 
  },
  {
    url: "https://deno.land/x/[email protected]/LICENSE",
    license: "MIT License\n\nCopyright (c) 2014 Jonathan Ong <[email protected]>\nCopyright (c) 2015 Douglas Christo..."
  },
  {
    url: "https://deno.land/x/[email protected]/LICENSE",
    license: "MIT License\n\nCopyright (c) 2018-2021 the oak authors\n\nPermission is hereby granted, free of charge, ..."
  },
  {
    url: "https://deno.land/x/[email protected]/LICENSE",
    license: "Resource Not Found"
  },
  {
    url: "https://deno.land/x/[email protected]/LICENSE",
    license: "Copyright (c) 2019 Tilman Roeder and Contributors\n\nPermission is hereby granted, free of charge, to ..."
  }
]

Code:

// Load the JSON output of `deno info` for the entry point.
// Requires --allow-run (for Deno.run) and --allow-net (for the fetch below).
// Note: Deno.run was later deprecated in favour of Deno.Command; this is the 2021 API.
const info = JSON.parse(new TextDecoder().decode(await Deno.run({
  cmd: ["deno", "info", "--import-map", "imports.json", "--unstable", "--json", "src/app.ts"],
  stdout: "piped",
}).output()))

// Extract one LICENSE URL per remote module root and try to fetch it.
// A 404 body (e.g. "Resource Not Found") is recorded as-is; only network errors yield null.
console.log(await Promise.all([...new Set(info.modules
  // Get each specifier, turn it into a URL and filter out local (file:) deps, whose origin is "null"
  .map(({ specifier }: { specifier: string }) => new URL(specifier))
  .filter((url: URL) => url.origin !== "null")
  // Keep the versioned module root, e.g. "/x/oak@v6.0.0/", and append LICENSE
  .map((url: URL) => `${url.origin}${url.pathname.match(/^(?<name>[/][\s\S]+@v?\d+[.]\d+[.]\d+[/])/)?.groups?.name}LICENSE`))]
  // Fetch every license (the Set above deduplicates modules from the same package)
  .map(async url => ({ url, license: await fetch(url as string).then(response => response.text()).catch(() => null) })))
)

I think it would fit well in deno info, since if you want to check dependencies, you may also want to see if you're allowed to use them or not.

@lowlighter lowlighter changed the title Listing licenses dependencies with deno ? Listing dependencies licenses with deno ? Mar 14, 2021
@kitsonk kitsonk added the suggestion suggestions for new features (yet to be agreed) label Mar 14, 2021
@kitsonk
Contributor

kitsonk commented Mar 14, 2021

How do you know that you are allowed to use code you import in a web page in a browser?

Deno is no different.

@lowlighter
Contributor Author

Usually you need to read the license terms when using someone else's code.
Most of minified (or not) bundles on web pages still keep a comment header with copyright notice and used license (or a link to it), so it is technically possible to know whether the person using it is legally allowed to use it or not.

Some licenses like GPL force you to keep the same license for derivative works, so you wouldn't be able to relicense your work under MIT license for example.

It does not matter that much for hobby projects, but I guess if you were making a commercial project it would be useful to be able to review easily which licenses are used by the code you didn't write, to ensure you're not violating anyone's rights.
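The workaround in the opening post and the GPL/relicensing concern raised above, combined into one added example that is not code from the issue or from Deno: it derives LICENSE URLs from the `deno info --json` module list, treats a 404 as a missing license instead of storing the error body, and flags copyleft and unrecognised texts rather than waving them through. The module list and license texts are constructed samples; `fetchLicense` is the only part that touches the network.

```typescript
type Module = { specifier: string };
type Verdict = "allowed" | "copyleft" | "unknown" | "missing";

// One LICENSE URL per remote, versioned module root (deduplicated).
// file: and other non-http specifiers are local code and are skipped.
function licenseUrls(modules: Module[]): string[] {
  const urls = new Set<string>();
  for (const { specifier } of modules) {
    let url: URL | null = null;
    try { url = new URL(specifier); } catch { /* malformed specifier: skip */ }
    if (!url || (url.protocol !== "https:" && url.protocol !== "http:")) continue;
    // Matches "/x/oak@v6.0.0/" and "/std@0.90.0/" style roots on deno.land
    const root = url.pathname.match(/^(\/(?:x\/)?[^/@]+@v?\d+\.\d+\.\d+\/)/)?.[1];
    if (root) urls.add(`${url.origin}${root}LICENSE`);
  }
  return [...urls];
}

// Text heuristics. Copyleft is checked first so a GPL file that also quotes
// MIT-style wording is not accepted; anything unrecognised is "unknown".
const PATTERNS: [Verdict, RegExp][] = [
  ["copyleft", /GNU (?:AFFERO |LESSER )?GENERAL PUBLIC LICENSE/i],
  ["allowed", /\bMIT License\b/],
  ["allowed", /Apache License,? Version 2\.0/],
  ["allowed", /Redistribution and use in source and binary forms/], // BSD family
  ["allowed", /Permission is hereby granted, free of charge/],      // MIT-style body
];

function classify(text: string | null): Verdict {
  if (text === null) return "missing";
  for (const [verdict, re] of PATTERNS) if (re.test(text)) return verdict;
  return "unknown";
}

// Unlike the raw workaround, a non-2xx body such as "Resource Not Found"
// counts as a missing license, not as license text.
async function fetchLicense(url: string): Promise<string | null> {
  try {
    const res = await fetch(url); // needs --allow-net under Deno
    return res.ok ? await res.text() : null;
  } catch { return null; }
}

// The fetcher is injectable so the report logic can run offline in tests.
async function audit(modules: Module[], get = fetchLicense) {
  const out: { url: string; verdict: Verdict }[] = [];
  for (const url of licenseUrls(modules)) out.push({ url, verdict: classify(await get(url)) });
  return out;
}
```

Feed it `JSON.parse(...).modules` from `deno info --json` and fail the build on any entry whose verdict is not "allowed".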

@bartlomieju
Member

I believe this is outside of scope for Deno and should be solved by a third party module.

@lowlighter
Contributor Author

I guess it isn't as easy as with NodeJS since libraries don't have a "package.json equivalent" with a field containing the license used, and it would be hard to guess since people are also able to import small code chunks from libraries.

It would have been nice to have it in the toolchain since you can already review dependencies and versions, but I understand that it may be hard to implement and maybe a third party module would indeed be a better fit inside

@kitsonk
Contributor

kitsonk commented Jun 29, 2021

you can already review dependencies and versions

"versions" are simply URLs... there is no logic in Deno that holds any opinions to what a "version" is. It is up to the package registry to put semantic meaning into what a URL represents, and likely the best solution for this feature.

@bartlomieju
Member

Closing for now, as it is not actionable for Deno.

3 participants