Skip to content
SPDX ISO/IEC 5962 · OSI definitions · OpenChain ISO/IEC 5230 aligned

Open-Source License Compliance Checker

Can you legally ship this dependency tree?

Whether a dependency is legal to ship depends on what you are shipping: a GPL package is a blocker in a closed-source desktop app, a caution in a SaaS backend, and perfectly fine in internal tooling. Pick your shipping context on the policy dial, paste any manifest or lockfile, and every package's license is resolved live from its registry, parsed as an SPDX expression (including MIT OR GPL-3.0 dual licenses), and graded into a ship/no-ship docket — with the obligations checklist and a generated THIRD-PARTY-NOTICES file to make the verdict actionable. Parsing happens entirely in your browser; only package names and versions are queried.

License families per OSI/FSF definitions · SPDX expression grammar (ISO/IEC 5962:2021) · process aligned with OpenChain ISO/IEC 5230:2020

5 shipping contexts
Closed-source, SaaS, OSS ×2, internal
33 licenses graded
MIT to AGPL to SSPL, via SPDX ids
7 file formats
npm, PyPI, Composer, Cargo, Bundler
Zero upload
Files parsed 100% in-browser

Compliance check console

·awaiting manifest…
Step 1 — what are you shipping?

What ignoring a license actually costs

One GPL'd busybox binary

powered the 2007–2010 SFLC lawsuits (Westinghouse, Best Buy, Samsung and 11 more) — the first US copyleft cases, all ending in settlements, injunctions and source releases.

A $50 PDF library decision

became Artifex v. Hancom (2017): the court held the GPL is an enforceable contract, and the word-processor maker settled rather than open its source.

SFC v. Vizio (filed 2021)

argues every TV buyer is a third-party beneficiary entitled to the GPL'd source in their firmware — license compliance now reaches consumer hardware.

Relicensing whiplash

Elastic → SSPL (2021), HashiCorp → BUSL (2023), Redis → SSPL (2024). Each spawned a fork (OpenSearch, OpenTofu, Valkey) — and stranded every team that never tracked what licenses they actually shipped.

MIT vs Apache-2.0 vs MPL vs LGPL vs GPL vs AGPL vs SSPL

The seven licenses that decide most compliance calls, compared on the questions that actually matter.

LicenseFamilyClosed-source dist?SaaS use?Must share changes?Patent grant?Attribution?
MITPermissiveYesYesNoNo (implied at best)Yes
Apache-2.0PermissiveYesYesNoYes, express grantYes + NOTICE
MPL-2.0Weak copyleftYes (files intact)YesModified MPL files onlyYesYes
LGPL-3.0Weak copyleftYes (dynamic link)YesChanges to the library onlyYesYes
GPL-3.0Strong copyleftNoYes (no conveyance)Entire combined work on distributionYesYes
AGPL-3.0Network copyleftNoNo — §13 triggersEntire work, even over a networkYesYes
SSPL-1.0Source-availableNoNo — full stack must go publicYour whole service stackYes

License quick reference — 14 you will actually meet

SPDX idFamilyOSICommercial useClosed-source distCopyleft scope
MITPermissiveYesYesYesNone — notice only
ISCPermissiveYesYesYesNone — notice only
BSD-3-ClausePermissiveYesYesYesNone — notice + no endorsement
Apache-2.0PermissiveYesYesYesNone — notice, NOTICE file, mark changes
UnlicensePublic domainYesYesYesNone
MPL-2.0Weak copyleftYesYesYes*File-level — modified MPL files
LGPL-2.1Weak copyleftYesYesYes*Library-level — keep relinkable
EPL-2.0Weak copyleftYesYesYes*Module-level
GPL-2.0Strong copyleftYesYesNoWhole work on distribution
GPL-3.0Strong copyleftYesYesNoWhole work on distribution
AGPL-3.0Network copyleftYesYesNoWhole work, incl. network use
SSPL-1.0Restricted / source-availableNoRestrictedNoEntire service stack if offered as a service
BUSL-1.1Restricted / source-availableNoRestrictedNoProduction use limited until change date
CC-BY-NC-4.0Restricted / source-availableNoNoNoNon-commercial only

* Yes with conditions — keep covered files/libraries separable and publish modifications to them. Scanning your tree against the vulnerability scanner next answers the security half of the same ship/no-ship call.

The rules behind the stamp

Compliance score

score = 100 − 28 × blockers − 8 × conditions

Worked: 1 GPL-3.0 blocker + 3 conditions in a closed-source context → 100 − 28 − 24 = 48 → “Legal review” band. Floored at 0; any blocker forces the DO NOT SHIP stamp regardless of score.

  • 92+CLEARED TO SHIP
  • 70+CONDITIONS APPLY
  • 45+LEGAL REVIEW
  • 0+DO NOT SHIP

How each package is graded

  1. 1. Resolve the license from the registry (or the lockfile itself for Composer) at your pinned version.
  2. 2. Parse the SPDX expression — OR elects the most permissive option (dual licensing), AND grades by the strictest, WITH records the exception. ~40 non-SPDX spellings are normalized.
  3. 3. Map the license to one of seven families — public domain → permissive → weak copyleft → strong copyleft → network copyleft → restricted → unknown.
  4. 4. Look up family × shipping-context in the verdict matrix (35 rules) — the same package legitimately gets different verdicts in different contexts.
  5. 5. Apply your policy deny list (Auditor mode), which overrides anything to a blocker.

How to run a license compliance check in 5 steps

1

Tell the checker what you are shipping

Pick one of the five shipping contexts on the policy dial — closed-source product, SaaS, open-source under MIT/Apache, open-source under GPL, or internal tooling. The same dependency tree gets different legal verdicts in each.

2

Paste or drop your manifest

Paste package.json, package-lock.json, yarn.lock, requirements.txt, composer.lock, Gemfile.lock or Cargo.lock — or upload the file. Format and ecosystem are auto-detected and parsed entirely in your browser.

3

Run the compliance check

Each package's license is resolved live from its registry (npm, PyPI, RubyGems, crates.io — composer.lock already embeds licenses), SPDX expressions like “MIT OR GPL-3.0” are evaluated, and every dependency is graded against the verdict matrix for your context.

4

Read the seal, then work the docket

The verdict seal gives the ship/no-ship call with a 0–100 compliance score. The docket lists every package worst-first: blockers (license conflicts), conditions (obligations to satisfy) and unknowns (licenses a human must verify).

5

Complete the obligations and export your evidence

Tick through the obligations checklist, generate the THIRD-PARTY-NOTICES file for your release, and export the JSON report as audit evidence. Re-run after any dependency change.

Why license compliance became a release gate

In 2026, a developer shipping a closed-source Electron app pulls in eight hundred npm packages and signs a distribution agreement that warrants none of them is copyleft. One transitive AGPL dependency makes that warranty false — and unlike a bug, it cannot be patched after the fact, because the obligation attached the moment the build shipped. This page exists for the fifteen minutes before that signature: paste the lockfile, pick what you are shipping, read the stamp.

The legal machinery behind that stamp is older than most of the packages it grades. Richard Stallman published the GNU General Public License in 1989, inventing copyleft — copyright law inverted to keep software free by making freedom a condition of redistribution. The permissive counter-tradition came from the universities: MIT's X11 license (1987) and Berkeley's BSD licenses asked only for credit. When Eric Raymond and Bruce Perens founded the Open Source Initiative in 1998, its Open Source Definition became the line every license on this page is measured against — and the reason the OSI's rejection of the SSPL in 2021 mattered commercially.

The enforcement era began in earnest with the BusyBox suits (2007–2010), in which the Software Freedom Law Center sued fourteen companies — Westinghouse, Best Buy and Samsung among them — for shipping GPL'd code in firmware without source. Every case ended in settlement, source release, or default judgment. Artifex v. Hancom (N.D. Cal. 2017) established that the GPL operates as an enforceable contract, not just a copyright condition; SFC v. Vizio (2021, ongoing) is testing whether ordinary consumers can demand the source themselves as third-party beneficiaries. License compliance stopped being theoretical a decade and a half ago.

The modern twist is relicensing. Elastic moved Elasticsearch to the SSPL in January 2021; HashiCorp moved Terraform to the BUSL in August 2023; Redis followed in March 2024. Each move stranded teams who had pinned a version under one license and upgraded into another — and each spawned a community fork (OpenSearch, OpenTofu, Valkey) precisely so the open version could survive. The practical lesson this tool encodes: a license is an attribute of a version, not a project, which is why every check here resolves the license at your pinned version rather than the project's homepage badge.

Standards caught up to practice. SPDX — the Linux Foundation's license-identification format, standardized as ISO/IEC 5962:2021 — gave every license a canonical id and an expression grammar for the messy real world of dual licensing (MIT OR GPL-3.0) and exceptions (GPL-2.0 WITH Classpath-exception-2.0). OpenChain (ISO/IEC 5230:2020) standardized the compliance program itself, and procurement departments now ask for conformance the way they ask for SOC 2. US Executive Order 14028's SBOM mandate and the EU Cyber Resilience Act push the same direction: know what you ship, including its legal terms.

What none of the standards changed is the economics of attention. License review used to be a lawyer reading a spreadsheet the week before launch; in a lockfile world the spreadsheet is eight hundred rows and regenerates nightly. The only review that scales is the one that runs in seconds at the developer's desk, grades against the shipping context honestly — permissive trees pass, copyleft conflicts surface, unknowns get named — and hands over an attribution file instead of a homework assignment. That is the job this page does, and the vulnerability scanner answers the security half of the same pre-ship question.

License Compliance FAQs

Have more questions? Contact us

Trusted by OSPOs, Due-Diligence & Release Teams

4.8
Based on 5,140 reviews

We run every acquisition target's lockfiles through this before the data room even opens. The context dial is the feature — the same tree graded for closed-source distribution versus SaaS is exactly how counsel thinks, and no free tool did that until now.

I
Ingrid Sørensen
OSPO lead, enterprise software group
April 2, 2026

Found an AGPL transitive in a client's 'all-MIT' Electron app two days before signing. The docket's worst-first ordering and the generated NOTICES file went straight into the disclosure schedule. This paid for my year, and it's free.

D
Dario Benedetti
Independent tech due-diligence consultant
December 11, 2025

I ship a closed-source Electron app and live in fear of copyleft sneaking in through npm. Paste package-lock, pick 'Closed-source product', and I get a stamp that says CLEARED TO SHIP plus the attribution file ready to bundle. The dual-license handling (MIT OR GPL) is correct, which surprised me.

P
Priyanka Venkataraman
Indie developer, desktop apps
February 19, 2026

The SaaS context correctly passes GPL but flags AGPL and SSPL — most scanners treat all copyleft the same and cry wolf. Wired the JSON export into our release checklist. Wish list: SBOM (SPDX document) import, which I'm told is coming.

C
Calum McAllister
Platform engineering lead, SaaS fintech
October 7, 2025

Love using our calculator?

Related tools

Learn More

Related Articles

Dive deeper with our expert guides and tutorials related to Open-Source License Compliance Checker

Loading articles...

Graded against OSI Open Source Definition, SPDX (ISO/IEC 5962:2021) and OpenChain (ISO/IEC 5230:2020) · Informational tool, not legal advice · Last reviewed: 2026-06