This library provides tooling to check licensing of dependencies against a set of rules to ensure compliance with open source licenses and minimize legal risk. It helps you to keep track of licenses of dependencies in use and make informed decisions on their usage.
composer require --dev lendable/composer-license-checker
Create a configuration file in your project root, .allowed-licenses.php
(or you can use the the option -a / --allow-file
to specify the location of the configuration).
<?php
declare(strict_types=1);
use Lendable\ComposerLicenseChecker\LicenseConfigurationBuilder;
return (new LicenseConfigurationBuilder())
->addLicenses(
'MIT',
'BSD-2-Clause',
'BSD-3-Clause',
'Apache-2.0',
// And other licenses you wish to allow.
)
->addAllowedVendor('vendor_name') // Allow any license from a specific vendor, i.e. your own company.
->addAllowedPackage('vendor_name/foo_bar') // Allow a specific package regardless of licensing.
->build();
./vendor/bin/composer-license-checker [--allow-file path/to/configuration_file.php]
It is suggested you build this into your CI pipeline to automate checking it.
This tool can use two different sources for retrieving licensing information: using the composer licenses
command and parsing the installed.json
file created by Composer.
Specify --provider-id=json
.
The tool will parse the installed.json
file created by Composer which has all the relevant information. This does not require Composer to be installed in the environment the tool is executed within. This file is internal to Composer however, so there is the potential that the schema may change in the future. If you experience issues, try using the composer licenses
provider and report the issue.
Specify --provider-id=licenses
.
The composer licenses
command provides a (potentially) more stable API for retrieving licensing information. This however requires the tool to execute composer
so it must be installed in the environment the tool is run within.