This repository has been archived by the owner on Aug 11, 2022. It is now read-only.

inform users who publish with empty license of legal implications #6241

Closed
seldo opened this issue Sep 19, 2014 · 10 comments

Comments

@seldo
Contributor

seldo commented Sep 19, 2014

A polite message saying "you have no license field. Without one, it's unclear who can legally use your code and how. Are you sure you want to publish without a license?"

Alternative suggestions welcome.

@othiym23 othiym23 changed the title Feature request: inform users who publish with empty license of legal implications inform users who publish with empty license of legal implications Sep 19, 2014
@nzakas

nzakas commented Sep 19, 2014

This sounds great. What I'd expect is something like:

$ npm publish
Oops! It looks like your package.json is missing a license field. 
Without one, it's unclear who can legally use your code and how. 
Are you sure you want to publish without a license? [Y/n]

Maybe when n is selected, a followup message with information about where to find more information?

@phpnode

phpnode commented Sep 19, 2014

nudge them in the right direction by making n default?

@sindresorhus

The license field should IMHO be required when publishing to the registry. A package without one is useless for anyone else and doesn't belong in the registry.

@timoxley
Contributor

Note that despite not enforcing licenses, GitHub is still useful.

If npm is going to start warning users before publishing, there are other things that could do with warnings (e.g. * dependencies, no tests, no repo/home). Perhaps this could go under an npm check or npm audit or npm doctor command, which should be run before publishing if you want to make sure your package is wholesome.

@kemitchell
Contributor

Does npm have publicly posted terms of service for repository hosting, in addition to the Artistic License for the command-line client itself? I can't seem to find any. The closest is a "code of conduct".

GitHub's terms of service have:

F.1. [...] However, by setting your pages to be viewed publicly, you agree to allow others to view your Content. By setting your repositories to be viewed publicly, you agree to allow others to view and fork your repositories.

@seldo
Contributor Author

seldo commented Apr 29, 2015

We have a Privacy Policy https://www.npmjs.com/policies/privacy but it is fairly generic and focused on the website. We are in the process of clarifying + expanding our policy documents to better reflect private module hosting, and I'll add this to the list of things to make clearer.

@othiym23
Contributor

othiym23 commented May 8, 2015

This is partially addressed by the resolution of #8179 – multiple licenses can be included by using an SPDX license expression, npm init now prompts for an SPDX-compliant license expression, and npm install warns when "license" is missing or isn't parseable as an SPDX license expression. See the release notes for npm@2.10.0 for details.

There are some aspects of this discussion – like enforcement of the presence of a license on the registry side, including clear language warning about the legal implications on validation, and improving the terms of service for hosting – that aren't yet addressed by npm, so I'm leaving this issue open for now. Once we've got something in place that @seldo thinks fulfills the spirit of his request in the original post, we can split the remaining issues out into separate threads and close this issue.
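An added example (not npm's own code) of the kind of publish-time check othiym23 describes above: it flags a missing license field and validates the value as an SPDX license expression. The license and exception identifier lists are a constructed sample rather than the full SPDX lists, and the grammar is simplified (identifiers with optional "+", AND/OR/WITH, parentheses).

```javascript
// Added example, not npm's own code: the pre-publish "license" check discussed
// in this thread, with a small SPDX expression validator behind it.
// Grammar (simplified): expr := term (('AND'|'OR') term)*
//                      term := id['+'] ['WITH' exception] | '(' expr ')'
// Constructed sample allow-lists; the real SPDX lists are far longer.
const KNOWN_LICENSES = new Set(['MIT', 'ISC', 'BSD-2-Clause', 'BSD-3-Clause',
  'Apache-2.0', 'GPL-2.0', 'GPL-3.0', 'LGPL-2.1', 'MPL-2.0']);
const KNOWN_EXCEPTIONS = new Set(['Classpath-exception-2.0', 'LLVM-exception']);

// Validates an SPDX expression; throws with a reason if it does not parse.
function parseSpdx(expr) {
  if (!/^[A-Za-z0-9.+()\- ]+$/.test(expr)) throw new Error('illegal character in expression');
  const tokens = expr.match(/\(|\)|[A-Za-z0-9.+-]+/g) || [];
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  function term() {
    const tok = next();
    if (tok === undefined) throw new Error('unexpected end of expression');
    if (tok === '(') {
      expression();
      if (next() !== ')') throw new Error('missing closing parenthesis');
      return;
    }
    const id = tok.endsWith('+') ? tok.slice(0, -1) : tok; // "GPL-2.0+" means or-later
    if (!KNOWN_LICENSES.has(id)) throw new Error(`unknown license id "${tok}"`);
    if (peek() === 'WITH') {
      next();
      const exc = next();
      if (!KNOWN_EXCEPTIONS.has(exc)) throw new Error(`unknown exception "${exc}"`);
    }
  }
  function expression() {
    term();
    while (peek() === 'AND' || peek() === 'OR') { next(); term(); }
  }
  expression();
  if (pos !== tokens.length) throw new Error(`unexpected token "${peek()}"`);
  return true;
}

// Returns the warning a publish-time check would print, or null if the field is fine.
function licenseWarning(pkg) {
  if (typeof pkg.license !== 'string' || pkg.license.trim() === '') {
    return 'package.json is missing a license field. Without one, it is unclear ' +
      'who can legally use your code and how.';
  }
  try { parseSpdx(pkg.license); return null; }
  catch (e) { return `license "${pkg.license}" is not a valid SPDX expression: ${e.message}`; }
}

console.log(licenseWarning({ name: 'demo', version: '1.0.0' })); // constructed package.json
```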

@kemitchell
Contributor

@npm should consult its legal counsel about all three remaining aspects---enforcing licensing, warnings, and terms of service. Unfortunately, I can't weigh in on those topics via GitHub, for various "totally lame" professional reasons.

@seldo
Contributor Author

seldo commented May 8, 2015

The warnings as implemented in 2.10.0 are sufficient for what I had in mind. You can close this ticket as far as I'm concerned, @othiym23.

@kemitchell: we are definitely not going to stride into the minefield of attempting to enforce licensing, nor @sindresorhus are we going to require a license if you ignore our nudge that it's a good idea to have one; that seems like added friction and we are against that :-)

@kemitchell's point about our terms of service for hosting benefiting from clearer language is well made; I'm going to create an issue internally for @rod11 to track that.

@othiym23
Contributor

othiym23 commented May 8, 2015

@seldo 👍, closing per your recommendation. Thanks, everybody!
