Lock files are common for dependencies. But how do we make sure we are only using libraries that have compatible licenses? The idea of the license locker is to generate lock files, which are basically a list of libraries and their licenses, and have some periodic check (e.g. integrated into CI) to make sure no unwanted dependency with an incompatible license sneaked in.

Generate the lock file:

```sh
./license-locker.sh --generate
```

Check whether the lock file is up to date:

```sh
./license-locker.sh --check
```
`--packager`: package manager. This option is optional; if it is not specified, the script tries to guess. Currently supported: `npm` (via license-checker) and `cargo` (via cargo-license).
- generate the lock file and commit it to the version control system
- generate the lock file again (the existing one will be overwritten) and commit the update to the version control system
- run `--check` to make sure nobody forgot to update the lock file
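The workflow above, as an added example that is not the license-locker script itself: a minimal generate/check pair over a constructed `name<TAB>license` listing (the rows are made up; real input would come from license-checker or cargo-license), plus an allowlist filter that flags entries whose license is not on an approved list. The function names and the tab-separated format are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the license-locker script: illustrates lock generation,
# drift detection and an allowlist check over a constructed dependency report.
set -eu

# Constructed sample report in "name<TAB>license" form. These rows are made up
# for the example; a real packager tool would produce the listing.
sample_report() {
    printf '%s\n' \
        'left-pad	MIT' \
        'serde	MIT OR Apache-2.0' \
        'chalk	MIT'
}

# Normalize a report (stdin) into lock-file form at path $1: one entry per line,
# sorted and de-duplicated, so the lock file is stable regardless of the order
# in which the packager prints dependencies.
generate_lock() {
    sort -u > "$1"
}

# Compare the current report (stdin) with the committed lock file $1.
# Prints a unified diff and returns 1 on drift, returns 0 when they match.
check_lock() {
    tmp=$(mktemp)
    sort -u > "$tmp"
    if diff -u "$1" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Print lock entries (stdin) whose license is not in the space-separated
# allowlist $1 (assumed to hold SPDX identifiers). An "A OR B" expression is
# accepted when any alternative is on the allowlist.
unapproved_licenses() {
    awk -F '\t' -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            m = split($2, alt, " OR "); good = 0
            for (j = 1; j <= m; j++) if (alt[j] in ok) good = 1
            if (!good) print
        }'
}

# Usage (uncomment to run stand-alone):
#   sample_report | generate_lock license.lock
#   sample_report | check_lock license.lock
#   unapproved_licenses 'MIT Apache-2.0' < license.lock
```

In CI the check step is the combination of `check_lock` (did anyone add a dependency without updating the lock file?) and `unapproved_licenses` over the committed lock file (does every recorded license sit on the team's allowlist?); a non-zero exit from either fails the build.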
Contributions are very welcome. When making a pull request, please make sure the script passes all checks from shellcheck.