GPL-3.0 and AGPL-3.0 are strong copyleft licenses: if you distribute software that includes GPL-licensed code as a combined work, you are legally required to release your entire application's source code under the GPL. AGPL extends this obligation to server-side use — running an AGPL-licensed library as part of a SaaS application may trigger source disclosure obligations. This is not a theoretical risk; companies have faced legal action for GPL non-compliance. CWE-1357 covers the risk of using components whose terms you have not adequately evaluated. This check is rated critical because the business consequence — compelled open-sourcing of proprietary code — is irreversible and can fundamentally undermine your competitive position or commercial model.
Critical because GPL or AGPL in production dependencies of a proprietary commercial application may legally compel source disclosure of the entire codebase, an irreversible and commercially catastrophic outcome.
For each GPL or AGPL dependency, find a permissively-licensed alternative first. If no alternative exists, check whether the package offers a commercial license exception. Automate license compliance in CI:
npx license-checker --production --failOn 'GPL-2.0;GPL-3.0;AGPL-3.0'
Store the approved license allow-list in a .config/license-policy.json and run the check on every build. For LGPL packages (a weaker copyleft), document that they are used without modification — LGPL permits use in proprietary software when the LGPL component remains replaceable.
ID: dependency-supply-chain.license.no-copyleft-violation
Severity: critical
What to look for: Examine production dependencies (dependencies in package.json) for packages licensed under GPL (v2 or v3), AGPL, LGPL, EUPL, or other copyleft licenses. The most common culprits in the npm ecosystem are: packages using GPL for their CLI while offering a commercial license, packages that changed licenses in newer versions, and packages that carry LGPL which may require dynamic linking accommodations. Common signals: check the license field in each package's own package.json (accessible at node_modules/package-name/package.json). GPL and AGPL in a proprietary project's dependencies means you may be legally obligated to release your source code. Count every dependency with a copyleft license (GPL, AGPL, LGPL, MPL) and enumerate each. Classify whether the usage pattern triggers copyleft obligations.
Pass criteria: All production dependencies use permissive licenses (MIT, Apache 2.0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD, CC0) or licenses with acceptable commercial terms. No GPL, AGPL, or EUPL licenses in production dependencies for a proprietary project. Weak copyleft licenses (MPL-2.0, LGPL-2.1, LGPL-3.0): These are a PASS, not a fail, but the detail field MUST note the obligation. MPL-2.0 requires that modifications to MPL-licensed files be released under MPL-2.0 (file-level copyleft). LGPL requires that the LGPL component remain replaceable. Example detail for a pass with weak copyleft: "All production licenses permissive. Note: next-mdx-remote@5.0.0 is MPL-2.0 — modifications to its source files must be released under MPL-2.0 (file-level copyleft obligation). No action needed if using without modification." At least 1 implementation must be confirmed.
Fail criteria: One or more production dependencies use GPL, AGPL, EUPL, or another strong copyleft license, and the project appears to be a proprietary commercial application. Weak copyleft (MPL-2.0, LGPL) does NOT trigger a fail — see pass criteria for handling.
Skip (N/A) when: The project is itself open-source under a GPL-compatible license (check the project's own license field in package.json or a LICENSE file). Or: no package.json detected.
Cross-reference: The no-unknown-licenses check identifies packages with unresolvable licenses that may hide copyleft obligations.
Detail on fail: "Package 'some-gpl-lib@2.0.0' in dependencies is licensed GPL-3.0 — using GPL-licensed packages in proprietary commercial software may require releasing your source code". List up to 3 packages.
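The classification the pass, fail, skip and detail rules above describe, as an added example (not the check's own implementation and not license-checker): it folds SPDX suffixes into the base identifier, sorts each production dependency into permissive, weak copyleft, strong copyleft or unknown, and produces the status and detail string in the format given above. The project and dependency package.json objects below are constructed in memory; a real run would read node_modules/<name>/package.json for each entry in dependencies.

```javascript
// Classification tables: the SPDX identifiers the pass/fail criteria name.
const STRONG = new Set(['GPL-2.0', 'GPL-3.0', 'AGPL-3.0', 'EUPL-1.2']);
const WEAK = new Set(['MPL-2.0', 'LGPL-2.1', 'LGPL-3.0']);
const PERMISSIVE = new Set(['MIT', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC', '0BSD', 'CC0-1.0']);

// A package.json "license" may be a string, a legacy { type } object, or an SPDX
// expression; "-only", "-or-later" and "+" suffixes fold into the base identifier.
function normalize(license) {
  if (license && typeof license === 'object') return normalize(license.type);
  if (typeof license !== 'string' || license.trim() === '') return 'UNKNOWN';
  const id = license.trim().replace(/^\(|\)$/g, '');
  if (/\s(OR|AND)\s/.test(id)) return 'EXPRESSION:' + id; // left to the no-unknown-licenses check
  return id.replace(/-only$|-or-later$|\+$/, '');
}

function classify(license) {
  const id = normalize(license);
  if (STRONG.has(id)) return 'strong';
  if (WEAK.has(id)) return 'weak';
  if (PERMISSIVE.has(id)) return 'permissive';
  return 'unknown';
}

// projectPkg: the project's own package.json; depPkgs: dependency name -> its package.json
// (in a real run, read from node_modules/<name>/package.json for each production dependency).
function evaluate(projectPkg, depPkgs) {
  if (!projectPkg) return { status: 'N/A', detail: 'no package.json detected' };
  if (classify(projectPkg.license) === 'strong') {
    return { status: 'N/A', detail: `project itself is ${normalize(projectPkg.license)}` };
  }
  const strong = [], notes = [];
  for (const name of Object.keys(projectPkg.dependencies || {})) {
    const dep = depPkgs[name] || {};
    const id = normalize(dep.license), label = `${name}@${dep.version || '?'}`;
    switch (classify(dep.license)) {
      case 'strong': strong.push(`Package '${label}' in dependencies is licensed ${id}`); break;
      case 'weak': notes.push(`${label} is ${id} (${id.startsWith('MPL') ? 'modified files must stay MPL-2.0' : 'LGPL component must remain replaceable'})`); break;
      case 'unknown': notes.push(`${label} license '${id}' unresolved; see no-unknown-licenses`); break;
    }
  }
  if (strong.length) return { status: 'FAIL', detail: strong.slice(0, 3).join('; ') + ': using GPL-licensed packages in proprietary commercial software may require releasing your source code' };
  return { status: 'PASS', detail: 'All production licenses permissive.' + (notes.length ? ' Note: ' + notes.join('; ') : '') };
}

// Constructed sample input (not a real dependency tree).
const sampleProject = { name: 'acme-app', license: 'UNLICENSED', dependencies: { 'next-mdx-remote': '^5.0.0', 'some-gpl-lib': '^2.0.0', lodash: '^4.17.21' } };
const sampleDeps = { 'next-mdx-remote': { version: '5.0.0', license: 'MPL-2.0' }, 'some-gpl-lib': { version: '2.0.0', license: 'GPL-3.0-only' }, lodash: { version: '4.17.21', license: 'MIT' } };
console.log(evaluate(sampleProject, sampleDeps));
```

Commercial intent is still left to the reviewer, as the note below says: an UNLICENSED or permissive project license only means the check is not skipped, not that the project is proprietary.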
Remediation: Using GPL-licensed packages in a proprietary commercial application may legally obligate you to release your entire application's source code. This is a serious business and legal risk.
For each GPL-licensed dependency:
LGPL is somewhat less restrictive — it generally allows use in proprietary software if the LGPL component is dynamically linked and replaceable. But this is nuanced in the Node.js context.
Note: This check cannot determine your project's commercial vs. open-source intent with certainty — it flags the risk for your review.
Run npx license-checker --production --onlyAllow '<allow-list>' (a semicolon-separated list of the permitted license identifiers; the command exits non-zero on the first package outside that list) from package.json scripts to catch copyleft violations. Store the allow-list in .config/license-policy.json.