Open-Source License Compliance Checker
Can you legally ship this dependency tree?
Whether a dependency is legal to ship depends on what you are shipping: a GPL package is a blocker in a closed-source desktop app, a caution in a SaaS backend, and perfectly fine in internal tooling. Pick your shipping context on the policy dial, paste any manifest or lockfile, and every package's license is resolved live from its registry, parsed as an SPDX expression (including MIT OR GPL-3.0 dual licenses), and graded into a ship/no-ship docket — with the obligations checklist and a generated THIRD-PARTY-NOTICES file to make the verdict actionable. Parsing happens entirely in your browser; only package names and versions are queried.
License families per OSI/FSF definitions · SPDX expression grammar (ISO/IEC 5962:2021) · process aligned with OpenChain ISO/IEC 5230:2020
Compliance check console
What ignoring a license actually costs
powered the 2007–2010 SFLC lawsuits (Westinghouse, Best Buy, Samsung and 11 more) — the first US copyleft cases, all ending in settlements, injunctions and source releases.
became Artifex v. Hancom (2017): the court held the GPL is an enforceable contract, and the word-processor maker settled rather than open its source.
argues every TV buyer is a third-party beneficiary entitled to the GPL'd source in their firmware — license compliance now reaches consumer hardware.
Elastic → SSPL (2021), HashiCorp → BUSL (2023), Redis → SSPL (2024). Each spawned a fork (OpenSearch, OpenTofu, Valkey) — and stranded every team that never tracked what licenses they actually shipped.
MIT vs Apache-2.0 vs MPL vs LGPL vs GPL vs AGPL vs SSPL
The seven licenses that decide most compliance calls, compared on the questions that actually matter.
| License | Family | Closed-source dist? | SaaS use? | Must share changes? | Patent grant? | Attribution? |
|---|---|---|---|---|---|---|
| MIT | Permissive | Yes | Yes | No | No (implied at best) | Yes |
| Apache-2.0 | Permissive | Yes | Yes | No | Yes, express grant | Yes + NOTICE |
| MPL-2.0 | Weak copyleft | Yes (files intact) | Yes | Modified MPL files only | Yes | Yes |
| LGPL-3.0 | Weak copyleft | Yes (dynamic link) | Yes | Changes to the library only | Yes | Yes |
| GPL-3.0 | Strong copyleft | No | Yes (no conveyance) | Entire combined work on distribution | Yes | Yes |
| AGPL-3.0 | Network copyleft | No | No — §13 triggers | Entire work, even over a network | Yes | Yes |
| SSPL-1.0 | Source-available | No | No — full stack must go public | Your whole service stack | — | Yes |
License quick reference — 14 you will actually meet
| SPDX id | Family | OSI | Commercial use | Closed-source dist | Copyleft scope |
|---|---|---|---|---|---|
| MIT | Permissive | Yes | Yes | Yes | None — notice only |
| ISC | Permissive | Yes | Yes | Yes | None — notice only |
| BSD-3-Clause | Permissive | Yes | Yes | Yes | None — notice + no endorsement |
| Apache-2.0 | Permissive | Yes | Yes | Yes | None — notice, NOTICE file, mark changes |
| Unlicense | Public domain | Yes | Yes | Yes | None |
| MPL-2.0 | Weak copyleft | Yes | Yes | Yes* | File-level — modified MPL files |
| LGPL-2.1 | Weak copyleft | Yes | Yes | Yes* | Library-level — keep relinkable |
| EPL-2.0 | Weak copyleft | Yes | Yes | Yes* | Module-level |
| GPL-2.0 | Strong copyleft | Yes | Yes | No | Whole work on distribution |
| GPL-3.0 | Strong copyleft | Yes | Yes | No | Whole work on distribution |
| AGPL-3.0 | Network copyleft | Yes | Yes | No | Whole work, incl. network use |
| SSPL-1.0 | Restricted / source-available | No | Restricted | No | Entire service stack if offered as a service |
| BUSL-1.1 | Restricted / source-available | No | Restricted | No | Production use limited until change date |
| CC-BY-NC-4.0 | Restricted / source-available | No | No | No | Non-commercial only |
* Yes with conditions — keep covered files/libraries separable and publish modifications to them. Scanning your tree against the vulnerability scanner next answers the security half of the same ship/no-ship call.
The rules behind the stamp
Compliance score
score = 100 − 28 × blockers − 8 × conditionsWorked: 1 GPL-3.0 blocker + 3 conditions in a closed-source context → 100 − 28 − 24 = 48 → “Legal review” band. Floored at 0; any blocker forces the DO NOT SHIP stamp regardless of score.
- 92+CLEARED TO SHIP
- 70+CONDITIONS APPLY
- 45+LEGAL REVIEW
- 0+DO NOT SHIP
How each package is graded
- 1. Resolve the license from the registry (or the lockfile itself for Composer) at your pinned version.
- 2. Parse the SPDX expression —
ORelects the most permissive option (dual licensing),ANDgrades by the strictest,WITHrecords the exception. ~40 non-SPDX spellings are normalized. - 3. Map the license to one of seven families — public domain → permissive → weak copyleft → strong copyleft → network copyleft → restricted → unknown.
- 4. Look up family × shipping-context in the verdict matrix (35 rules) — the same package legitimately gets different verdicts in different contexts.
- 5. Apply your policy deny list (Auditor mode), which overrides anything to a blocker.
How to run a license compliance check in 5 steps
Tell the checker what you are shipping
Pick one of the five shipping contexts on the policy dial — closed-source product, SaaS, open-source under MIT/Apache, open-source under GPL, or internal tooling. The same dependency tree gets different legal verdicts in each.
Paste or drop your manifest
Paste package.json, package-lock.json, yarn.lock, requirements.txt, composer.lock, Gemfile.lock or Cargo.lock — or upload the file. Format and ecosystem are auto-detected and parsed entirely in your browser.
Run the compliance check
Each package's license is resolved live from its registry (npm, PyPI, RubyGems, crates.io — composer.lock already embeds licenses), SPDX expressions like “MIT OR GPL-3.0” are evaluated, and every dependency is graded against the verdict matrix for your context.
Read the seal, then work the docket
The verdict seal gives the ship/no-ship call with a 0–100 compliance score. The docket lists every package worst-first: blockers (license conflicts), conditions (obligations to satisfy) and unknowns (licenses a human must verify).
Complete the obligations and export your evidence
Tick through the obligations checklist, generate the THIRD-PARTY-NOTICES file for your release, and export the JSON report as audit evidence. Re-run after any dependency change.
Why license compliance became a release gate
In 2026, a developer shipping a closed-source Electron app pulls in eight hundred npm packages and signs a distribution agreement that warrants none of them is copyleft. One transitive AGPL dependency makes that warranty false — and unlike a bug, it cannot be patched after the fact, because the obligation attached the moment the build shipped. This page exists for the fifteen minutes before that signature: paste the lockfile, pick what you are shipping, read the stamp.
The legal machinery behind that stamp is older than most of the packages it grades. Richard Stallman published the GNU General Public License in 1989, inventing copyleft — copyright law inverted to keep software free by making freedom a condition of redistribution. The permissive counter-tradition came from the universities: MIT's X11 license (1987) and Berkeley's BSD licenses asked only for credit. When Eric Raymond and Bruce Perens founded the Open Source Initiative in 1998, its Open Source Definition became the line every license on this page is measured against — and the reason the OSI's rejection of the SSPL in 2021 mattered commercially.
The enforcement era began in earnest with the BusyBox suits (2007–2010), in which the Software Freedom Law Center sued fourteen companies — Westinghouse, Best Buy and Samsung among them — for shipping GPL'd code in firmware without source. Every case ended in settlement, source release, or default judgment. Artifex v. Hancom (N.D. Cal. 2017) established that the GPL operates as an enforceable contract, not just a copyright condition; SFC v. Vizio (2021, ongoing) is testing whether ordinary consumers can demand the source themselves as third-party beneficiaries. License compliance stopped being theoretical a decade and a half ago.
The modern twist is relicensing. Elastic moved Elasticsearch to the SSPL in January 2021; HashiCorp moved Terraform to the BUSL in August 2023; Redis followed in March 2024. Each move stranded teams who had pinned a version under one license and upgraded into another — and each spawned a community fork (OpenSearch, OpenTofu, Valkey) precisely so the open version could survive. The practical lesson this tool encodes: a license is an attribute of a version, not a project, which is why every check here resolves the license at your pinned version rather than the project's homepage badge.
Standards caught up to practice. SPDX — the Linux Foundation's license-identification format, standardized as ISO/IEC 5962:2021 — gave every license a canonical id and an expression grammar for the messy real world of dual licensing (MIT OR GPL-3.0) and exceptions (GPL-2.0 WITH Classpath-exception-2.0). OpenChain (ISO/IEC 5230:2020) standardized the compliance program itself, and procurement departments now ask for conformance the way they ask for SOC 2. US Executive Order 14028's SBOM mandate and the EU Cyber Resilience Act push the same direction: know what you ship, including its legal terms.
What none of the standards changed is the economics of attention. License review used to be a lawyer reading a spreadsheet the week before launch; in a lockfile world the spreadsheet is eight hundred rows and regenerates nightly. The only review that scales is the one that runs in seconds at the developer's desk, grades against the shipping context honestly — permissive trees pass, copyleft conflicts surface, unknowns get named — and hands over an attribution file instead of a homework assignment. That is the job this page does, and the vulnerability scanner answers the security half of the same pre-ship question.
Trusted by OSPOs, Due-Diligence & Release Teams
“We run every acquisition target's lockfiles through this before the data room even opens. The context dial is the feature — the same tree graded for closed-source distribution versus SaaS is exactly how counsel thinks, and no free tool did that until now.”
“Found an AGPL transitive in a client's 'all-MIT' Electron app two days before signing. The docket's worst-first ordering and the generated NOTICES file went straight into the disclosure schedule. This paid for my year, and it's free.”
“I ship a closed-source Electron app and live in fear of copyleft sneaking in through npm. Paste package-lock, pick 'Closed-source product', and I get a stamp that says CLEARED TO SHIP plus the attribution file ready to bundle. The dual-license handling (MIT OR GPL) is correct, which surprised me.”
“The SaaS context correctly passes GPL but flags AGPL and SSPL — most scanners treat all copyleft the same and cry wolf. Wired the JSON export into our release checklist. Wish list: SBOM (SPDX document) import, which I'm told is coming.”
Love using our calculator?
Related tools
Similar Calculators
More tools in the same category
NPM Package Dependency Tree
Visualize npm package dependencies and identify potential issues
Package Vulnerability Scanner
Scan packages for known security vulnerabilities and outdated versions
Python Requirements Analyzer
Analyze Python package dependencies and compatibility issues
Circular Dependency Detector
Detect circular dependencies in codebases across multiple languages
Difference Checker
Compare text, PDFs, images, and code to highlight differences side-by-side
Bundle Size Analyzer
Analyze JavaScript bundle sizes
Often Used Together
Complementary tools for complete analysis
Related Articles
Dive deeper with our expert guides and tutorials related to Open-Source License Compliance Checker
Graded against OSI Open Source Definition, SPDX (ISO/IEC 5962:2021) and OpenChain (ISO/IEC 5230:2020) · Informational tool, not legal advice · Last reviewed: 2026-06